Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                

E-Commerce Security and Fraud Issues and Protections: Learning Objectives

Download as pdf or txt
Download as pdf or txt
You are on page 1of 38

E-Commerce Security and Fraud Issues

and Protections 10

Contents Learning Objectives


 pening Case: How State University of New York
O
College at Old Westbury Controls Its Internet Use................... 293 Upon completion of this chapter, you will be able to:
1. Understand the importance and scope of security of infor-
10.1 The Information Security Problem.................................. 294
mation systems for EC.
10.2 Basic E-Commerce Security Issues and Landscape....... 299 2. Describe the major concepts and terminology of EC
10.3 Technical Malware Attack Methods: security.
From Viruses to Denial of Service.................................... 303 3. Understand about the major EC security threats, vulner-
10.4 Nontechnical Methods: From Phishing to Spam abilities, and technical attacks.
and Fraud........................................................................... 307 4. Understand Internet fraud, phishing, and spam.
10.5 The Information Assurance Model 5. Describe the information assurance security principles.
and Defense Strategy......................................................... 312 6. Describe the major technologies for protection of EC
10.6 Defending Information Systems and E-Commerce........ 314 networks, including access control.
7. Describe various types of controls and special defense
10.7 Consumer and Seller Protection from Online Fraud...... 319
mechanisms.
10.8 Implementing Enterprisewide E-Commerce Security.... 322 8. Describe consumer and seller protection from fraud.
Managerial Issues.......................................................................... 324 9. Discuss enterprisewide implementation issues for EC
 losing Case: How One Bank Stopped Scams, Spams,
C security.
and Cybercriminals...................................................................... 328 10. Understand why it is so difficult to stop computer crimes.
11. Discuss the future of EC.
References...................................................................................... 329

 PENING CASE: HOW STATE UNIVERSITY


O
OF NEW YORK COLLEGE AT OLD WESTBURY
CONTROLS ITS INTERNET USE

The State University of New York (SUNY) College at Old


Westbury (oldwestbury.edu) is a relatively small U.S. uni-
versity located in Long Island, New York. The college has
3300 students and 122 full-time faculty. Internet access is
essential for both faculty and students.

The Problem

The College does not regulate the types of devices people


Electronic supplementary material: The online version of this chapter
(doi:10.1007/978-3-319-50091-1_10) contains supplementary material, use in its network, such as laptops, tablets, and smartphones,
which is available to authorized users. nor the purposes for which the devices are used. Thus, ­students,

© Springer International Publishing AG 2017 293


E. Turban et al., Introduction to Electronic Commerce and Social Commerce,
Springer Texts in Business and Economics, DOI 10.1007/978-3-319-50091-1_10
294 10  E-Commerce Security and Fraud Issues and Protections

faculty, and networks are vulnerable to a variety of security The users are contacted via e-mail and alerted to the prob-
issues, many of which originate from social media websites lem. The system may even block the user’s access. In such an
such as Facebook and YouTube. The College encourages the event, the user can go to the student computer lab for prob-
use of social media as a collaborative, sharing, and learning lem resolution.
environment. Bandwidth is controlled only when classes are in session.
Social media is also a leading target for malware writers. Sources: Based on Goodchild (2011), SUNY (2014), and
With the large number of downloads, social media has oldwestbury.edu (accessed April 2016).
become an ideal place for cybercriminals to insert viruses and
hack into systems. Phishers use social engineering techniques
to deceive users into clicking on, or downloading malware. LESSONS LEARNED FROM THE CASE
Because of the various devices used by the students and
faculty, the College’s attempts to manage network security This case demonstrates two problems: possible mal-
were unsuccessful. Specifically, the attempt to use intelligent ware attacks and insufficient bandwidth. Both problems
agents (which some students objected to having on their can reduce the effectiveness of SUNY’s computerized
computers) as guards failed. system, interfering with students’ learning and faculty
The College had computer-use policies in place, but these teaching and research. The solution, in which the uni-
were established in the past for older computing environ- versity can monitor when users are on the university
ments. Since the old policies were not effective, the univer- network, look for any unusual activity, and take appro-
sity decided to rewrite its old usage policy to meet the needs priate action if needed, demonstrates one of the defense
of current technology. mechanisms used by an organization. The new polices
Bandwidth usage was a problem due to the extensive conflict with student privacy—a typical situation in
downloading of videos by faculty and students. The high security systems: the tighter the security, the less pri-
level usage for noneducational related activities sometimes vacy and flexibility people have. In this chapter, we
interfered with classroom or research needs. introduce the broad battlefield between attacks on infor-
mation systems and the defense of those systems. We
also present the issues of fraud in e-commerce and strat-
The Solution egies and policies available to organizations for deploy-
ing security measures.
All students, faculty, and staff received a user ID for com-
puter utilization. Next, a new usage policy was implemented.
This policy was communicated to all users and was enforced
by monitoring the usage for each ID, watching network traf-
fic, and performing behavioral analysis. 10.1 T
 HE INFORMATION SECURITY
The policy covered all users, all devices, and all types of PROBLEM
usage, including mobile devices and the Internet. According
to SUNY College at Old Westbury (2014), the policy states Information security refers to a variety of activities and
that users should not expect full privacy when it comes to methods that protect information systems, data, and proce-
their e-mail messages or other online private information, dures from any action designed to destroy, modify, or degrade
including Internet usage records, and sets forth what infor- the systems and their operations. In this chapter, we provide
mation is collected by the university. Given that the IDs iden- an overview of the generic information security problems
tify the type of users (e.g., student or faculty), management and solutions as they relate to EC and IT. In this section, we
was able to set priorities in allocating bandwidth. look at the nature of the security problems, the magnitude of
Old Westbury is not alone in utilizing a policy to control the problems, and introduce some essential terminology of
Internet usage. Social Media Governance (socialmediagov- information security. For an overview, see John (2016) and
ernance.com) is a website that provides tools and instruc- Smith (2015).
tions regarding the control of computing resources where
social media is concerned.
What Is EC Security?

