E-Commerce Security and Fraud Issues and Protections: Learning Objectives
The Problem

faculty, and networks are vulnerable to a variety of security issues, many of which originate from social media websites such as Facebook and YouTube. The College encourages the use of social media as a collaborative, sharing, and learning environment.

Social media is also a leading target for malware writers. With the large number of downloads, social media has become an ideal place for cybercriminals to insert viruses and hack into systems. Phishers use social engineering techniques to deceive users into clicking on links or downloading malware. Because of the variety of devices used by students and faculty, the College's attempts to manage network security were unsuccessful. Specifically, the attempt to use intelligent agents (which some students objected to having on their computers) as guards failed.

The College had computer-use policies in place, but these had been written for older computing environments. Since the old policies were no longer effective, the university decided to rewrite its usage policy to meet the needs of current technology.

Bandwidth usage was a problem due to the extensive downloading of videos by faculty and students. The high level of usage for noneducational activities sometimes interfered with classroom or research needs.

The Solution

All students, faculty, and staff received a user ID for computer utilization. Next, a new usage policy was implemented. This policy was communicated to all users and was enforced by monitoring the usage for each ID, watching network traffic, and performing behavioral analysis. Users are contacted via e-mail and alerted to any problem. The system may even block the user's access; in such an event, the user can go to the student computer lab for problem resolution.

The policy covered all users, all devices, and all types of usage, including mobile devices and the Internet. According to SUNY College at Old Westbury (2014), the policy states that users should not expect full privacy when it comes to their e-mail messages or other online private information, including Internet usage records, and sets forth what information is collected by the university. Given that the IDs identify the type of user (e.g., student or faculty), management was able to set priorities in allocating bandwidth. Bandwidth is controlled only when classes are in session.

Old Westbury is not alone in utilizing a policy to control Internet usage. Social Media Governance (socialmediagovernance.com) is a website that provides tools and instructions regarding the control of computing resources where social media is concerned.

Sources: Based on Goodchild (2011), SUNY (2014), and oldwestbury.edu (accessed April 2016).

LESSONS LEARNED FROM THE CASE

This case demonstrates two problems: possible malware attacks and insufficient bandwidth. Both problems can reduce the effectiveness of SUNY's computerized system, interfering with students' learning and faculty teaching and research. The solution, in which the university can monitor when users are on the university network, look for any unusual activity, and take appropriate action if needed, demonstrates one of the defense mechanisms used by an organization. The new policies conflict with student privacy, a typical situation in security systems: the tighter the security, the less privacy and flexibility people have. In this chapter, we introduce the broad battlefield between attacks on information systems and the defense of those systems. We also present the issues of fraud in e-commerce and the strategies and policies available to organizations for deploying security measures.

10.1 THE INFORMATION SECURITY PROBLEM

Information security refers to a variety of activities and methods that protect information systems, data, and procedures from any action designed to destroy, modify, or degrade the systems and their operations. In this chapter, we provide an overview of the generic information security problems and solutions as they relate to EC and IT. In this section, we look at the nature of the security problems and the magnitude of the problems, and introduce some essential terminology of information security. For an overview, see John (2016) and Smith (2015).
What Is EC Security?

[Figure residue: Attacks on E-Commerce. Categories shown: spam, DoS, and clogged systems; fraud by sellers; attacks on social networks; attacking mobile devices and systems; social engineering and phishing; business continuity (interrupting EC).]
On February 12, 2013, President Obama issued an executive order (EO 13636, Improving Critical Infrastructure Cybersecurity) aimed at strengthening national defenses against cyberattacks. This order gave "federal agencies greater authority to share 'cyber threat' information with the public sector."

Security Risks for 2014 and 2015

The major security risks for the near future are:

Security Risks in Mobile Devices

The major mobile device security concerns are loss of devices that contain sensitive information (66%); mobile devices infected by malware (60%); theft of data from the device (44%); users downloading malicious apps (33%); and identity theft and other personal loss to users (30%).
Attacking Information Systems

The GhostNet attack was not an isolated case of cross-border cyberattacks. The U.S. Congress is working on legislation to protect the country from what some call a "Cyber Pearl Harbor" attack or a digital 9/11. In May 2014, the U.S. government named five Chinese military officers as responsible for stealing data and spying on several thousand companies in the United States, stealing trade secrets (Kravets 2014).

major physical damage to the nuclear program, delaying it by months or possibly even years. The attack was perpetrated using a sophisticated computer worm named Stuxnet. This is an example of a weapon created by a country to achieve a goal that otherwise may have been achieved only by physical weapons. In apparent retaliation, Iranian and pro-Palestinian hackers attacked El Al (Israel's national airline) and the country's stock exchange. Iran is believed to have been behind a November 2012 attack on U.S. banks. Many countries have cyberattackers (e.g., China, Russia, Nigeria, Iran, and India). For an example of Iranian attacks on U.S. banks, see Nakashima and Zapotosky (2016).

There is a clear shift in the nature of the operations of computer criminals. In the early days of e-commerce, many hackers simply wanted to gain fame or notoriety by defacing websites. Online File W10.1 illustrates a case of a criminal who did not attack systems to make a profit. There are many more criminals today, and they are more sophisticated. Most popular is the theft of personal information such as credit card numbers, bank account details, Internet IDs, and passwords. According to Privacy Rights Clearinghouse (privacyrights.org), millions of records containing personal information are breached every year. Criminals today are even holding data for ransom and trying to extort payments from their victims. An illustrative CNN video (2:30 min) titled "Hackers Are Holding Data for Ransom" is available at money.cnn.com/video/technology/2012/10/08/t-ransomware-hackers.cnnmoney. In 2016, a hospital was forced to pay a ransom (in bitcoins) to get back its data, which had not been backed up (see Winton 2016). CryptoLocker is a ransomware Trojan used for such crimes (see usatoday.com/story/news/nation/2014/05/14/ransom-ware-computer-dark-web-criminal/8843633). The practical defense against ransomware is a tested, offline backup: an organization that can restore its own data has no reason to pay.

Lemos (2016) provides a slide show that illustrates the top security trends of 2016, which include ransomware and cyberspying.

Note that laptop computers, tablets, and smartphones are stolen for two reasons: to sell them (e.g., to pawn shops or on eBay) and to find the owners' personal information (e.g., social security number, driver's license details, and so forth). In January 2014, a former Coca-Cola employee stole laptops containing information on 74,000 individuals belonging to current and past employees of the company. The company did not have a data loss prevention program in place, nor were the laptops encrypted; full-disk encryption would have made the data on the stolen machines worthless to the thief.

A major driver of data theft and other crimes is the ability to profit from the theft. Today, stolen data are sold on the black market, which is described next.

Computers Everywhere

As described in Chapter 6, computers are everywhere, from your home to your work, in study places, entertainment areas, etc. Even your car can be hacked (see Pagliery 2014b).

The Increased Volume of Wireless Activities and the Number of Mobile Devices

Wireless networks are more difficult to protect than wireline networks. For example, many smartphones are equipped with near-field communication (NFC) chips, which are necessary for mobile payments. Additionally, BYOD (Chapter 6) may create security problems. Hackers can exploit the features of smartphones and related devices (e.g., Bluetooth) with relative ease.

The Darknet and the Underground Economy

The darknet can be viewed as a separate Internet that is reached via the regular Internet and a connection to the Tor network. (Tor is an anonymity network that routes traffic through several volunteer-operated relays, encrypting it in layers so that no single relay knows both the source and the destination; it is not a set of VPNs.) The darknet restricts access to trusted people ("friends") by using nonstandard protocols and addresses that are not publicly listed. It allows anonymous surfing, and its contents are not indexed by Google or other search engines. Tor hidden services have also been used for file sharing (the well-known Pirate Bay, for example, has been reachable through Tor). The darknet is often used for political dissent and for conducting illegal transactions, such as selling drugs and pirating intellectual property via file sharing. The latter activity is part of what is known as the Internet underground economy. In November 2014, law enforcement authorities in Europe and the United States shut down many Tor websites; those takedowns do not appear to have involved breaking Tor's encryption. In 2015, the U.S. government shut down Darkode, an online forum where malware and stolen personal data were traded. See Victor (2015).

The Internet Underground Economy

The Internet underground economy refers to the e-markets for stolen information, made up of thousands of websites that sell credit card numbers, social security numbers, e-mail addresses, bank account numbers, social network IDs, passwords, and much more. Stolen data are sold to spammers or criminals for anywhere from less than a dollar apiece to several hundred dollars each. The purchasers use them to send spam or to conduct illegal financial transactions, such as transferring other people's money into their own accounts or paying the spammers' credit card bills. It is estimated that about 30% of all transactions in the underground market are made with stolen credit cards. Symantec estimates the potential worth of just the credit cards and banking information for sale at about a billion dollars annually. Forty-one percent of the underground economy is in the United States, while 13% is in Romania. For a discussion of the digital underground, see Goodman (2016).

The Internet Silk Road

This is one of the underground sites where hundreds of drug dealers and other "black market" merchants conducted their business. In October 2013, law enforcement authorities in the United States shut down the site and arrested its founder, who
was later sentenced to life in prison. However, shortly thereafter, Silk Road was "resurrected" as Silk Road 2.0. Transactions on Silk Road are paid only in bitcoins (Chapter 11). In February 2014, hackers stole over 4,400 bitcoins that were held in escrow (between buyers and sellers); over $2.7 million worth of bitcoins were gone forever (see Pagliery 2014a). The owner of the Silk Road site declared bankruptcy. However, by May 2014 the site was back in business.

Keystroke Logging in the Underground Economy

Keystroke logging (keylogging) is the process of using a device or software program that tracks and records a user's activity in real time (without the user's knowledge or consent) by capturing the keyboard keys they press. Since personal information such as passwords and user names is entered on a keyboard, the keylogger can use the captured keystrokes to obtain it. Keyloggers are commonly built into banking Trojans, and the credentials they harvest are among the goods sold in the underground economy.

The Sophistication of the Attacks

Cybercriminals are sharpening their weapons continuously, using technological innovations. In addition, criminals are organizing into very powerful groups, such as LulzSec and Anonymous. Cybercriminals change their tactics in response to improved security (i.e., they adapt quickly to a changing environment).

The Cost of Cybercrime

It is not clear how much cybercrime costs. Many companies do not disclose their losses. However, HP Enterprise Security's "2013 Cost of Cyber Crime Study: Global Report" found that the average annualized cost of cybercrime per company surveyed was $7.2 million per year, an increase of 30% over the previous year's global cyber cost study. Data breaches can be very costly to organizations. For how organizations can be devastated by cyberattacks, see Kavilanz (2013). For an infographic regarding the cost of cyberattacks, see Alto (2016).

SECTION 10.1 REVIEW QUESTIONS

1. Define computer security.
2. List the major findings of the most recent CSI survey.
3. Describe the vulnerable design of the Internet.
4. Describe some profit-induced computer crimes.
5. Describe the Internet underground economy and the darknet.
6. Describe the dynamic nature of EC systems.

10.2 BASIC E-COMMERCE SECURITY ISSUES AND LANDSCAPE

Cybercriminal: A person who intentionally carries out crimes over the Internet.

Exposure: The estimated cost, loss, or damage that can result if a threat exploits a vulnerability.

Fraud: Any business activity that uses deceitful practices or devices to deprive another of property or other rights.

Malware (malicious software): A generic term for malicious software, including viruses, worms, Trojan horses, spyware, and ransomware.

Phishing: A fraudulent process of attempting to acquire sensitive information by masquerading as a trustworthy entity.

Risk: The probability that a vulnerability will be known and used.
[Figure residue: The EC security battleground. Attackers and their methods (intentional: criminals; unintentional: natural disasters, malfunctions, human errors) target information systems (software, hardware, procedures, e-mail, equipment, networks, people). Defenders and their methods: prevention, detection, deterrence (punishments), remote backup, e-mail defense, business continuity, controls, system and user defense, nontechnical defense, recovery, vulnerability assessment; supported by regulations, policy, strategy, compliance, privacy protection, cost-benefit analysis, spam and spyware protection, and the legal system.]
Social engineering: A type of nontechnical attack that uses some ruse to trick users into revealing information or performing an action that compromises a computer or network.

Spam: The electronic equivalent of junk mail.

Vulnerability: A weakness in software or another mechanism that threatens the confidentiality, integrity, or availability of an asset (recall the CIA model). It can be used directly by a hacker to gain access to a system or network.

Zombie: A computer infected with malware that is under the control of a spammer, hacker, or other criminal.

Definitions of these terms are provided at webopedia.com/TERM.

• The security defense, the defenders, and their methods and strategy

The Threats, Attacks, and Attackers

Information systems, including EC, are vulnerable to both unintentional and intentional threats.

Unintentional Threats

Unintentional threats fall into three major categories: human error, environmental hazards, and malfunctions in the computer system.
ways. Software programs can be manipulated. Procedures and policies may be altered, and much more. Vulnerable areas are frequently attacked.

Vulnerability Information

A vulnerability is a weakness in a system that an attacker can find and exploit. Vulnerabilities create opportunities for attackers to damage information systems. MITRE Corporation publishes a dictionary of publicly known security vulnerabilities called Common Vulnerabilities and Exposures (CVE) (cve.mitre.org); each entry carries an identifier of the form CVE-YYYY-NNNN that vendors, scanners, and advisories use to refer to the same flaw. Exposure can result when a cybercriminal exploits a vulnerability. See Microsoft's guide to threats and vulnerabilities at technet.microsoft.com/en-us/library/dd159785.aspx.

Attacking E-Mail

One of the easiest places to attack is a user's e-mail, since it travels across the open Internet, often without end-to-end encryption.

Attacking Smartphones and Wireless Systems

Since mobile devices are more vulnerable than wired systems, attacking smartphones and tablets is becoming popular due to the explosive growth of mobile computing. According to Fink (2014), hackers can steal your phone password by recording your screen taps with wearable digital glasses.

The Vulnerability of RFID Chips

These chips are embedded everywhere, including in credit cards and U.S. passports. Cards are designed to be read from some distance (contactless), which also creates a vulnerability. When you carry a credit card in your wallet or pocket, anyone with an RFID reader who gets close enough to you may be able to read the RFID information on your card (the normal read range of contactless payment cards is only a few centimeters, but purpose-built readers can extend it). For a presentation, watch the video "How to Hack RFID-Enabled Credit Cards for $8 (BBtv)" at youtube.com/watch?v=vmajlKJlT3U.

The Vulnerabilities in Business IT and EC Systems

Vulnerabilities can be technical in nature (e.g., unencrypted communications; insufficient use of security programs and firewalls) or organizational (e.g., lack of user training and security awareness, or an insider who steals data and engages in inappropriate use of business computers).

Pirated Videos, Music, and Other Copyrighted Material

It is relatively easy to illegally download, copy, or distribute music, videos, books, software, and other intellectual property when it is on the Web. Online piracy occurs when illegal software is downloaded from a peer-to-peer network. An example is the pirating of live sports events. At stake are millions of dollars in lost revenue to sports leagues and media companies. These institutions are joining forces in lobbying for stronger copyright legislation and by filing lawsuits against violators. For facts and statistics about online piracy, see articles.latimes.com/2013/sep/17/business/la-fi-ct-piracy-bandwith-20130917.

EC Security Requirements

Good security is a key success factor in EC. The following set of security requirements is used to assure success and to minimize EC transaction risks:

• Authentication. Authentication is a process used to verify (assure) the real identity of an EC entity, which could be an individual, software agent, computer program, or EC website. For electronic messages, authentication verifies that the sender/receiver of the message is who the person or organization claims to be. (The ability to establish the identity of a person/entity with whom you are doing business.)
• Authorization. Authorization is the provision of permission to an authenticated person to access systems and perform certain operations in those specific systems.
• Auditing. When a person or program accesses a website or queries a database, various pieces of information are recorded or logged into a file. The process of maintaining or revisiting the sequence of events during the transaction, when, and by whom, is known as auditing.
• Availability. Assuring that systems and information are available to the user when needed and that the site continues to function. Appropriate hardware, software, and procedures ensure availability.
• Nonrepudiation. Closely associated with authentication is nonrepudiation, which is the assurance that online customers or trading partners will not be able to falsely deny (repudiate) their purchase, transaction, sale, or other obligation. Nonrepudiation involves several assurances, including providing proof of delivery from the sender and proof of sender and recipient identities and the identity of the delivery company.
Authentication and nonrepudiation are potential defenses against phishing and identity theft. To protect and ensure trust in EC transactions, digital signatures or digital certificates are often added to validate the senders and the times of the transactions, so that buyers are not able to deny that they authorized a transaction or claim that it never occurred. A digital signature provides nonrepudiation only because the signing key is held by one party alone; a message authentication code computed with a key shared by buyer and seller authenticates the message but cannot prove which of the two produced it.

The Defense: Defenders, Strategy, and Methods

Everybody should be concerned about security. However, in a company, the information systems department and security vendors provide the technical side, while management provides the administrative aspects. Such activities are done via security and strategy procedures that users need to follow.

EC Defense Programs and Strategy

An EC security strategy consists of multiple layers of defense that include several methods. This defense aims to deter, prevent, and detect unauthorized entry into an organization's computer and information systems. Deterrent methods are countermeasures that make criminals abandon their idea of attacking a specific system (e.g., a possible deterrent is a realistic expectation of being caught and punished). Prevention measures help stop unauthorized people from accessing the EC system (e.g., by using authentication devices and firewalls, or by using intrusion prevention, which is, according to TechTarget, "a preemptive approach to network security used to identify potential threats and respond to them swiftly"). Detection measures help find security breaches in computer systems. Usually this means finding out whether intruders are attempting (or have attempted) to break into the EC system, whether they were successful, whether they are still damaging the system, and what damage they may have done.

Information Assurance

Making sure that a customer is safe and secure while shopping online is a crucial part of improving the online buyer's experience. Information assurance (IA) consists of the measures taken to protect information systems and their processes against all risks.

Possible Punishment

A part of the defense is to deter criminals by punishing them heavily if they are caught. Judges now are giving more and harsher punishments than a decade ago. For example, in March 2010, a federal judge sentenced 28-year-old TJX hacker Albert Gonzalez to 20 years in prison for his role in stealing millions of credit and debit card numbers and selling them. Such severe sentences send a powerful message to hackers and help the defense. Unfortunately, in many cases the punishment is too light to deter the cybercriminals.

Defense Methods and Technologies

There are hundreds of security defense methods, technologies, and vendors, and these can be classified in different ways, so their analysis and selection may be difficult. We introduce only some of them later in this chapter.

Recovery

In security battles, there are winners and losers in each security episode, but it is difficult to win the security war. There are many reasons for this. On the other hand, organizations and individuals usually recover after a security breach. Recovery is especially critical in cases of a disaster or a major attack, and it must be speedy. Organizations need to continue their business until the information systems are fully restored, and they need to restore them fast. This is accomplished by activating business continuity and disaster recovery plans.

Because of the complexity of EC and network security, comprehensive coverage requires an entire book, or even several books. Here we cover only selected topics. Those readers interested in a more comprehensive discussion should see the Pearson/Prentice Hall Security Series of security books and also conduct a Google search.

SECTION 10.2 REVIEW QUESTIONS

1. List five major EC security terms.
2. Describe the major unintentional security hazards.
3. List five examples of intentional EC security crimes.
4. Describe the security battleground, who participates, and how. What are the possible results?
5. Define hacker and cracker.
6. List all security requirements and define the authentication and authorization requirements.
7. What is nonrepudiation?
8. Describe vulnerability and provide some examples of potential attacks.
9. Describe deterring, preventing, and detecting in EC security systems.
10. What is a security strategy, and why is it needed?

10.3 TECHNICAL MALWARE ATTACK METHODS: FROM VIRUSES TO DENIAL OF SERVICE

There are many ways criminals attack information systems and users. Here, we cover only major representative methods. It is helpful to distinguish between two common types of attacks: technical (which we discuss in this section)
and nontechnical (or organizational), which we discuss in Section 10.4.

Malware (Malicious Code): Viruses, Worms, and Trojan Horses

Worms

Unlike a virus, a worm can replicate itself automatically (as a "standalone," without any host or human activation). Worms use networks to propagate and infect a computer or handheld device and can even spread via instant messages or e-mail. In addition, unlike viruses, which generally are confined within a target computer, a worm can infect many devices in a network as well as degrade the network's performance. According to Cisco, "worms either exploit a vulnerability on the target system or use some kind of social engineering to trick users into executing them." Because worms spread much more rapidly than viruses, they may be more dangerous.

Macro Viruses and Macro Worms

A macro virus (macro worm) is malware code that is attached to a data file rather than to an executable program (e.g., a Word file). According to Microsoft, macro viruses can attack Word files as well as the files of any other application that supports a macro language. When the document is opened or closed, the virus can spread to other documents on the computer's system. For information about Word macro viruses, see Microsoft Support at support.microsoft.com/kb/187243/en. Computer programs that are very similar to viruses are worms and Trojan horses.

Trojan Horse

A Trojan horse is a program that seems to be harmless or even looks useful but actually contains hidden malicious code. Users are tricked into executing an infected file, which then attacks the host, doing anything from inserting pop-up windows to damaging the host by deleting files, spreading malware, and so forth. The name is derived from the Trojan horse in Greek mythology. Legend has it that during the Trojan War, the city of Troy was presented with a large wooden horse as a gift to the goddess Athena. The Trojans hauled the horse inside the city gates. During the night, Greek soldiers who were hiding in the hollow horse opened the gates of Troy and let in the Greek army. The army was able to take the city and win the war.

Trojans spread only by user interaction (e.g., opening an attachment to an e-mail allegedly sent by Verizon), and there are many variants of Trojans (e.g., Zeus, W32).

Example 1: Trojan-Phisher-Rebery

In 2006, a variant of a Trojan horse program named Trojan-Phisher-Rebery was used to steal tens of thousands of identities from people in 125 different countries. The Rebery malicious software is an example of a banking Trojan, which is programmed to create damage when users visit certain online banking or e-commerce sites. For an infographic describing the state of financial Trojans, see Symantec (2014).

Example 2: The DDoS Attack Through WordPress

In March 2014, attackers abused more than 162,000 WordPress sites, using the XML-RPC pingback feature that WordPress enables by default, to flood a single target site with requests. Given that WordPress powers about 17% of the world's websites, any weakness in it can be exploited at a devastating scale.
Some Security Bugs and Malware: Heartbleed and Cryptolocker

Two widely publicized threats appeared in 2013 and 2014: a ransomware Trojan and a flaw in a cryptographic library used by a large share of the Web.

Heartbleed

According to Russell (2014), "Heartbleed is a flaw in OpenSSL, the open-source encryption standard used by the majority of websites that need to transmit the data that users want to keep secure. It basically gives you a secure line when you're sending an e-mail or chatting on IM." (Strictly, OpenSSL is a software library that implements the TLS protocol rather than a standard; the flaw, CVE-2014-0160, was a missing bounds check in its handling of the TLS heartbeat extension.)

The potential damage may be large. Each malformed heartbeat request can return up to 64 KB of the server process's memory, and the attacker can repeat the request as often as desired, so in practice anything held in that memory may be exposed: session cookies, passwords in flight, and even the server's private key, which would let an attacker impersonate the site or decrypt recorded traffic. Early estimates put the number of affected websites as high as 650 million. The expert advice was, in order: patch OpenSSL, generate new private keys and reissue certificates, invalidate active sessions, and only then have users change their passwords (a password changed on an unpatched server is simply exposed again).

Cryptolocker

Discovered in September 2013, Cryptolocker is a ransomware Trojan. This malware can come from many sources, including e-mail attachments; it encrypts files on your computer so that you cannot read them. The malware owner then offers to decrypt the data in exchange for a bitcoin payment or a similar hard-to-trace payment method. The reliable defense is an offline backup made before the infection; files encrypted with a properly implemented scheme cannot be recovered without the attacker's key.

For information on what to do if you are being blackmailed and how to protect yourself, see Cannell (2013).

Denial of Service

According to Incapsula, Inc., a denial-of-service (DoS) attack is "a malicious attempt to make a server or network resource unavailable to users, usually by temporarily interrupting or suspending the services of a host connected to the Internet." This causes the system to crash or become unable to respond in time, so the site becomes unavailable. One of the most popular types of DoS attack occurs when a hacker "floods" the system by overloading it with "useless traffic," so that users are prevented from accessing their e-mail, websites, etc.

Note: A DoS attack is launched from one computer and one Internet connection, as opposed to a distributed denial-of-service (DDoS) attack, which involves many devices and multiple Internet connections (to be discussed later). An attacker can also use spam e-mail messages to launch a similar attack on your e-mail account. A common method of launching DDoS attacks is to use zombie (hijacked) computers, each of which can be controlled remotely by a hacker without the knowledge of the computer's owner. A group of zombies under one controller is a botnet; together they launch an overwhelming number of requests toward the attacked website, creating the denial of service. For example, DoS attackers target social networks, especially Facebook and Twitter. An example of such an attack is described in Online File W10.1.

DoS attacks can be difficult to stop. Fortunately, the security community has developed tools for combating them. For comprehensive coverage, see us-cert.gov/ncas/tips/ST04-015.

Note: In 2014, a DDoS-for-hire ("stresser") service called Lizard Stresser offered to take down any website for a fee of $3 (see Goldman 2014b).

Botnets

According to the Microsoft Safety and Security Center, a botnet (also known as a "zombie army") is malicious software that criminals distribute to infect a large number of hijacked Internet-connected computers controlled by hackers. These infected computers then form a "botnet," causing the personal computer to "perform unauthorized attacks over the Internet" without the user's knowledge. Unauthorized tasks include sending spam and e-mail messages, attacking computers and servers, and committing other kinds of fraud, causing the user's computer to slow down (microsoft.com/security/resources/botnet-whatis.aspx).

Each attacking computer is considered a computer robot, or "bot." In 2010, one botnet was found to consist of some 75,000 systems infected with the Zeus Trojan. Botnets are used in scams, spam, fraud, or just to damage systems (as in the hospital case described in Online File W10.1). Botnets appear in different forms and can be built with worms or viruses. Famous botnets include Zeus, Srizbi, Pushdo/Cutwail, Torpig, and Conficker.

Example: Rustock

Rustock was a botnet made up of about one million hijacked PCs, which evaded discovery for years. The botnet, which sent out up to 30 billion spam messages per day, placed "booby-trapped" advertisements and links on websites visited by the victims. The spammers camouflaged the updates to PCs to look like comments in discussion boards, which made them hard for security software to find. Microsoft was one of the companies that helped shut down Rustock. In 2013, Microsoft and the FBI "disrupted" over 1,000 botnets used to steal banking information and identities. Both Microsoft and the FBI had been trying to take down the malware "Citadel," which affected millions of people located in more than 90 countries. For an analysis of malicious botnet attacks, see Katz (2014).

Home Appliance "Botnet"

The Internet of Things (IoT) can also be hacked. Since participating home appliances have a connection to the Internet, they can become computers that can be hacked and controlled. The first home attack, which involved television sets and at least one refrigerator, occurred between December 2013 and January 2014, and was referred to as "the first home appliance 'botnet' and the first cyberattack from the Internet of Things." Hackers broke into more than 100,000 home appliances and used them to send over 750,000 malicious e-mails to enterprises and individuals worldwide (see Bort 2014).

Malvertising

According to Techopedia, malvertising is "a malicious form of Internet advertising used to spread malware." Malvertising is accomplished by hiding malicious code within relatively safe online advertisements (see techopedia.com/definition/4016/malvertising).

Note that hackers are targeting ads at accelerating rates.

10.4 NONTECHNICAL METHODS: FROM PHISHING TO SPAM AND FRAUD

As discussed in Section 10.1, there has been a shift to profit-related Internet crimes. These crimes are conducted with the help of both technical methods, such as malicious code that can access confidential information that may be used to steal money from your online bank account, and nontechnical methods, such as social engineering.

Social Engineering and Fraud

Social engineering refers to a collection of methods where criminals use human psychology to persuade or manipulate
For example, in 2013, Google disabled ads from over people into revealing their confidential information, or their
400,000 sites that were hiding malware (see Yadron 2014). A employment information so they can collect information
final word: If you get an e-mail that congratulates you on for illegal activities. The hacker may also attempt to get
winning a large amount of money and asks you to “Please access to the user’s computer in order to install malicious
view the attachment,” don’t! software that will give hackers control over the person’s
computer. The major social engineering attacks are phish-
ing (several submethods; typically, a phisher sends an
SECTION 10.3 REVIEW QUESTIONS e-mail that appears to come from a legitimate source), pre-
texting (e.g., an e-mail allegedly sent from a friend asking
1. Describe the difference between a nontechnical and a for money), and diversion theft (when a social engineer
technical cyberattack. convinces a courier company that he is the real recipient of
2. What are the major forms of malicious code? the package but it should be “rerouted” to another address,
3. What factors account for the increase in malicious code? whereupon the social engineer accepts the package). Once
4. Define a virus and explain how it works. information is obtained from a victim (e.g., via phishing), it
5. Define worm and Trojan horse. is used for committing crimes, mostly for financial gain, as
6. Define DoS. How are DoS attacks perpetrated? shown in Figure 10.5. The growth rate of unpatched vulner-
7. Define server. abilities and the volume of e-mail scam/phishing activities
8. Describe botnet attacks. are increasing rapidly.
[Figure 10.5 (labels recovered from the figure): (1) Criminal Methods used by Phishers; (2) Commit Financial Fraud/Crime; (4A, 4B) and (5) Sell in Underground E-Market]
As you can see in the figure, phishers (or other criminals) obtain confidential information by using methods ranging from social engineering to physical theft. The stolen information (e.g., credit card numbers, users' identities) is used by the thieves to commit fraud for financial gain, or it is sold in the underground Internet marketplace to another set of criminals, who then use the information to conduct financial crimes themselves. For details see Wollen (2016). In this section, we will describe how phishing, which is a subset of social engineering, is used.
Any e-mail you receive asking for personal details is most likely a scam or phishing attempt, since a legitimate organization will already have your personal information. For tips from Yahoo! on how to protect yourself online, see Yahoo! Safety (safety.yahoo.com).
IT security site Secpoint.com provides a list of the top ten security-related attacks on the following topics: top viruses, spyware, spam, worms, phishing, hacker attacks, and hackers and social engineering tactics. In addition, the site provides related pages on IT security resources such as the top ten hackers; top ten security tips and tools; and pages relating to anti-phishing, anti-DoS, anti-spam, and more. For SecPoint IT resources for top ten spam attacks, see secpoint.com/Top-10-Spam-Attacks.html.

Identity Theft and Identity Fraud

Identity theft, according to the United States Department of Justice website, is a crime. It refers to wrongfully obtaining and using the identity of another person in some way to commit crimes that involve fraud or deception (e.g., for economic gain). Victims can suffer serious damages. In many countries, it is a crime to assume another person's identity. According to the U.S. Federal Trade Commission (ftc.gov), identity theft is one of the major concerns of EC shoppers. According to the FTC statistics, identity theft affects over 12 million Americans each year, for a loss of over $55 billion, and is growing about 20% annually. For an entertaining comedy, see the 2013 movie "Identity Thief."

Example
According to Constantin (2016), identity thieves stole 100,000 social security numbers and other personal data from U.S. IRS files.

Identity Fraud

Identity fraud refers to assuming the identity of another person or creating a fictitious person and then unlawfully using that identity to commit a crime. Typical activities include:
• Opening a credit card account in the victim's name
• Making a purchase using a false identity (e.g., using another's identity to buy goods)
• Business identity theft, that is, using another's business name to obtain credit or to get into a partnership
• Posing as another to commit a crime
• Conducting money laundering (e.g., organized crime) using a fake identity

into contacting phony customer service representatives and handing over personal account data. Scammers have now targeted other companies, such as AT&T and Comcast, by drawing users to fake websites via phony sponsored ads (Casti 2014b). For 2015 phishing attacks, see Lemos (2016). Also see Forrest (2016) for why phishing gets more dangerous.
Selling stolen information, like selling any stolen goods, can be profitable and hard to stop. Unfortunately, potential e-commerce customers list "the potential risk of fraud" and "the mistrust of online merchants that you do not know" as their primary reasons for not shopping online.
For information and protection, see idtheftcenter.org and fdic.gov/consumers/theft.

Cyber Bank Robberies

Example: Secureworks.com
Secureworks.com uncovered the following check fraud operation: Russian cybercriminals used "money mules" (people who thought they were signing up for a legitimate job), 2000 computers, and sophisticated hacking methods to steal archived check images from five companies and wire the collected money overseas.
Next, the scammers printed counterfeit checks, which the money mules deposited in their own accounts. Then, the mules were ordered to wire (transfer) the money to a bank in Russia. The "mules," as usual, were innocent people who were hired and paid to do the transfer. Some of the mules became suspicious and reported the scam to the authorities.

Spam Attacks

E-mail spam, also known as junk e-mail or just spam, occurs when almost identical messages are e-mailed to many recipients in bulk (sometimes millions of unsolicited e-mails). According to Symantec, in April 2009, over 90% of messages on corporate networks were e-mail spam. Nearly 58% of spam came from botnets, the worst called Dotnet. The situation is better today (2016) due to improved filtering of junk mail. Spammers can purchase millions of e-mail addresses, and then format the addresses, cut and paste the messages, and press "send." Mass e-mail software that generates, sends, and automates spam e-mail sending is called ratware. The messages can be advertisements (to buy a product), fraud-based, or just annoying viruses. For current statistics on spam, see securelist.com/statistics. Securelist is a comprehensive site that also provides descriptions of spam and viruses, a glossary, and information on threats. More than 130 billion spam e-mails were sent each day as of 2013, but this growth rate has stabilized. Note that approximately 80% of all spam is sent by fewer than 200 spammers. These spammers are using spyware and other tools mostly for sending unsolicited advertising. The spammers are getting more and more sophisticated (e.g., see Kaiser 2014).

Typical Examples of Spamming

Each month Symantec provides a report titled "The State of Spam: A Monthly Report." The report provides examples of current popular scams, categories of spam, originating countries, volume, and much more.

Spam in Social Networks and in the Web 2.0 Environment

• Users may unknowingly insert malicious code into their profile page, or even their list of friends.
• Most anti-spam solutions cannot differentiate between real and criminal requests to connect to a network. This enables criminals to obtain personal information about the members in a network.
• Facebook and other popular social networking sites offer free, useful, attractive applications. These applications may have been built by developers who used weak security.
• Scammers may create a fake profile and use it in a phishing scam.

A data breach (also known as data leak or data loss) is a security incident in which data are obtained illegally and then published or processed. There are many purposes for data breaches. For instance, one person in the U.S. military used a USB drive to download classified information and then posted the stolen information on the Internet. For drivers of data breaches and how to protect yourself, see Goldman (2014a). For the most frightening data breaches, see TechRepublic Staff (2015).
The discussion so far has concentrated on attacks. Defense mechanisms, including those related to spam and other cybercrimes, are provided in Section 10.6. First, let us examine what is involved in assuring information security.
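The phishing traits discussed in this section (a sender that only appears legitimate, a request for personal details, pressure to act now) and the defining trait of spam (almost identical messages sent to many recipients) can both be checked mechanically. The Go program below is an added example written for this edit; it is not code from the book or from any vendor named above. The mailbox it scans is constructed inline, the domains are reserved .example names, and the heuristic weights, the phishing threshold of 4, and the way a bulk "fingerprint" is computed are assumptions chosen for illustration rather than a published filter.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/mail"
	"regexp"
	"strings"
)

// Message is a minimal e-mail record; headers are taken as already split.
type Message struct{ From, To, Subject, Body string }

var (
	// <a href="http://REAL-HOST/...">VISIBLE TEXT</a>: capture real host and visible text.
	anchorRe  = regexp.MustCompile(`(?i)<a\s+href="https?://([^/"]+)[^"]*"[^>]*>([^<]*)</a>`)
	urgencyRe = regexp.MustCompile(`(?i)\b(urgent|immediately|within 24 hours|suspended|verify your account)\b`)
	credRe    = regexp.MustCompile(`(?i)\b(password|social security|ssn|card number|pin)\b`)
	digitsRe  = regexp.MustCompile(`[0-9]+`)
	spaceRe   = regexp.MustCompile(`\s+`)
)

// hostOf reduces the visible text of a link to a lowercase host name.
func hostOf(s string) string {
	s = strings.TrimSpace(strings.ToLower(s))
	s = strings.TrimPrefix(strings.TrimPrefix(s, "https://"), "http://")
	if i := strings.IndexAny(s, "/ "); i >= 0 {
		s = s[:i]
	}
	return s
}

// PhishScore applies the heuristics the text describes: a sender that only
// looks legitimate, links whose visible host differs from the real target,
// a request for confidential data, and pressure to act now. The reasons
// are returned so an analyst can see why a message was flagged.
func PhishScore(m Message) (score int, reasons []string) {
	if addr, err := mail.ParseAddress(m.From); err == nil {
		domain := strings.ToLower(addr.Address[strings.LastIndex(addr.Address, "@")+1:])
		words := strings.Fields(strings.ToLower(addr.Name))
		// "PayPal Support" <help@paypa1-verify.example>: brand in the name, not in the domain.
		if len(words) > 0 && !strings.Contains(domain, words[0]) {
			score += 3
			reasons = append(reasons, fmt.Sprintf("name claims %q but domain is %s", words[0], domain))
		}
	}
	for _, a := range anchorRe.FindAllStringSubmatch(m.Body, -1) {
		if target, shown := strings.ToLower(a[1]), hostOf(a[2]); strings.Contains(shown, ".") && shown != target {
			score += 3
			reasons = append(reasons, fmt.Sprintf("link shows %s but points to %s", shown, target))
		}
	}
	if credRe.MatchString(m.Body) {
		score += 2
		reasons = append(reasons, "asks for confidential data")
	}
	if urgencyRe.MatchString(m.Subject + " " + m.Body) {
		score++
		reasons = append(reasons, "urgency language")
	}
	return score, reasons
}

// BulkFingerprint collapses the per-recipient variations spammers introduce
// (numbers, whitespace, case) so "almost identical" copies hash to one value.
func BulkFingerprint(body string) string {
	norm := spaceRe.ReplaceAllString(digitsRe.ReplaceAllString(strings.ToLower(body), "#"), " ")
	sum := sha256.Sum256([]byte(strings.TrimSpace(norm)))
	return hex.EncodeToString(sum[:8])
}

// BulkCampaigns counts distinct mailboxes per fingerprint and keeps the
// fingerprints that reached at least minRecipients of them.
func BulkCampaigns(msgs []Message, minRecipients int) map[string]int {
	seen := map[string]map[string]bool{}
	for _, m := range msgs {
		fp := BulkFingerprint(m.Body)
		if seen[fp] == nil {
			seen[fp] = map[string]bool{}
		}
		seen[fp][strings.ToLower(m.To)] = true
	}
	out := map[string]int{}
	for fp, rcpts := range seen {
		if len(rcpts) >= minRecipients {
			out[fp] = len(rcpts)
		}
	}
	return out
}

// SampleMessages is a constructed mailbox, not real mail: a phishing lure, a
// legitimate notice, and three copies of one pitch with the numbers varied.
var SampleMessages = []Message{
	{From: `"PayPal Support" <help@paypa1-verify.example>`, To: "alice@corp.example", Subject: "URGENT: account suspended",
		Body: `Verify your account within 24 hours: <a href="http://login.paypa1-verify.example/x">https://www.paypal.com/signin</a> and confirm your password.`},
	{From: `"Corp IT" <it@corp.example>`, To: "alice@corp.example", Subject: "Lab maintenance Saturday",
		Body: `The student lab is closed Saturday 09:00-12:00. Details: <a href="https://intranet.corp.example/lab">intranet.corp.example</a>`},
	{From: `"Bulk Deals" <promo@bulk.example>`, To: "alice@corp.example", Subject: "Save 40%", Body: "Dear customer 1041, save 40% today! Offer code 7781."},
	{From: `"Bulk Deals" <promo@bulk.example>`, To: "bob@corp.example", Subject: "Save 40%", Body: "Dear customer 1042, save   40% today! Offer code 7782."},
	{From: `"Bulk Deals" <promo@bulk.example>`, To: "carol@corp.example", Subject: "Save 40%", Body: "Dear Customer 1043, save 40% today! Offer code 7783."},
}

func main() {
	for _, m := range SampleMessages {
		score, why := PhishScore(m)
		fmt.Printf("%-26s score=%d phishing=%-5v %v\n", m.Subject, score, score >= 4, why)
	}
	for fp, n := range BulkCampaigns(SampleMessages, 3) {
		fmt.Printf("bulk campaign %s reached %d mailboxes\n", fp, n)
	}
}
```

Run it with `go run`. The lure scores on all four heuristics while the IT notice scores zero, and the three "Save 40%" copies collapse to one fingerprint seen by three mailboxes, which is the bulk pattern a filter acts on. The display-name check is deliberately crude (a brand word absent from the sending domain) and will produce false positives for legitimate mail sent through a third-party domain, which is why the reasons are returned rather than a bare verdict.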
Biometric systems can identify a previously registered person by searching through a database for a possible match based on the person's observed physical, biological, or behavioral traits, or the system can verify a person's identity by matching an individual's measured biometric traits against a previously stored version.
Examples of biometric features include fingerprints, facial recognition, DNA, palm print, hand geometry, iris recognition, and even odor/scent. Behavioral traits include voice ID, typing rhythm (keystroke dynamics), and signature verification. A brief description of some of these follows:

• Thumbprint or fingerprint. A thumb- or fingerprint (finger scan) of users requesting access is matched against a template containing the fingerprints of authorized people (e.g., used by Apple Pay).
• Retinal scan. A match is sought between the patterns of the blood vessels in the retina of the access seekers and the retinal images of authorized people stored in a source database.
• Voice ID (voice authentication). A match is sought between the voice pattern of the access seekers and the stored voice patterns of the authorized people.
• Facial recognition. Computer software that views an image or video of a person and compares it to an image stored in a database (used by Amazon.com and Alibaba).
• Signature recognition. Signatures of access seekers are matched against stored authentic signatures.

Note that Alibaba is using facial recognition for online payments. You scan your face in front of the camera in your smartphone (see Kan 2015 for details). Amazon is using a similar system (Hinckley 2016).
Other biometric types are thermal infrared face recognition, hand geometry, and hand veins. For details, comparisons with regard to human characteristics, and cost–benefit analyses, see findbiometrics.com/solutions.

Encryption and the One-Key (Symmetric) System

Encryption is the process of encoding data into a form (called a ciphertext) that will be difficult, expensive, or time-consuming for an unauthorized person to understand. All encryption methods have five basic components: plaintext, ciphertext, an encryption algorithm, the key, and key space. Plaintext is a human-readable text or message. Ciphertext is an encrypted plaintext. The encryption algorithm is the set of procedures or mathematical algorithms used to encrypt or decrypt a message. Typically, the algorithm is not the secret piece of the encryption process. The key (key value) is the secret piece used with the algorithm to encrypt (or decrypt) the message. For how encryption works, see computer.howstuffworks.com/encryption.htm.
The major benefits of encryption are as follows:

• Allows users to carry data on their laptops, mobile devices, and storage devices (e.g., USB flash drives).
• Protects backup media while people and data are offsite.
• Allows for highly secure virtual private networks (VPNs; see Section 10.7).
• Enforces policies regarding who is authorized to handle specific corporate data.
• Ensures compliance with privacy laws and government regulations, and reduces the risk of lawsuits.
• Protects the organization's reputation and secrets.

Encryption has two basic options: the symmetric system, with one secret key, and the asymmetric system, with two keys.

Symmetric (Private) Key Encryption

In symmetric (private) key encryption, the same key is used to encrypt and decrypt the plaintext (see Figure 10.8). The sender and receiver of the text must share the same key without revealing it to anyone else—making it a so-called private system.
A strong key is only one requirement. Transferring the key between individuals and organizations may make it insecure. Therefore, in EC, a PKI system is used.

Public Key Infrastructure

A public key infrastructure (PKI) is a comprehensive framework for securing data flow and information exchange that overcomes some of the shortcomings of the one-key system. For example, symmetric one-key encryption requires the writer of a message to reveal the key to the message's recipient. A person who is sending a message (e.g., a vendor) may need to distribute the key to thousands of recipients (e.g., buyers), and then the key probably would not remain secret. The PKI solution uses two keys, public and private, as well as additional features that create a highly secured system. In addition to the keys, PKI includes digital signatures, hash digests (functions), and digital certificates.
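The one-key and two-key systems just described can be exercised side by side. The Go program below is an added example written for this edit, not code from the book: it encrypts a constructed order message under a single shared key (AES-256-GCM), shows that a wrong key or a one-bit change is rejected, and then uses an Ed25519 key pair to hash and sign the same message so that a buyer holding only the vendor's public key can verify it and detect a changed amount. The order text, the key sizes, and the choice of AES-GCM and Ed25519 as the concrete algorithms are assumptions for illustration; the algorithm is public in both cases and only the key is secret, as the text says. Certificates, the third PKI element, are not shown.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// SymmetricEncrypt is the one-key system: whoever holds key can both encrypt
// and decrypt. The AES-GCM algorithm is public; only the key is secret.
// Output is nonce || ciphertext || authentication tag.
func SymmetricEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per message, never reused under one key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// SymmetricDecrypt recovers the plaintext; it fails if the key is wrong or
// a single bit of the message was changed in transit.
func SymmetricDecrypt(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(msg) < gcm.NonceSize() {
		return nil, errors.New("message too short")
	}
	return gcm.Open(nil, msg[:gcm.NonceSize()], msg[gcm.NonceSize():], nil)
}

// SignedMessage carries what the two-key system adds: a hash digest of the
// payload and a signature over that digest made with the sender's private key.
type SignedMessage struct {
	Payload   []byte
	Digest    [sha256.Size]byte
	Signature []byte
}

// Sign hashes the payload and signs the digest with the private key.
func Sign(priv ed25519.PrivateKey, payload []byte) SignedMessage {
	d := sha256.Sum256(payload)
	return SignedMessage{Payload: payload, Digest: d, Signature: ed25519.Sign(priv, d[:])}
}

// Verify recomputes the digest from the received payload (so a substituted
// payload is caught) and checks the signature with the public key only.
func Verify(pub ed25519.PublicKey, m SignedMessage) bool {
	d := sha256.Sum256(m.Payload)
	return d == m.Digest && ed25519.Verify(pub, d[:], m.Signature)
}

// DemoResult records which checks in Demo behaved as expected.
type DemoResult struct {
	SymmetricOK, WrongKeyRejected, TamperRejected, SignatureOK, ForgeryRejected bool
}

// Demo walks through both systems with a constructed order message.
func Demo() (DemoResult, error) {
	var r DemoResult
	order := []byte("order 4471: pay 120.00 to vendor") // constructed sample plaintext

	// One-key system: vendor and buyer must already share key out of band.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return r, err
	}
	ct, err := SymmetricEncrypt(key, order)
	if err != nil {
		return r, err
	}
	pt, err := SymmetricDecrypt(key, ct)
	r.SymmetricOK = err == nil && bytes.Equal(pt, order)

	wrongKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, wrongKey); err != nil {
		return r, err
	}
	_, err = SymmetricDecrypt(wrongKey, ct)
	r.WrongKeyRejected = err != nil

	ct[len(ct)-1] ^= 0x01 // flip one bit of the authentication tag
	_, err = SymmetricDecrypt(key, ct)
	r.TamperRejected = err != nil

	// Two-key system: only the vendor holds priv; every buyer may hold pub.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}
	signed := Sign(priv, order)
	r.SignatureOK = Verify(pub, signed)
	signed.Payload = []byte("order 4471: pay 120000.00 to vendor") // attacker edits the amount
	r.ForgeryRejected = !Verify(pub, signed)
	return r, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

Run it with `go run`; `Demo` reports which of the five checks passed. Note what the example does not solve: the buyer still has to obtain the vendor's genuine public key, and binding a public key to its owner is exactly what the digital certificates listed above provide.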
[Figure (labels recovered from the figure): Sender and Receiver connected across the Internet through a modem, an External Firewall, and an Internal Firewall]

No matter how protected an organization is, it still can be a target for attempted security attacks. For example, most organizations have antivirus software, yet they are subjected to virus attacks by new viruses. This is why an organization must continually monitor for attempted, as well as actual, security breaches. The monitoring can be done by using intrusion detectors.
An intrusion detection system (IDS) is a device composed of software and/or hardware designed to monitor the activities of computer networks and computer systems in order to detect and define unauthorized and malicious attempts to access, manipulate, and/or disable these networks and systems. For details, the technology, benefits, and limitations, see

The Defense III: General Controls, Spam, Pop Ups, and Social Engineering Controls

The objective of IT security management practices is to defend information systems. A defense strategy requires several controls.
The major types of controls are: (1) general controls, which are designed to protect all system applications, and (2) application controls, which guard specific applications. In this and the following sections, we discuss representative types of these two groups of information system controls. Later in the section, we cover spam and fraud mitigation.
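The IDS paragraph above describes monitoring for unauthorized attempts, and the DoS discussion in Section 10.3 described a single source flooding a site with useless requests. The Go program below is an added example, not code from the book or from any IDS product, that does both over a constructed web access log: it URL-decodes each request path and matches a few misuse signatures, and it keeps a sliding window of timestamps per source so that a host exceeding a request threshold is reported once as a flood. The log format, the three signatures, the 10-second window and the threshold of 30 requests are assumptions chosen for this illustration; a production IDS carries thousands of signatures and tunes the thresholds per site.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
	"time"
)

// Alert is one finding for the operator.
type Alert struct{ Kind, IP, Detail string }

// signatures are misuse patterns matched against the URL-decoded path,
// kept in a slice so that alerts come out in a deterministic order.
var signatures = []struct {
	kind string
	re   *regexp.Regexp
}{
	{"sql-injection", regexp.MustCompile(`(?i)'\s*(or|and)\s+\S+\s*=\s*\S+|union\s+select`)},
	{"path-traversal", regexp.MustCompile(`\.\./`)},
	{"command-injection", regexp.MustCompile(`(?i)[;|]\s*(cat|sh|bash|wget|curl)\b`)},
}

// parseLine reads the constructed log format "TIME IP METHOD PATH STATUS".
func parseLine(line string) (time.Time, string, string, error) {
	f := strings.Fields(line)
	if len(f) != 5 {
		return time.Time{}, "", "", fmt.Errorf("malformed line: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return time.Time{}, "", "", err
	}
	path, err := url.PathUnescape(f[3]) // payloads are often hidden as %27, %2e%2e, etc.
	if err != nil {
		path = f[3]
	}
	return ts, f[1], path, nil
}

// Analyze runs the signature rules and a per-source sliding-window rate
// check over the log. A source is reported as flooding once, the first time
// it exceeds maxPerWindow requests inside window.
func Analyze(lines []string, window time.Duration, maxPerWindow int) ([]Alert, error) {
	var alerts []Alert
	recent := map[string][]time.Time{}
	flooding := map[string]bool{}
	for _, line := range lines {
		ts, ip, path, err := parseLine(line)
		if err != nil {
			return nil, err
		}
		for _, s := range signatures {
			if s.re.MatchString(path) {
				alerts = append(alerts, Alert{s.kind, ip, path})
			}
		}
		kept := recent[ip][:0] // drop timestamps that fell out of the window
		for _, t := range recent[ip] {
			if ts.Sub(t) < window {
				kept = append(kept, t)
			}
		}
		recent[ip] = append(kept, ts)
		if len(recent[ip]) > maxPerWindow && !flooding[ip] {
			flooding[ip] = true
			alerts = append(alerts, Alert{"flood", ip, fmt.Sprintf("%d requests within %s", len(recent[ip]), window)})
		}
	}
	return alerts, nil
}

// SampleLog is a constructed access log (not captured traffic): normal
// browsing, two injection attempts from one host, and a single source
// firing 60 requests in about 10 s.
func SampleLog() []string {
	base := time.Date(2016, 4, 1, 10, 0, 0, 0, time.UTC)
	at := func(d time.Duration) string { return base.Add(d).Format(time.RFC3339) }
	lines := []string{
		at(0) + " 198.51.100.5 GET /index.html 200",
		at(2*time.Second) + " 198.51.100.5 GET /products?id=42 200",
		at(3*time.Second) + " 203.0.113.9 GET /products?id=42%27%20OR%201=1 200",
		at(4*time.Second) + " 203.0.113.9 GET /download?file=../../etc/passwd 404",
	}
	for i := 0; i < 60; i++ {
		lines = append(lines, at(5*time.Second+time.Duration(i)*166*time.Millisecond)+" 203.0.113.250 GET /index.html 200")
	}
	return lines
}

func main() {
	alerts, err := Analyze(SampleLog(), 10*time.Second, 30)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("%-18s %-14s %s\n", a.Kind, a.IP, a.Detail)
	}
}
```

Run it with `go run`: the decoded `' OR 1=1` and the `../../` path each raise a signature alert for 203.0.113.9, and 203.0.113.250 is reported once as a flood when its 31st request lands inside the window, while the two ordinary requests from 198.51.100.5 produce nothing. Decoding before matching matters: the same payload written as `%27%20OR%201=1` would slip past a rule applied to the raw path.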
General, Administrative, and Other Controls

The major categories of general controls are physical controls, administrative controls, and other controls. A brief description of general controls is provided next.

Physical Controls
Physical controls protect computer facilities and resources, including the physical area where computing facilities are located. The controls provide protection against natural hazards, criminal attacks, and some human error.
Network access control software is offered by all major security vendors (e.g., see symantec.com/endpoint-protection).
Sending spam that includes a sales pitch, looks like personal, legitimate e-mail, and may bypass filters is a violation of the U.S. Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003. However, many spammers hide their identity by using hijacked PCs or spam zombies to avoid detection and identification. For protecting your system against botnet attacks, which also spread a huge volume.

Protecting Your Computer from Pop-Up Ads
The use of pop-ups and similar advertising methods is growing rapidly. Sometimes it is even difficult to close these ads when they appear on the screen. Some of these ads may be part of a consumer's permitted marketing agreement, but most are unsolicited. What can a user do about unsolicited pop-up ads? Here are some resources: Panicware, Inc.'s Pop-Up Stopper Free Edition (pop-up-stopper-free-edition.software.informer.com), Softonic's Pop up Blocker (pop-up-blocker.en.softonic.com/download), and AdFender (adfender.com); others are available for a fee. For a list, see snapfiles.com; and for a list of blocker software for Windows, see download.cnet.com/windows/popup-blocker-software. Many ISPs and major browser makers (e.g., Google, Microsoft, Yahoo!, Mozilla) offer tools to stop pop-ups.

Protecting Against Other Social Engineering Attacks
With the increasing number of social engineering attacks via websites and in social networks comes the need for better protection. The open-source environment and the interactive nature of the technology also create risks. Thus, EC security becomes a necessity for any successful social networking initiative.
Social networking spans many different applications and services. Therefore, many methods and tools are available to defend such systems. Many of the solutions are technical in nature and are outside the scope of this book.

Protecting Against Phishing
Because there are many phishing methods, there are many defense methods as well. Illustrative examples are provided by Symantec (2009) and the FTC Consumer Information at consumer.ftc.gov/articles/0003-phishing. For risk and fraud insights, see sas.com/en_us/insights/risk-fraud.html.

Protecting Against Spyware
In response to the emergence of spyware, a large variety of antispyware software exists. Antispyware laws, available in many jurisdictions, usually target any malicious software that is installed without the knowledge of users. The U.S. Federal Trade Commission advises consumers about spyware infections. For details and resources, see ftc.gov/news-events/media-resources/identity-theft-and-data-security/spyware-and-malware.

Protecting Against Cyberwars
This is a difficult task since these attacks usually come from foreign countries. The U.S. government is developing tools that will mine social media sites to predict cyberattacks. The tools will monitor Facebook, Twitter, and other social network sites to interpret content. The idea is to automate the process.

Business Continuity and Disaster Recovery

Disasters may occur without warning. A prudent defense is to have a business continuity plan, mainly consisting of a disaster recovery plan. Such a plan describes the details of the recovery process from major disasters such as loss of all (or most) of the computing facilities or the data.

Example: Hospital Paid Ransom after Malware Attack
Hollywood Presbyterian Medical Center paid a ransom of $17,000 in Bitcoin (so the blackmailer-hacker cannot be identified; see Chapter 11 for bitcoins). The hacker encrypted the data that were not backed up. The hospital's disaster recovery plan failed, so there was no choice (per the hospital management) but to pay the ransom. For details see Jennings (2016).

SECTION 10.6 REVIEW QUESTIONS

1. Define access control.
2. What are the basic elements of an authentication system?
3. Define biometric systems and list five of their methods.
4. Define a symmetric (one-key) encryption.
5. List some of the disadvantages of the symmetric system.
6. What are the key components of PKI?
7. Describe the PKI process.
8. How does a digital signature work?
9. Describe digital certification.
10. List the basic types of firewalls and briefly describe each.
11. How does a VPN work and how does it benefit users?
12. Briefly describe the major types of IDSs.
13. What are general controls? List the various types.
14. How does one protect against spam?
15. How does one protect against pop-ups?
16. How does one protect against phishing, spyware, and malvertising?

10.7 CONSUMER AND SELLER PROTECTION FROM ONLINE FRAUD

Internet fraud is a major problem in e-commerce and it is growing rapidly. The fraud is mostly against consumers, but there is some against sellers and merchants. Governments are especially eager to educate the public about the many types of fraud, which target senior citizens in particular. General information on common frauds is provided by agencies such as the FBI (see fbi.gov/scams-safety/fraud/internet_fraud). The FBI also operates the Internet Crime Complaint Center, IC3, at ic3.gov. Internet fraud is a growing problem (about 25% of all consumers are victims). The problem is growing due to the blending of social commerce and e-commerce and the increased use of m-commerce (see Frenkel 2016). For an overview, see paypal.com/c2/webapps/mpp/paypal-safety-and-security.
It is necessary to protect EC consumers, which the IC3 attempts to do by informing the public about Internet scams and by publishing public service announcements.

Consumer (Buyer) Protection

Consumer protection is critical to the success of any commerce, especially electronic commerce, where transactions between buyers and sellers are not face-to-face. The Federal Trade Commission (FTC) enforces consumer protection laws in the United States. The FTC provides a list of common online scams (see onguardonline.gov/articles/0002-common-online-scams). In addition, the European Union and the United States are attempting to develop joint consumer protection policies. For details, see the Trans Atlantic Consumer Dialogue website at tacd.org.

Representative Tips and Sources for Your Protection

A representative list follows:

• Users should make sure that they enter the real website of well-known companies, such as Walmart, Disney, and Amazon.com, by going directly to the site, rather than through a link.
• Check any unfamiliar site for an address and telephone and fax numbers. Call and quiz a salesperson about the company and the products.
• Investigate sellers with the local chamber of commerce, Better Business Bureau (bbb.org), or TRUSTe (truste.com).
• Investigate how secure the seller's site is and how well it is organized.
• Examine the money-back guarantees, warranties, and service agreements before making a purchase.
• Compare prices online with those in regular stores—prices that are too low may be too good to be true.
• Ask friends what they know about the websites. Find testimonials and endorsements (be careful, some may be biased).
• Find out what remedy is available in case of a dispute.
• Consult the National Consumers League Fraud Center (fraud.org).
• Check the resources available at consumerworld.org.
• Amazon.com provides comprehensive protection. See payments.amazon.com/merchant.

In addition to these tips, consumers and shoppers also have rights on the Internet, as described in the following list of sources:
For specific tips on how to spot fake sites and products, see Horowitz and Horowitz (2015).
Disclaimer: This is general information on consumer rights. It is not legal advice on how any particular individual should proceed. If you require specific legal advice, consult an attorney.

Third-Party Assurance Services

Several public organizations and private companies also attempt to protect consumers. The following are just a few examples.

Protection by a Third-Party Intermediary
Intermediaries who manage electronic markets try to protect buyers and sellers. A good example is eBay, which provides an extensive protection program (see the eBay Money Back Guarantee at pages.ebay.com/coverage/index.html, and a Dispute Resolution Center).

TRUSTe's "Trustmark"
TRUSTe (truste.com) is a for-profit company whose mission is to ensure that "businesses adhere to best practices regarding the collection and use of personal information on their website" (see truste.com/about-TRUSTe).
The TRUSTe program is voluntary. The licensing fee for use of the Trustmark is paid by sellers, depending on the size of the online business.

Evaluation by Consumers
A large number of sites include product and vendor evaluations offered by consumers. For example, on Yelp!, community members rate and comment on businesses.

The Computer Fraud and Abuse Act (CFAA)

The Computer Fraud and Abuse Act (CFAA), passed in 1984 and amended several times, is an important milestone in EC legislation. Initially, the scope and intent of the CFAA was to protect government computers and financial industry computers from criminal theft by outsiders. In 1986, the CFAA was amended to include stiffer penalties for violations, but it still only protected computers used by the federal government or financial institutions. As the Internet expanded in scope, so did the CFAA.

Seller Protection

The Internet makes it easier for buyers and sellers engaging in EC to commit fraud. Sellers must be protected against:

• Customers who deny that they placed an order.
• Customers who download copyrighted software and sell it to others.
• Customers who give fraudulent payment information (a false credit card or a bad check) for products and services that they buy.
almost impossible for an applicant to impersonate another person. Overall, trust in online transactions and in EC in general would increase significantly. Authentication can be achieved in several ways, including the use of biometrics.

Fraud Detecting Systems

There are a large number of fraud detection systems, such as the use of data mining for credit card fraud. CyberSource also has developed several tools for detecting fraud. For details, see CyberSource periodic reports and authorize.net/resources/files/fdswhitepaper.pdf.

SECTION 10.7 REVIEW QUESTIONS

There is a potential lack of cooperation from credit card issuers, suppliers, local and especially foreign ISPs, and other business partners. If the source ISP would cooperate and suspend the hacker's access, it would be very difficult for hackers to gain access to the systems.

Senior Management Commitment and Support

The success of an EC security strategy and program depends on the commitment and involvement of senior management. Many forms of security are unpopular because they are inconvenient, restrictive, time-consuming, and expensive. Security practices may not be a top organizational priority unless they are mandated.
Therefore, an EC security and privacy model for effective enterprisewide security should begin with senior management's commitment and support, as shown in Figure 10.10. The model views EC security (as well as the broader IT security) as a combination of commitment and support, policies and training, procedures and enforcement, and tools, all executed as a continuous process.

Mobile Security Issues

Typical security issues range from wireless transmissions not being encrypted, to lack of firewalls or passwords on mobile devices, or connecting to an unsecured WiFi network.
Reisinger (2014) lists additional security issues such as data theft and unlocked or jailbroken devices. The proliferation of BYOD also brings threats to the enterprise (see Westervelt 2013).

The Defense

To defend mobile systems it is necessary to implement tools and procedures such as those described in Section 10.6, and modify them for the mobile environment. A practical checklist for reducing security risks is offered by Lenovo (2013). Finally, a major problem is the theft of mobile devices. Two solutions are at work: first, automatic security that enables only the owners to use their devices and, second, making a kill switch a mandatory feature in all smartphones (scheduled for 2015). In 2016, this feature was still only available in California.

SECTION 10.8 REVIEW QUESTIONS

1. If senior management is not committed to EC security, how might that impact the e-business?
2. What is a benefit of using the risk exposure method for EC security planning?
3. Why should every company implement an acceptable use policy?
4. Why is training required?
5. List the major reasons why it is difficult to stop computer crimes.

MANAGERIAL ISSUES

Some managerial issues related to this chapter are as follows.

1. What steps should businesses follow in establishing a security plan? Security management is an ongoing process involving three phases: asset identification, risk assessment, and implementation. By actively monitoring existing security policies and procedures, companies can determine which of them are successful or unsuccessful and, in turn, which should be modified or eliminated. However, it also is important to monitor changes in business processes and business environments and adjust the plans accordingly. In this way, an organization can keep its security policies and measures up-to-date.
2. Should organizations be concerned with internal security threats? Except for malware, breaches committed by insiders may be much more frequent than those done by outsiders. This is true for both B2C and B2B sites. Security policies and measures for EC sites need to address insider threats. In addition, insiders can be victims of security crimes. Therefore, companies should educate employees, especially new hires, about such threats.
3. What is the key to establishing strong e-commerce security? Most discussions about security focus on technology, with statements like, "all messages should be encrypted." Although technologies are important, no security solution is useful unless it is adopted by the employees. Determining business requirements is the first step in creating a security solution. Business requirements, in turn, determine information requirements.

SUMMARY

In this chapter, you learned about the following EC issues as they relate to the chapter's learning objectives.

1. The importance and scope of EC information security. For EC to succeed, it must be secure. Unfortunately, this is not an easy task due to many unintentional and intentional hazards. Security incidents and breaches interrupt EC transactions and increase the cost of doing business online. Internet design is vulnerable, and the temptation to commit computer crime is increasing with the increased applications and volume of EC. Criminals are expanding operations, creating an underground economy of valuable stolen information. A strategy is needed to handle the costly defense technology and operation, which includes training, education, project management, and the ability to enforce security policy. EC security will remain an evolving discipline because threats are changing continuously. Therefore, e-business needs to adapt. An EC security strategy is needed to optimize EC security programs for efficiency and effectiveness.
2. Basic EC security issues. The security issue can be viewed as a battleground between attackers and attacks on one side and defenders and defense on the other. There are many variations on both sides and many possible collision scenarios. Owners of EC sites need to be concerned with multiple security issues: authentication, verifying the identity of the participants in a transaction; authorization, ensuring that a person or process has access rights to particular systems or data; and auditing, being able to determine whether particular actions have been taken and by whom.
3. Threats, vulnerabilities, and technical attacks. EC sites are exposed to a wide range of attacks. Attacks may be nontechnical (social engineering), in which a criminal lures people into revealing sensitive personal information. Alternatively, attacks may be technical, whereby
Summary 325
software and systems expertise are used to attack net- 8. Fraud on the Internet and how to protect consumers
works, databases, or programs. DoS attacks bring opera- and sellers against it. Protection is needed because
tions to a halt by sending a flood of data to target specific there is no face-to-face contact between buyers and sell-
computers and websites. Malicious code attacks include ers; there is a great possibility of fraud; there are insuf-
viruses, worms, Trojan horses, or some combination of ficient legal constraints; and new issues and scams
these. Over the past few years, new malware trends have appear constantly. Several organizations, private and
emerged, such as Blackhole and ZeroAccess (see Wang public, attempt to provide the protection needed to build
2013). The new trends include an increase in the speed the trust that is essential for the success of widespread
and volume of new attack methods; and the shorter time EC. Of note are electronic contracts (including digital
between the discovery of a vulnerability and the release signatures), the control of gambling, and what taxes
of an attack (to exploit the vulnerability). Finally, the should be paid to whom on interstate, intrastate, and
new trends include the growing use of bots to launch international transactions. The practice of no sales tax
attacks; an increase in attacks on mobile systems, social on the Internet is changing. States are starting to collect
networks, and Web applications; and a shift to profit- sales tax on Internet transactions.
motivated attacks. Many procedures are used to protect consumers. In
4. Internet fraud, phishing, and spam. A large variety of addition to legislation, the FTC tries to educate consum-
Internet crimes exist. Notable are identify theft and mis- ers so they know the major scams. The use of seals on
use, stock market frauds, get-rich-quick scams, and sites (such as TRUSTe) can help, as well as tips and
phishing. Phishing attempts to obtain valuable informa- measures taken by vendors. Sellers can be cheated by
tion from people by masquerading as a trustworthy buyers, by other sellers, or by criminals. Protective mea-
entity. Personal information is extracted from people (or sures include using contacts and encryption (PKI) keep-
stolen) and sold to criminals, who use it to commit ing databases of past criminals, sharing information
financial crimes such as transferring money to their own with other sellers, educating employees, and using arti-
accounts. A related area is the use of unsolicited adver- ficial intelligence software.
tising or sales via spam. Given the large number of ways to commit Internet
5. Information assurance. The information assurance model fraud, it is difficult to protect against all of them. Fraud
represents a process for managing the protection of data protection is done by companies, security vendors, govern-
and computer systems by ensuring their confidentiality, ment regulations, and perhaps most important, consumer
integrity, and availability. Confidentiality is the assurance education. Knowing the most common methods used by
of data privacy. Integrity is the assurance that data is accu- criminals is the first step of defense. Remember, most
rate or that a message has not been altered. Availability is criminals are very experienced. They are able to invest
the assurance that access to data, the website, or EC sys- in new and clever attack methods.
tems and applications is available, reliable, and restricted 9. Enterprisewide EC security. EC security procedures are
to authorized users whenever they need it. inconvenient, expensive, tedious, and never ending.
6. Securing EC access control and communications. In Implementing a defensive in-depth model that views EC
EC, issues of communication among trading partners security as a combination of commitment, people, pro-
are paramount. In many cases, EC partners do not know cesses, and technology is essential. An effective program
their counterparts, so they need secured communication starts with senior management’s commitment and budget-
and trust building. Trust starts with the authentication of ing support. This sets the tone that EC security is impor-
the parties involved in a transaction; that is, identifying tant to the organization. Other components are security
the parties in a transaction along with the actions they policies and training. Security procedures must be clearly
are authorized to perform. Authentication can be estab- defined. Positive incentives for compliance can help, and
lished with something one knows (e.g., a password), negative consequences need to be enforced for violations.
something one has (e.g., an entry card), or some physical The last stage is the deployment of hardware and soft-
characteristic (e.g., a fingerprint). Biometric systems can ware tools based on the policies and procedures defined
confirm a person’s identity. Fingerprint scanners, iris scan- by the management team.
ners, facial recognition, and voice recognition are exam- 10. Why is it so difficult to stop computer crimes? Respon-
ples of biometric systems. sibility or blame for cybercrimes can be placed on crimi-
7. The different controls and special defense mechanisms. nals, victimized people, and organizations. Online shoppers
The major controls are general (including physical, access fail to take necessary precautions to avoid becoming vic-
controls, biometrics, administrative controls, application tims. Security system designs and architectures are still
controls, and internal controls for security and compli- incredibly vulnerable. Organizations may fail to exercise
ance). Each type has several variations. due care in business or hiring and practices, opening the
3. How are botnets, identity theft, DoS attacks, and website hijackings perpetrated? Why are they so dangerous to e-commerce?
4. Discuss some of the difficulties of eliminating online financial fraud.
5. Enter zvetcobiometrics.com. Discuss the benefits of these products over other biometrics.
6. Find information about the Zeus Trojan virus. Discuss why it is so effective at stealing financial data. Why is it so difficult to protect against this Trojan?
7. Visit the National Vulnerability Database (nvd.nist.gov) and review 5 recent CVE vulnerabilities. For each vulnerability list its published date, CVSS severity, impact type, and the operating system or software with the vulnerability.
8. Report on the status of using biometrics in mobile commerce. (Start with nxt-id.com.)
9. Find several definitions of “information warfare” and discuss the major attributes of the definitions.
10. What contribution does TRUSTe make to e-commerce?

TOPICS FOR CLASS DISCUSSION AND DEBATES

1. A business wants to share its customer data with a trading partner and provide its business customers with access to marketing data. What types of security components (e.g., firewalls, VPNs) could be used to ensure that the partners and customers have access to the account information while those who are unauthorized do not? What types of network administrative procedures will provide the appropriate security?
2. Why is it so difficult to fight computer criminals? What strategies can be implemented by financial institutions, airlines, and other heavy users of EC?
3. All EC sites share common security threats and vulnerabilities. Do you think that B2C websites face different threats and vulnerabilities than do B2B sites? Explain.
4. Why is phishing so difficult to control? What can be done? Discuss.
5. Debate this statement: “The best strategy is to invest very little and only in proven technologies such as encryption and firewalls.”
6. Debate: Can the underground Internet marketplace be controlled? Why or why not?
7. Debate: Is taking your fingerprints or other biometrics to assure EC security a violation of your privacy?
8. Body scans at airports have created controversy. Debate both points of this issue and relate it to EC security.
9. Discuss the issue of providing credit card details on Facebook. Would you do it?
10. Discuss the recent security trends pointed out by Lemos (2016).
11. Examine the identity theft and identity crime topics from the FBI site fbi.gov/about-us/investigate/cyber/identity_theft. Report the highlights.

INTERNET EXERCISES

1. Your B2C site has been hacked with a new, innovative method. List two organizations where you would report this incident so that they can alert other sites. How do you do this and what type of information do you have to provide?
2. Determine the IP address of your computer by visiting at least two websites that provide that feature. You can use a search engine to locate websites or visit ip-adress.com or whatismyipaddress.com. What other information does the search reveal about your connections? Based on this finding, how could a hacker use that information?
3. Conduct a Google search for “Institutional Identity Theft.” Compare institutional identity theft with personal identity theft. How can a company protect itself against identity theft? Write a report.
4. The Symantec Annual Internet Security Threat Report provides details about the trends in attacks and vulnerabilities in Internet security. Obtain a copy of the latest report and summarize the major findings of the report for both attacks and vulnerabilities.
5. Conduct a Google search for examples of underground Internet activities in 5 different countries. Prepare a summary.
6. Enter verisign.com (a Symantec company) and find information about PKI and encryption. Write a report.
7. Enter hijackthis.com. What is offered on the site? Write a report.
8. Enter blackhat.com. Find out what the site is about. Describe some of the site’s activities.
9. Enter ftc.gov and identify some of the typical types of fraud and scams on the Internet. List 10 of them.
10. Enter scambusters.org and identify and list its anti-fraud and anti-scam activities.

TEAM ASSIGNMENTS AND PROJECTS

1. Assignment for the Opening Case
Read the opening case and answer the following questions:
(a) Why did the college have security problems? What types of problems?
(b) What is the security problem concerning social media applications?
(c) Why was the automation (agent-based) solution unsuccessful?
(d) Why were the computer-use policies ineffective?
(e) What was the problem with the bandwidth?
(f) Describe the new security policy. Why does it work?
(g) Discuss the issue of privacy as it applies to this case.
2. Assign teams to report on the latest major spam and scam threats. Look at examples provided by ftc.gov, the latest Symantec report on the State of Spam, and white papers from IBM, VeriSign, McAfee, and other security firms.
3. Watch the video “Cyberattacks and Extortion” (13:55 min) at searchsecurity.techtarget.com/video/Cyberattacks-and-extortion. Answer the following questions:
(a) Why are there more extortions online today? How are they accomplished?
(b) What is involved in targeted e-mail attacks?
(c) What is an SQL injection attack?
4. Data leaks can be a major problem. Find some major defense methods. Check some major security vendors (e.g., Symantec). Find white papers and Webinars on the subject. Write a report.
5. Each team is assigned one method of fighting against online fraud. Each method should involve a different type of fraud (e.g., in banking). Examples: identifying suspicious e-mails, dealing with cookies in Web browsers, credit card protection, securing wireless networks, installing anti-phishing protection for your browser with a phishing filter, and so forth.

CLOSING CASE: HOW ONE BANK STOPPED SCAMS, SPAMS, AND CYBERCRIMINALS

Some say that as many as 90% of phishers are targeting financial institutions. Let us see how one bank is protecting its customers.

BankWest of South Dakota (bankwest-sd.com)

As a privately owned entity, a bank can disregard short-term profit. Instead, a bank provides the utmost in customer care and employee educational programs. However, one problem is challenging: the increasing number of incidents of social engineering experienced by customers. A few examples of scams that were noticed by the BankWest staff, as reported by Kitten (2010), are:

• Sweetheart schemes. There may be a long-term online relationship between a bank’s customer and an overseas user. The overseas user tries to convince the customer to wire funds, share bank account information, and open joint accounts.
• Letters, postal service, or e-mail. A bank customer is notified by an e-mail that he or she has won a large amount of money (e.g., a sweepstakes). Hackers ask for some processing money to release the prize money to the customer.
• Telephone scams. A customer is asked to provide personal information from a government check and receives repeated telephone calls, each asking for different personal information (e.g., Social Security Number). Phone scams usually target elderly customers and depend on the social engineer’s ability to develop a rapport with the customer.
• Cell phone scams. A customer is told that his or her debit card has been compromised and the customer is asked to provide card details for replacement.

The bank now provides information about social engineering schemes on its website (see bankwest-sd.com/etc.htm). Employees direct customers to the site and provide information about fraudulent schemes when the customers come into a branch. The bank also instituted an “Employee Rewards Program” (to be described later).

It is critical to combat social engineering attempts in order to increase customer confidence in Internet security. According to Kitten (2010), “the bank’s information security team regularly attend workshops and participate in forums related to social engineering and other fraud schemes. The information collected is immediately shared with the staff in order to keep the entire bank team abreast of new and emerging fraud threats. All staff members also are required to complete online training in scheme detection that is designed by the bank.”

Also according to Kitten (2010), the training program includes:

• Ability to identify phone scams, especially automated ones (e.g., vishing attempts) that lure customers into divulging sensitive information.
• Ability to identify phishing e-mails and use caution when clicking on links or opening file attachments.
• Monthly training and employee-oriented demonstrations on face-to-face personal social engineering schemes.

Employee Rewards

Employees who identify scams are rewarded with certificates and small monetary rewards; their manager is notified and employees can take pride in the acknowledgement.
The Results

According to the bank’s information security administrator, although the number of schemes has not decreased, the number of employees reporting such schemes has increased significantly.

To read BankWest’s tips on how to protect yourself against identity theft, phishing, and so forth, see bankwest-sd.com/etc.htm.

Sources: Based on Kitten (2010) and BankWest (2016).

Questions

1. List the major security problems faced by BankWest and relate them to the attack methods described in Sections 10.2, 10.3, and 10.4.
2. In what ways is BankWest helping to stop scams before they cause damage?
3. Given the problems of BankWest and its solutions, can you suggest an even better defense mechanism?

ONLINE FILES

Available at ecommerce-introduction-textbook.com

W10.1 Application Case: How Seattle’s Hospital Survived a Bot Attack.

References

Alto, P. “Infographic: The Real Cost of Cyberattacks.” Enterprise Innovation, March 21, 2016.
Andress, J. The Basics of Information Security, Second Edition: Understanding the Fundamentals of InfoSec in Theory and Practice. Rockham, MA: Syngress Pub., 2014.
Apps, P., and J. Finkle. “Suspected Russian Spyware Turla Targets Europe, United States.” Reuters.com U.S. Edition, March 7, 2014. reuters.com/article/2014/03/07/us-russia-cyberespionage-insight-idUSBREA260YI20140307 (accessed April 2016).
BankWest. “About Us.” bankwest-sd.com/about.htm (accessed April 2016).
Bort, J. “For the First Time, Hackers Have Used a Refrigerator to Attack Businesses.” Business Insider, January 16, 2014.
Cannell, J. “Cryptolocker Ransomware: What You Need to Know.” October 8, 2013. blog.malwarebytes.org/intelligence/2013/10/cryptolocker-ransom (accessed April 2016).
Casti, T. “Phishing Scam Targeting Netflix May Trick You With Phony Customer Service Reps.” The Huffington Post Tech, March 3, 2014a. huffingtonpost.com/2014/03/03/netflix-phishing-scam-customer-support_n_4892048.html (accessed April 2016).
Casti, T. “Scammers are Targeting Netflix Users Again, Preying on the Most Trusting among Us.” The Huffington Post Tech, April 17, 2014b. huffingtonpost.com/2014/04/17/netflix-comcast-phishing-_n_5161680.html (accessed April 2016).
Cloud, J. Internet Security: Online Protection from Computer Hacking. North Charleston, USA: CreateSpace Publishing Platform, 2015.
Cluley, G. “Phishing and Diet Spam Attacks Hit Twitter Users.” Cluley Associates Limited, January 9, 2014. grahamcluley.com/2014/01/phishing-diet-spam-attacks-hit-twitter-users (accessed April 2016).
Constantin, L. “Identity Thieves Obtain 100,000 Electronic Filing PINs from IRS System.” IDG News Service, February 10, 2016.
CyberSource. 14th Annual 2013 Online Fraud Report. CyberSource Corporation, 2013.
Dawn Ontario. “Virus Information: Guide to Computer Viruses.” n.d.
Dog Breed Info Center. “Examples of Scam E-Mails.” n.d. dogbreedinfo.com/internetfraud/scamemailexamples.htm (accessed April 2016).
EMC/RSA. “2013 A Year in Review.” Report # JAN RPT 0114, January 2014. emc.com/collateral/fraud-report/rsa-online-fraud-report-012014.pdf (accessed April 2016).
Fink, E. “Google Glass Wearers Can Steal Your Password.” CNN News, July 7, 2014. money.cnn.com/2014/07/07/technology/security/google-glass-password-hack (accessed May 2016).
Finkle, J. “‘Pony’ Botnet Steals Bitcoins, Digital Currencies: Trustwave.” Reuters.com US Edition, February 24, 2014. reuters.com/article/2014/02/24/us-bitcoin-security-idUSBREA1N1JO20140224 (accessed April 2016).
Forrest, C. “Phishing Gets More Dangerous: New Report Analyzes the Weapons of Choice.” TechRepublic, January 27, 2016.
Frenkel, K. A. “2016 Has the Markings of a Perfect Storm for Fraud.” CIO Insight, January 28, 2016.
Goldman, D. “Hacker Hits on U.S. Power and Nuclear Targets Spiked in 2012.” January 9, 2013. money.cnn.com/2013/01/09/technology/security/infrastructure-cyberattacks (accessed April 2016).
Goldman, J. “Data Breach Roundup: January 2014.” February 14, 2014a. esecurityplanet.com/network-security/data-breach-roundup-january-2014.html (accessed April 2016).
Goldman, D. “Take Down Any Website for $3.” CNN News, December 31, 2014b. money.cnn.com/2014/12/31/technology/lizard-squad-attack (accessed April 2016).
Goodchild, J. “Policy-Based Security and Access Control.” April 5, 2011. csoonline.com/article/2128022/mobile-security/case-stud-olicy-based-security-and-access-control.html (accessed April 2016).
Goodman, M. Future Crimes: Inside the Digital Underground and the Battle for our Connected World. New York: Anchor Reprint, 2016.
Greengard, S. “Breaches of Health Care Data: A Growing Epidemic.” Baseline, February 12, 2016.
Harrison, V., and J. Pagliery. “Nearly 1 Million New Malware Threats Released Everyday.” CNN News, April 14, 2015.
Harwood, M. Internet Security: How to Defend Against Attackers on the Web (Jones & Bartlett Learning Information Systems Security & Assurance), 2nd edition. Burlington, MA: John Bartlett Learning, 2015.
Hinckley, S. “Pay by Selfie? Amazon Says Your Portrait Can Protect Online Purchases.” CSMonitor, March 15, 2016.
Horowitz, D., and A. Horowitz. “Online Merchandise Scams Target Students.” The Costco Connection, December 2015.
Jennings, R. “This Hollywood Hospital Didn’t Backup Its Data? ‘Ransomware’ Payday for Evil Hackers.” Computerworld, February 18, 2016.
John, A. Internet Security. Publisher: Self-Publishing, 2016.
Jones, M. “Facebook Tests Tool that Identifies Fake Accounts.” Value Walk, March 24, 2016.
Kaiser, T. “Hackers Use Refrigerator, Other Devices to Send 750,000 Spam Emails.” January 17, 2014. dailytech.com/Hackers+Use+Refrigerator+Other+Devices+to+Send+750000+Spam+Emails+/article34161.htm (accessed April 2016).
Kan, M. “Alibaba Uses Facial Recognition Tech for Online Payments.” Computer World, March 16, 2015.
Katz, O. “Analyzing a Malicious Botnet Attack Campaign through the Security Big Data Prism.” January 6, 2014. blogs.akamai.com/2014/01/analyzing-a-malicious-botnet-attack-campaign-through-the-security-big-data-prism.html (accessed April 2016).
Kavilanz, P. “Cyberattacks Devastated My Business!” (Last updated May 28, 2013). money.cnn.com/gallery/smallbusiness/2013/05/28/cybercrime/index.html?iid=Lead (accessed April 2016).
Kitten, T. “Case Study: How to Stop Scams.” July 14, 2010. bankinfosecurity.com/case-study-how-to-stop-scams-a-2748 (accessed April 2016).
Kravets, D. “How China’s Army Hacked America.” May 19, 2014. arstechnica.com/tech-policy/2014/05/how-chinas-army-hacked-american-companies (accessed June 2014).
Lawinski, J. “Security Slideshow: Malicious Attacks Skyrocket as Hackers Explore New Targets.” CIO Insight, May 7, 2012.
Lemos, R. “Phishing Attacks Continue to Sneak Past Defenses.” eWeek, February 11, 2016.
Lenovo. “Lenovo Recommends 15 Steps to Reducing Security Risks in Enterprise Mobility.” White Paper, August 2013. Available for download in .pdf format at techrepublic.com/resource-library/whitepapers/lenovo-recommends-15-steps-to-reducing-security-risks-in-enterprise-mobility/post (accessed April 2016).
Maxwell, D. Hacking: Bootcamp—How to Hack Computers, Basic Security and Penetration Testing (Hacking The Common Core). [Kindle Edition] Seattle, WA: Amazon Digital Services, 2016.
Nakashima, E., and M. Zapotosky. “U.S. Charges Iran-Linked Hackers with Targeting Banks, N.Y. Dam.” The Washington Post, March 24, 2016.
Pagliery, J. “Drug Site Silk Road Wiped Out by Bitcoin Glitch.” CNN Money, February 14, 2014a. money.cnn.com/2014/02/14/technology/security/silk-road-bitcoin (accessed April 2016).
Pagliery, J. “Your Car Is a Giant Computer- and It Can Be Hacked.” CNN Money, June 2, 2014b.
Pontrioli, S. “Social Engineering, Hacking the Human OS.” December 20, 2013. blog.kaspersky.com/social-engineering-hacking-the-human-os (accessed April 2016).
PWC. “Key Findings from the 2013 US State of Cybercrime Survey.” June 2013. pwc.com/en_US/us/increasing-it-effectiveness/publications/assets/us-state-of-cybercrime.pdf (accessed April 2016).
Reisinger, D. “10 Mobile Security Issues that Should Worry You.” eWeek, February 11, 2014.
Reuters. “Malware Suspected in Bangladesh Bank Heist.” Fortune.com, March 12, 2016. fortune.com/2016/03/12/malware-bangladesh-bank-heist (accessed April 2016).
Russell, K. “Here’s How to Protect Yourself from the Massive Security Flaw That’s Taken over the Internet.” Business Insider, April 8, 2014.
Schwartz, M. J. “Target Breach: Phishing Attack Implicated.” Information Week Dark Reading, February 13, 2014. darkreading.com/attacks-and-breaches/target-breach-phishing-attack-implicated/d/d-id/1113829 (accessed April 2016).
Scott, J. Cybersecurity 101: What You Absolutely Must Know!- Volume 1: Learn to be Pwned, Thwart Spear Phishing and Zero Day Exploits, Cloud Security Basics and Much More. [Kindle Edition] Seattle, WA: Amazon Digital Services, 2016a.
Scott, J. Cybersecurity 101: What You Absolutely Must Know!- Volume 2: Learn JavaScript Threat Basics, USB Attacks, Easy Steps to Strong Cybersecurity, Defense Against Cookie Vulnerabilities, and Much More! [Kindle Edition] Seattle, WA: Amazon Digital Services, 2016b.
Scott, W. Information Security 249 Success Secrets- 249 Most Asked Questions on Information Security- What You Need to Know. Brisbane, Queensland, Australia: Emereo Publishing, 2014.
Singer, P. W., and A. Friedman. Cybersecurity and Cyberwar: What Everyone Needs to Know. 1st Edition, New York: Oxford University Press, 2014.
Smith, C. “It Turns Out Target Could Have Easily Prevented Its Massive Security Breach.” March 13, 2014. bgr.com/2014/03/13/target-data-hack-how-it-happened (accessed April 2016).
Smith, R. Elementary Information Security, 2nd edition. Burlington, MA: Jones Bartlett, 2015.
SUNY College at Old Westbury. “Website Privacy Policy Statement.” 2014. oldwestbury.edu/policies/website-privacy-policy-statement (accessed May 2016).
Swann, C. T. Marlins Cry a Phishing Story. Spokane, WA: Cutting Edge Communications, Inc., 2012.
Symantec. “Infographic: The State of Financial Trojans 2013.” Updated January 8, 2014. symantec.com/connect/blogs/state-financial-trojans-2013 (accessed April 2016).
Symantec. “Web-Based Attacks.” White paper, #20016955, February 2009. symantec.com/content/en/us/enterprise/media/security_response/whitepapers/web_based_attacks_02-2009.pdf (accessed April 2016).
TechRepublic Staff. “The 15 Most Frightening Data Breaches.” TechRepublic, October 29, 2015.
Teo, F. “Monitoring Your Internal Network with Intelligent Firewalls.” Enterprise Innovation, January 18, 2016.
Timberg, C. “Foreign Regimes Use Spyware against Journalists, Even in U.S.” February 12, 2014. washingtonpost.com/business/technology/foreign-regimes-use-spyware-against-journalists-even-in-us/2014/02/12/9501a20e-9043-11e3-84e1-27626c5ef5fb_story.html (accessed April 2016).
Troinovski, A. “German Parliament Struggles to Purge Hackers from Computer Network.” The Wall Street Journal, June 12, 2015.
Van Allen, F. “The 18 Scariest Computer Viruses of All Time.” TechRepublic, January 22, 2016.
Victor, D. “Authorities Shut Down Darkode, a Marketplace for Stolen Personal Data.” New York Times, July 15, 2015.
Wagstaff, K. “Why Is the U.S. Going After Chinese Hackers? Jobs?” NBC News, May 19, 2014.
Wang, R. “Malware B-Z: Inside the Threat from Blackhole to ZeroAccess.” A Sophos White Paper, Sophos Ltd., January 2013. sophos.com/en-us/medialibrary/Gated%20Assets/white%20papers/sophos_from_blackhole_to_zeroaccess_wpna.pdf (accessed April 2016).
Westervelt, R. “Top 10 BYOD Risks Facing the Enterprise.” July 26, 2013. crn.com/slide-shows/security/240157796/top-10-byod-risks-facing-the-enterprise.htm (accessed April 2016).
Winton, R. “Hollywood Hospital Pays $17,000 in Bitcoin to Hackers: FBI Investigation.” Los Angeles Times, February 18, 2016.
Wollen, J. “10 Social Engineering Exploits Your Users Should Be Aware Of.” TechRepublic, January 27, 2016.
Yan, S. “Chinese Man Admits to Cyber Spying on Boeing and Other U.S. Firms.” Money CNN News, March 24, 2016.
Yadron, D. “Newest Hacker Target: Ads.” The Wall Street Journal Tech, January 31, 2014. online.wsj.com/news/articles/SB10001424052702303743604579350654103483462 (accessed April 2016).