The Results Computer security in general refers to the protection of data,


networks, computer programs, computer power, and other
The modified system monitors performance and automati- elements of computerized information systems. It is a very
cally sends alerts to management when deviations from the broad field due to the many methods of attack as well as the
policy occur (e.g., excessive usage). Also, it conducts behav- many modes of defense. The attacks on and defenses for com-
ioral analysis and reports behavioral changes of users. puters can affect individuals, organizations, countries, or the
10.1  The Information Security Problem 295

Figure 10.1  Major EC security


Protecting
management concerns Generic viruses Fraud by
customer data
and malware buyers
and privacy

Spam, DoS,
Fraud by
Clogged
sellers
systems

Secured
Attacks on E-Commerce Attacking
social mobile devices,
networks systems

Social Business
engineering, continuity
Phishing (interrupting
EC)

Cross border Advance


espionage and defense
cyberwars systems

entire Web. Computer security aims to prevent, repair, or at


least minimize the attacks. • Cyber Security Preparedness and the National
Information security has been ranked consistently as one Cyber Alert System. Computer users can stay up-­
of the top management concerns in the United States and to-­date on cyberthreats through this program.
many other countries. Figure 10.1 illustrates the major topics • United States Computer Emergency Readiness
cited in various studies as being the most important in infor- Team (U.S.-CERT Operations). Provides informa-
mation security. tion about vulnerabilities and threats, proactively
manages cyber risks to the nation, and operates a
The Status of Computer Security in the United States database to provide technical descriptions of vulner-
abilities.
Several private and government organizations try to assess • National Cyber Response Coordination Group
the status of computer security in the United States annu- (NCRCG). Comprised of representatives from 13
ally. Notable is the annual CSI report, which is described federal agencies, it reviews threat assessments and
next. recommends actions to incidents, including alloca-
Comprehensive annual security surveys are published tion of federal resources.
periodically by IBM, Symantec, and other organizations. • CyberCop Portal. A portal designed for law enforce-
In addition to organizational security issues, there is also ment and government officials to use the Internet to
the issue of personal security. collaborate and share sensitive information with one
another in a secure environment.
Personal Security

Fraud on the Web is aimed mostly at individuals. In addition,


loose security may mean danger to personal safety due to sex According to Goldman (2013), hackers are increasingly
offenders who find their victims on the Internet. attacking the most critical infrastructures of the United States
(e.g., power, nuclear, and water facilities). In 2012, a group
National Security of unidentified hackers broke into the corporate systems of
some natural gas pipeline companies and stole data on how
Protection of U.S. computer networks is handled by the their control systems work. Goldman also states that accord-
Department of Homeland Security (DHS). It includes the ing to industry researchers, many companies choose not to
following programs: report cyberattacks.
296 10  E-Commerce Security and Fraud Issues and Protections

On February 17, 2013, President Obama issued an execu- Security Risks in Mobile Devices
tive order for combating cyberwars. This order gave “federal
agencies greater authority to share ‘cyber threat’ information The major mobile devices security concerns are loss of
with the public sector.” devices that include sensitive information (66%); mobile
devices infected by malware (60%); theft of data from the
Security Risks for 2014 and 2015 device (44%); users downloading malicious apps (33%);
identity theft and other user personal loss (30%).
The major security risks for the near future are:

Cyberwars and Cyberespionage Across Borders


• Cyberespionage and cyberwars (discussed below)
are growing threats. Using computers as a tool to attack information systems and
• Attacks are now also against mobile assets, including computers is growing rapidly and becoming more and more
on smartphones, tablets, and other mobile devices. dangerous.
Enterprise mobile devices are a particular target.
• Attacks on social networks and social software tools. Cyberwarfare
User-generated content is a major source of malware.
• Attacks on BYOD (“Bring Your Own Device”). According to the UN Crime and Justice Research Institute
• Identity theft is exploding, increasing the criminal (Unicri), Cyberwarfare or (Cyberwar) refers to any action
use of the stolen identities. by a nation, state, or international organization to pene-
• Profit motive—as long as cybercriminals can make trate another nation’s computer networks for the purpose
money, security threats and phishing attacks will of causing damage or disruption. However, broader defini-
continue to grow. tions claim that cyberwarfare also includes acts of “cyber-
• Social engineering tools such as phishing via e-mail hooliganism,” cybervandalism, or cyberterrorism. The
are growing rapidly. attack usually is done through viruses, DoS, or botnets.
• Cybergang consolidation—underground groups are
multiplying and getting bigger, especially in Internet • Cyberwarfare, which is an illegal activity in most coun-
fraud and cyberwars. tries, includes the following major threats: Online acts of
• Business-oriented spam (including image-based espionage and security breaches—which are done to
spam). obtain national material and information of a sensitive or
• Attacks using spyware tools (e.g., using Denial-of-­ classified nature through the exploitation of the Internet
Service method). (e.g., exploitation of network flaws through malicious
• Attacks on new technologies such as cloud comput- software).
ing, IoT, and virtualization. • Sabotage—the use of the Internet to disrupt online com-
• Attacks on Web and mobile applications (apps). munications with the intent to cause damage.
• Attacks on SCADA (Supervisory Control and Data Acqui­
sition) network and NCIs (National Computational Infras­
We cover all the major topics on the above list in the rest tructure). For example, in 2015, hackers attacked the
of this chapter. According to Lawinski (2012), the major German Parliament’s computer network (Troinovski 2015).
attacks on corporations are on executives (25%), shared
mailboxes (23%), and sales (12%). While most of the attacks For an overview, see Singer and Friedman (2014).
are against large enterprises (50%), hackers attack medium
(32%) and small companies (48%) as well. Additionally, Cyberespionage
93% of companies affected are in the health care or IT indus- Cyberespionage refers to unauthorized spying using a com-
tries. We assume the 2015–2016 data are similar. puter system. Espionage involves obtaining secrets without
For more information, see sans.org, baselinemag.com/ the permission of the holder of the information (individual,
security, enisa.europa.eu/activities/risk-management, and group, or organization). Cyberespionage is an illegal activity
the Information Systems Security Certification Consortium in most countries. For cyberspying on U.S. firms by the
(isc2.org). Chinese, see Yan (2016).
10.1  The Information Security Problem 297

Attacking Information Systems major physical damage to the nuclear program, delaying it
by months or possibly even years. The attack was perpe-
The GhostNet attack was not an isolated case of cross-border trated using a sophisticated computer worm named Stuxnet.
cyberattacks. The U.S. Congress is working on legislation to This is an example of a weapon created by a country to
protect the country from what some call the “Cyber Pearl achieve a goal that otherwise may have been achieved only
Harbor” attack or a digital 9/11. In May 2014, the U.S. gov- by physical weapons. In apparent retaliation, Iranians and
ernment named five military people in China as responsible pro-Palestinian hackers attacked El-Al (Israel’s national air-
for stealing data and spying on several thousand companies line) and the country’s stock exchange. Iran is believed to
in the United States stealing trade secrets (Kravets 2014). have been behind a November 2012 attack on U.S. banks.

Types of Attacks Example 2


A suspected cyberespionage network known as GhostNet
Cyberattacks can be classified into two major interrelated compromised computer systems in 103 countries, including
categories: computer systems belonging to the Dalai Lama’s exile net-
work, embassies, and foreign ministries. The attacks alleg-
1. Corporate espionage. Many attacks target energy-­related edly came from China. For more, see Wagstaff (2014).
companies because their inside information is valuable.
Almost half of all power plants and other infrastructures Example 3
surveyed have been infiltrated by “sophisticated adversar- One of the most complex cyberespionage incidents that has
ies,” with extortion being a common motive. Foreign ever occurred (2014) is the suspected Russian spyware Turla,
hackers targeted a water plant control system in Illinois, which was used to attack hundreds of government computers
causing the pump to fail. The attackers also gained unau- in the United States and Western Europe (see Apps and
thorized access to the system database. The attackers’ Finkle 2014).
Internet address used was tracked back to Russia. The above incidents illustrate the ineffectiveness of some
According to the Wall Street Journal of April 23, 2012, information security systems. For an overview of how cyber-
there were suspected cyberattacks against Iranian oil pro- warfare works, see forbes.com/sites/quora/2013/07/18/how-
duction and refineries. Cyberattackers hacked into 30,000 does-cyber-warfare-work.
of Saudi Aramco’s computers in 2012, and crippled the
national oil company’s networks, but failed to disrupt gas
or oil output. The Drivers of EC Security Problems
In 2011, cyber thieves (known as the “Rove group”)
based in Eastern Europe hijacked at least four million There are many drivers (and inhibitors) that can cause secu-
computers in more than 100 countries before they were rity problems to EC. Here, we describe several major ones:
caught. The attackers used malware and rerouted Internet the Internet’s vulnerable design, the shift to profit-induced
traffic illegally. The cyber thieves stole $14 million before crimes, the wireless revolution, the Internet underground
they were captured. The hackers also attacked U.S. gov- economy, the dynamic nature of EC systems, and the role of
ernment agencies and large corporations. insiders, and the sophistication of the attacks.
In 2013, Chinese hackers allegedly attacked the New
York Times’ computers to intimidate the American news The Internet’s Vulnerable Design
media into not reporting on China’s negative image and
the journalists’ sources of this information. The Internet and its network protocols were never intended
2. Political espionage and warfare. Political espionage to protect against cybercriminals. They were designed to
and cyberwars are increasing in magnitude. Sometimes, accommodate computer-based communications in a trusted
these are related to corporate espionage. In 2014, U.S. community. However, the Internet is now a global place for
hackers in Illinois used DDoS malware to attack the offi- communication, search, and trading. Furthermore, the
cial website of the Crimean referendum. A few days later, Internet was designed for maximum efficiency without
major Russian government Web resources and state media regard for security. Despite improvements, the Internet is
websites were also attacked by DDoS malware. still fundamentally insecure.

Example 1 The Spread of Computerized Medical Data


In December 2010, the Iranian nuclear program was attacked
via computer programs rumored to have been created by the With the requirements to computerize medical and health
United States and Israel. The attack was ­successful, causing care data came the danger of breaches, see Greengard (2016).
298 10  E-Commerce Security and Fraud Issues and Protections

The Shift to Profit-Induced Crimes The Globalization of the Attackers

There is a clear shift in the nature of the operation of com- Many countries have cyberattackers (e.g., China, Russia,
puter criminals. In the early days of e-commerce, many Nigeria, Iran, and India). For an example of Iranian attacks
hackers simply wanted to gain fame or notoriety by defacing on U.S. banks, see Nakashima and Zapotosky (2016).
websites. Online File W10.1 illustrates a case of a criminal
who did not attack systems to make a profit. There are many
more criminals today, and they are more sophisticated. Most The Darknet and the Underground Economy
popular is the theft of personal information such as credit
card numbers, bank accounts, Internet IDs, and passwords. The darknet can be viewed as a separate Internet that can be
According to Privacy Rights Clearinghouse (privacyrights. accessed via the regular Internet and a connection to the
org), millions of records containing personal information are TOR network (TOR is a network of VPNs that allows pri-
breached every year. Criminals today are even holding data vacy and security on the Internet). The darknet has restricted
for ransom and trying to extort payments from their victims. access to trusted people (“friends”) by using nonstandard
An illustrative CNN video (2:30 min) titled “Hackers Are protocols (IP addresses are not listed). Darknet allows anon-
Holding Data for Ransom” is available at money.cnn.com/ ymous surfing. The darknet’s contents are not accessible
video/technology/2012/10/08/t-ransomware-hackers. through Google or other search engines. The TOR technol-
cnnmoney. In 2016, a hospital was forced to pay a ransom ogy is used in file sharing (e.g., in the well-known Pirate
(with Bitcoins) to get back its data, which were not backed Bay). The darknet is often used for political dissent and con-
up (see Winton 2016). CryptoLocker is a new ransomware ducting illegal transactions, such as selling drugs and pirat-
Trojan used for such crimes (see usatoday.com/story/news/ ing intellectual property via file sharing. The latter activity is
nation/2014/05/14/ransom-ware-computer-dark-web- known as the Internet underground economy. In November
criminal/8843633). 2014, law enforcement authorities in Europe and the United
Lemos (2016) provides a slide show that illustrates the 2016 States shut down many of TOR websites. But it seems they
top secret trends that includes ransomware and cyberspying. have not cracked TOR encryptions yet. In 2015, the U.S.
Note that laptop computers, tablets, and smartphones are government shut down a market for stolen personal data
stolen for two reasons: selling them (e.g., to pawn shops, and called Darkode. See Victor (2015).
on eBay) and trying to find the owners’ personal information
(e.g., social security number, driver’s license details, and so The Internet Underground Economy
forth). In January 2014, a former Coca-Cola employee stole
laptops containing information on 74,000 individuals belong- The Internet underground economy refers to the e-markets
ing to current and past employees of the company. The com- for stolen information made up of thousands of websites that
pany did not have a data loss prevention program in place, sell credit card numbers, social security numbers, e-mail
nor were the laptops encrypted. addresses, bank account numbers, social network IDs, pass-
A major driver of data theft and other crimes is the ability words, and much more. Stolen data are sold to spammers or
to profit from the theft. Today, stolen data are sold on the criminals for less than a dollar a piece to several hundred dol-
black market, which is described next. lars each. The purchasers use them to send spam or conduct
illegal financial transactions such as transferring other peo-
Computers Everywhere ple’s money into their own accounts or paying the spammers’
credit card bills. It is estimated that about 30% of all the trans-
As described in Chapter 6, computers are everywhere, from actions in the underground market are made with stolen credit
your home to your work, in study places, entertainment areas cards. Symantec estimates the potential worth of just the
etc. Even your car can be hacked (see Pagliery 2014b). credit cards and banking information for sale is about a bil-
lion annually. Forty-one percent of the underground economy
 he Increased Volume of Wireless Activities
T is in the United States, while 13% is in Romania. For a dis-
and the Number of Mobile Devices cussion of the digital underground, see Goodman (2016).

Wireless networks are more difficult to protect than wireline. The Internet Silk Road
For example, many smartphones are equipped with near-­field
communication (NFC) chips, which are necessary for mobile This is one of the underground sites where hundreds of drug
payments. Additionally, BYOD (Chapter 6) may create secu- dealers and other “black market” merchants conduct their
rity problems. Hackers can exploit the features of smartphones business. In October 2013, law enforcement authorities in the
and related devices (e.g., Bluetooth) with relative ease. United States shut down the site and arrested its founder, who
10.2  Basic E-Commerce Security Issues and Landscape 299

was sentenced to more than 20 years in jail. However, shortly the average annualized cost of cybercrime per company sur-
thereafter, Silk Road was “resurrected” as Silk Road 2.0. veyed was $7.2 million per year, which is an increase of 30%
Transactions on Silk Road are paid only by bitcoins from the previous year’s global cyber cost study. Data breaches
(Chapter 11). In February 2014, hackers stole over 4400 bit- can be very costly to organizations. For how organizations can
coins that were held in escrow (between buyers and sellers); be devastated by cyberattacks, see Kavilanz (2013). For an
over $2.7 million value of bitcoins are gone forever (see infographic regarding the cost of cyberattacks, see Alto
Pagliery 2014a). The owner of the Silk Road site declared (2016).
bankruptcy. However, by May 2014 the site was back in
business.
SECTION 10.1  REVIEW QUESTIONS
Keystroke Logging in the Underground Economy
1 . Define computer security.
Keystroke logging (keylogging) is the process of using a 2. List the major findings of the CSI most recent survey.
device or software program that tracks and records the activity 3. Describe the vulnerable design of the Internet.
of a user in real time (without the user’s knowledge or con- 4. Describe some profit-induced computer crimes.
sent) by the keyboard keys they press. Since personal informa- 5. Describe the Internet underground economy and the dark-
tion such as passwords and user names are entered on a net.
keyboard, the keylogger can use the keystrokes to obtain them. 6. Describe the dynamic nature of EC systems.

The Explosion of Social Networking


10.2 B
 ASIC E-COMMERCE SECURITY
The huge growth of social networking and the proliferation ISSUES AND LANDSCAPE
of platforms and tools make it difficult to protect against
hackers. Social networks are easy targets for phishing and In order to understand security problems better, we need to
other social engineering attacks. understand some basic concepts in EC and IT security. We
begin with some basic terminology frequently related to
security issues.
 he Dynamic Nature of EC Systems
T
and the Acts of Insiders
Basic Security Terminology
EC systems are changing all the time due to a stream of inno-
vations. Security problems often accompany change. In In Section 10.1, we introduced some key concepts and secu-
recent years, we have experienced many security problems rity terms. We begin this section by introducing alphabetically
in the new areas of social networks and wireless systems the major terms needed to understand EC security issues:
(some will be explored later in this book). Note that insiders
(people who work for the attacked organizations) are respon- Business continuity plan: A plan that keeps the business
sible for almost half of the security problems. New employ- running after a disaster occurs. Each function in the business
ees are being added frequently to organizations, and they should have a valid recovery capability plan.
may bring security threats with them. Cybercrime: Intentional crimes carried out on the Internet.

The Sophistication of the Attacks Cybercriminal: A person who intentionally carries out crimes
over the Internet.
Cybercriminals are sharpening their weapons continuously, Exposure: The estimated cost, loss, or damage that can result
using technological innovations. In addition, criminals are if a threat exploits a vulnerability.
getting organized in very powerful groups, such as LulzSec
and Anonymous. Cybercriminals change their tactics because Fraud: Any business activity that uses deceitful practices or
of improved security (i.e., they are adapting quickly to a devices to deprive another of property or other rights.
changing environment). Malware (malicious software): A generic term for mali-
cious software.
The Cost of Cybercrime
Phishing: A fraudulent process of attempting to acquire sen-
sitive information by masquerading as a trustworthy entity.
It is not clear how much cybercrime costs. Many companies
do not disclose their losses. However, HP Enterprise Security’s Risk: The probability that a vulnerability will be known and
“2013 Cost of Cyber Crime Study: Global Report” found that used.
300 10  E-Commerce Security and Fraud Issues and Protections

Attacks Targets Defense

Computer
Attackers
Information Defenders and Methods
Methods
Systems

Software, Regulations,
Hardware, Policy,
Prevention, Strategy,
Intentional Hardware, Detection, Compliance,
criminals, Software, Deterrence Privacy,
Unintentional procedures, (punishments), Protenction,
natural disasters, E-Mail, Remote backup, Cost-benefit,
Malfunctions, Equipment, E-mail defense, Span protection,
Human errors Networks Business Spyware
continuity, protection,
Controls Vulnerability
assessment

People System,
Nontechnical
User,
defense
Defense

The Legal
Recovery System

Figure 10.2  The EC security battleground

Social engineering: A type of nontechnical attack that uses • The security defense, the defenders, and their methods and
some ruse to trick users into revealing information or per- strategy
forming an action that compromises a computer or network.
Spam: The electronic equivalent of junk mail. The Threats, Attacks, and Attackers
Vulnerability: Weakness in software or other mechanism
that threatens the confidentiality, integrity, or availability of Information systems, including EC, are vulnerable to both
an asset (recall the CIA model). It can be directly used by a unintentional and intentional threats.
hacker to gain access to a system or network.
Unintentional Threats
Zombie: Computers infected with malware that are under
the control of a spammer, hacker, or other criminal. Unintentional threats fall into three major categories: human
Definitions of these terms are provided at webopedia. error, environmental hazards, and malfunctions in the com-
com/TERM. puter system.

The EC Security Battleground Human Error


Human errors can occur in the design of the hardware,
The essence of EC security can be viewed as a battleground software, or information systems. It can also occur in
between attackers and defenders and the defenders’ security programming (e.g., forgetting to factor in leap year),
requirements. This battleground includes the following com- testing, data collection, data entry, authorization, system
ponents, as shown in Figure 10.2: operation, and instructions. Errors can occur because of
negligence, outdated security procedures or inadequate
• The attacks, the attackers, and their strategies employee training, or because passwords are not changed
• The assets that are being attacked (the targets) in vulner- or are shared with others.
able areas
10.2  Basic E-Commerce Security Issues and Landscape 301

U.S. Army and the Department of Energy). The danger is


Environmental Hazards that some companies may not take even minimal precautions
These include natural disasters and other environmental to protect their customer information if they can place the
conditions outside of human control (e.g., Acts of God, blame for the attacks on the cybercriminals.
large-scale acts of nature and accidents such as earth- Criminals use a variety of methods for the attacks. Some
quakes, severe storms, hurricanes, blizzards, or sand use computers as a weapon; some attack computing assets
storms), floods, power failures or strong fluctuations, depending on the targets. For a short history of hacking
fires (the most common hazard), explosions, radioactive (with an infographic) see i-programmer.info/news/149-­
fallout, and water-cooling system failures. Computer security/3972-a-short-history-of-hacking.html.
resources also can be damaged by side effects such as Hackers and crackers may recruit unsuspecting people,
smoke and water. including company insiders, to assist in their crimes. For
example, according to Malware Bytes Unpacked, a “money
mule” is a person who is local to the compromised account,
who can receive money transfers with a lesser chance of
Malfunctions in the Computer System alerting the banking authorities.
Defects can be the result of poor manufacturing, defec- “These money mules retrieve the funds and then transfer
tive materials, memory leaks, and outdated or poorly them to the cyber criminal.” Since the mules are used to trans-
maintained networks. Unintentional malfunctions can fer stolen money, they can face criminal charges and become
also happen for other causes, ranging from lack of user victims of identity theft. Notorious hacker Kevin Mitnick,
experience to inadequate testing. Another example is who served jail time for hacking, used social engineering as
Amazon’s Cloud (EC2), which hosts many major web- his primary method to gain access to computer systems.
sites (e.g., Reddit, Airbnb, Foursquare). In June and For ten tips to keeping your EC website protected against
October 2012, the cloud hosting service crashed due to hacking and fraud, see tweakyourbiz.com/technology/2014/
problems with the company’s data centers. The system 01/20/10-tips-to-protect-an-ecommerce-website-against-
also crashed in July 2012, taking down Netflix, hacking-and-fraud.
Foursquare, Dropbox, Instagram, and Pinterest due to
severe weather hitting the North Virginia data center. Example: The Bangladesh Bank
Some hackers installed malware in the Bangladesh Central
Bank computer systems that enable them to watch, for weeks,
Intentional Attacks and Crimes how funds are being withdrawn from the bank’s U.S. account.
The hackers then attempted to steal about $1 billion, but were
Intentional attacks are committed by cybercriminals. Types stopped after stealing $80 million from the Bangladesh at the
of intentional attacks include theft of data; inappropriate use Federal Bank of New York. For details see Reuters (2016).
of data (e.g., changing it or presenting it for fraudulent pur-
poses); theft of laptops and other devices and equipment and/
or computer programs to steal data; vandalism or sabotage The Targets of the Attacks in Vulnerable Areas
directed toward the computer or its information system;
damaging computer resources; losses from malware attacks; As seen in Figure 10.2, the targets can be people, computers,
creating and distributing viruses; and causing monetary or information systems. Fraud usually aims to steal money or
losses due to Internet fraud. Most of these are described in other assets such as real estate. Computers are also used to
Sections 10.3 and 10.4. harass people (e.g., cyberbullying), damage their reputation,
violate their privacy, and so forth.
The Criminals and Methods
Vulnerable Areas Are Being Attacked
Intentional crimes carried out using computers and the
Internet are called cybercrimes, which are done by cyber- Any part of an information system can be attacked. PCs, tab-
criminals (criminals for short), that includes hackers and lets, or smartphones can easily be stolen or attacked by viruses
crackers. A hacker describes someone who gains unauthor- and/or malware. Users can become victims of a variety of
ized access to a computer system. A cracker (also known as fraudulent actions. Databases can be attacked by unauthor-
a “black hat” hacker) is a malicious hacker with extensive ized intruders, and data are very vulnerable in many places in
computer experience who may be more damaging. Some a computerized system. For example, data can be copied,
hacker groups (such as the international group Anonymous) altered, or stolen. Networks can be attacked, and information
are considered unstoppable in penetrating organizations of flow can be stopped or altered. Computer terminals, printers,
all kinds (many U.S. government agencies, including the and any other pieces of equipment can be damaged in different
302 10  E-Commerce Security and Fraud Issues and Protections

ways. Software programs can be manipulated. Procedures and when it is on the Web. Online piracy occurs when illegal soft-
policies may be altered, and much more. Vulnerable areas are ware is downloaded from a peer-to-peer network. An exam-
frequently attacked. ple is the pirating of live sports events. At stake are millions
of dollars in lost revenue to sports leagues and media compa-
Vulnerability Information nies. These institutions are joining forces in lobbying for
stronger copyright legislation and by filing lawsuits against
A vulnerability is where an attacker finds a weakness in the violators. For facts and statistics about online piracy, see
system and then exploits that weakness. Vulnerability creates ­articles.latimes.com/2013/sep/17/business/la-fi-ct-piracy-
opportunities for attackers to damage information systems. bandwith-20130917.
MITRE Corporation publishes a dictionary of publicly known
security vulnerabilities called common vulnerabilities and
exposures (CVE) (cve.mitre.org). Exposure can result when EC Security Requirements
a cybercriminal exploits a vulnerability. See Microsoft’s guide
to threats and vulnerabilities at technet.microsoft.com/en-us/ Good security is a key success factor in EC.
library/dd159785.aspx. The following set of security requirements are used to
assure success and to minimize EC transaction risks:
Attacking E-Mail
One of the easiest places to attack is a user’s e-mail, since it
travels via the unsecured Internet.
• Authentication. Authentication is a process used
Attacking Smartphones and Wireless Systems to verify (assure) the real identity of an EC entity,
Since mobile devices are more vulnerable than wired sys- which could be an individual, software agent, com-
tems, attacking smartphones and tablets is becoming popular puter program, or EC website. For electronic mes-
due to the explosive growth of mobile computing. According sages, authentication verifies that the sender/receiver
to Fink (2014), hackers can steal your phone password wear- of the message is who the person or organization
ing digital glasses. claims to be. (The ability to detect the identity of a
person/entity with whom you are doing business.)
The Vulnerability of RFID Chips • Authorization. Authorization is the provision of
These chips are embedded everywhere, including in credit permission to an authenticated person to access sys-
cards and U.S. passports. Cards are designed to be read from tems and perform certain operations in those spe-
some distance (contactless), which also creates a vulnerability. cific systems.
When you carry a credit card in your wallet or pocket, anyone • Auditing. When a person or program accesses a
with an RFID reader that gets close enough to you may be able website or queries a database, various pieces of
to read the RFID information on your card. For a presentation, information are recorded or logged into a file. The
watch the video “How to Hack RFID-Enabled Credit Cards process of maintaining or revisiting the sequence of
for $8 (BBtv)” at youtube.com/watch?v=vmajlKJlT3U. events during the transaction, when, and by whom,
is known as auditing.
The Vulnerabilities in Business IT and EC Systems • Availability. Assuring that systems and information
are available to the user when needed and that the
Vulnerabilities can be of technical nature (e.g., unencrypted site continues to function. Appropriate hardware,
communications; insufficient use of security programs and software, and procedures ensure availability.
firewalls) or they can possess organizational weaknesses (e.g., • Nonrepudiation. Closely associated with authenti-
lack of user training and security awareness, and an insider cation is nonrepudiation, which is the assurance
who steals data and engages in inappropriate use of business that online customers or trading partners will not be
computers). able to falsely deny (repudiate) their purchase,
transaction, sale, or other obligation. Nonrepudiation
 irated Videos, Music, and Other
P involves several assurances, including providing
Copyrighted Material proof of delivery from the sender and proof of
sender and recipient identities and the identity of
It is relatively easy to illegally download, copy, or distribute the delivery company.
music, videos, books, software, and other intellectual p­ roperty
10.3  Technical Malware Attack Methods: From Viruses to Denial of Service 303

Authentication and nonrepudiation are potential defenses hackers and help the defense. Unfortunately, in many cases
against phishing and identity theft. To protect and ensure the punishment is too light to deter the cybercriminals.
trust in EC transactions, digital signatures, or digital certifi-
cates, are often added to validate the senders and the times of Defense Methods and Technologies
the transactions so buyers are not able to deny that they
authorized a transaction or that it never occurred. There are hundreds of security defense methods, technolo-
gies, and vendors and these can be classified in different ways
so their analyses and selection may be difficult. We introduce
 he Defense: Defenders, Strategy,
T only some of them later in this chapter.
and Methods
Recovery
Everybody should be concerned about security. However, in In security battles, there are winners and losers in each secu-
a company, the information systems department and security rity episode, but it is difficult to win the security war. There are
vendors provide the technical side, while management pro- many reasons for this. On the other hand, organizations and
vides the administrative aspects. Such activities are done via individuals usually recover after a security breach. Recovery
security and strategy procedures that users need to follow. is especially critical in cases of a disaster or a major attack,
and it must be speedy. Organizations need to continue their
EC Defense Programs and Strategy business until the information systems are fully restored, and
they need to restore them fast. This is accomplished by acti-
An EC security strategy consists of multiple layers of vating business continuity and disaster recovery plans.
defense that includes several methods. This defense aims to Because of the complexity of EC and network security,
deter, prevent, and detect unauthorized entry into an organi- comprehensive coverage requires an entire book, or even sev-
zation’s computer and information systems. Deterrent eral books. Here we cover only selected topics. Those readers
methods are countermeasures that make criminals abandon interested in a more comprehensive discussion should see the
their idea of attacking a specific system (e.g., a possible Pearson/Prentice Hall Security Series of security books and
deterrent is a realistic expectation of being caught and pun- also conduct a Google search.
ished). Prevention measures help stop unauthorized people
from accessing the EC system (e.g., by using authentication
devices and firewalls or by using intrusion prevention which SECTION 10.2  REVIEW QUESTIONS
is, according to TechTarget, “a preemptive approach to net-
work security used to identify potential threats and respond 1. List five major EC security terms.
to them swiftly”). Detection measures help find security 2. Describe the major unintentional security hazards.
breaches in computer systems. Usually this means to find out 3. List five examples of intentional EC security crimes.
whether intruders are attempting (or have attempted) to 4. Describe the security battleground, who participates,
break into the EC system, whether they were successful, and how. What are the possible results?
whether they are still damaging the system, and what dam- 5. Define hacker and cracker.
age they may have done. 6. List all security requirements and define authentication
and authorization requirements.
Information Assurance 7. What is nonrepudiation?
Making sure that a customer is safe and secure while shop- 8. Describe vulnerability and provide some examples of
ping online is a crucial part of improving the online buyer’s potential attacks.
experience. Information assurance (IA) is measures taken 9. Describe deterring, preventing, and detecting in EC secu-
to protect information systems and their processes against all rity systems.
risks. 10. What is a security strategy, and why it is needed?

Possible Punishment
10.3 T
 ECHNICAL MALWARE ATTACK
A part of the defense is to deter criminals by punishing them METHODS: FROM VIRUSES
heavily if they are caught. Judges now are giving more and TO DENIAL OF SERVICE
harsher punishments than a decade ago. For example, in
March 2010, a federal judge sentenced 28-year-old TJX There are many ways criminals attack information systems
hacker Albert Gonzalez to 20 years in prison for his role in and users. Here, we cover only major representative methods.
stealing millions of credit and debit card numbers and selling It is helpful to distinguish between two common types
them. Such severe sentences send a powerful message to of attacks—technical (which we discuss in this section)
304 10  E-Commerce Security and Fraud Issues and Protections

and nontechnical (or organizational), which we discuss in  alware (Malicious Code): Viruses, Worms,
M
Section 10.4. and Trojan Horses

Malware (or malicious software) is software code that,


 echnical and Nontechnical Attacks:
T when spread, is designed to infect, alter, damage, delete, or
An Overview replace data or an information system without the owner’s
knowledge or consent. Malware is a comprehensive term
Software and systems knowledge are used to perpetrate tech- that describes any malicious code or software (e.g., a virus
nical attacks. Insufficient use of antivirus and personal fire- is a “subset” of malware). Malware attacks are the most
walls and unencrypted communication are the major reasons frequent security breaches. Computer systems infected by
for technical vulnerabilities. malware take orders from the criminals and do things such
Organizational attacks are those where the security of a as send spam or steal the user’s stored passwords.
network or the computer is compromised (e.g., lack of proper Malware includes computer viruses, worms, botnets,
security awareness training). We consider financial fraud, Trojan horses, phishing tools, spyware tools, and other mali-
spam, social engineering, which includes phishing, and other cious and unwanted software. According to Harrison and
fraud methods as nontechnical. The goals of social engineer- Pagliery (2015), nearly one million new malware threats are
ing are to gain unauthorized access to systems or information released every day.
by persuading unsuspecting people to disclose personal
information that is used by criminals to conduct fraud and Viruses
other crimes. The major nontechnical methods are described
in Section 10.4. A virus is programmed software inserted by criminals into a
computer to damage the system; running the infected host
program activates the virus. A virus has two basic capabili-
The Major Technical Attack Methods ties. First, it has a mechanism by which it spreads. Second, it
can carry out damaging activities once it is activated.
Hackers often use several software tools (which unfortunately Sometimes a particular event triggers the virus’s execution.
are readily and freely available over the Internet together with For instance, Michelangelo’s birth date triggered the infa-
tutorials on how to use them) in order to learn about vulnera- mous Michelangelo virus. On April 1, 2009, the entire world
bilities as well as attack procedures. The major technical was waiting for a virus named Conficker. In 2014, a virus by
attack methods are illustrated in Figure 10.3 and are briefly the name of “Pony” infected hundreds of thousands of com-
described next. Note that there are many other methods such puters to steal bitcoins and other currencies (see Finkle 2014).
as “Mass SQL Injection” attacks that can be very damaging. Finally, Finkle reports that a virus named Agent BTZ attacked
over 400,000 computers in Russia, the United States, and
Europe. This big attack was not successful, but viruses con-
tinue to spread all the time. For how computer viruses work,
see computer.howstuffworks.com/virus.htm.
Web-based malware is very popular today. Virus attacks
are the most frequent computer attacks. The process of a
Malware (Virus, Worm, Trojan)
virus attack is illustrated in Figure 10.4.
Unauthorized Access
Viruses are dangerous, especially for small companies. In
2013, the CryptoLocker virus was used to blackmail compa-
Denial-of-Service Attacks nies after seizing their computer files and threatening to
erase their content.
Spam and Spyware For tutorials on, and information about, viruses, see Scott
(2014) and Dawn Ontario (n.d.). For the scariest viruses of
Hijacking (Servers, Pages)
2001–2015, see Van Allen (2016). Note that in Microsoft
tutorials, you will learn how to identify a computer virus,
Botnets
how to know if you are infected, and how to protect yourself
Figure 10.3  The major technical security attack methods (in descend- against viruses (see the Microsoft Safety and Security Center
ing order of importance) at microsoft.com/security/default.aspx).
10.3  Technical Malware Attack Methods: From Viruses to Denial of Service 305

Figure 10.4  How a computer


virus can spread

Worms code. Users are tricked into executing an infected file, where it
attacks the host, anywhere from inserting pop-up windows to
Unlike a virus, a worm can replicate itself automatically (as a damaging the host by deleting files, spreading malware, and so
“standalone”—without any host or human activation). Worms forth. The name is derived from the Trojan horse in Greek
use networks to propagate and infect a computer or handheld mythology. Legend has it that during the Trojan War, the city
device and can even spread via instant messages or e-mail. In of Troy was presented with a large wooden horse as a gift to
addition, unlike viruses that generally are confined within a the goddess Athena. The Trojans hauled the horse inside the
target computer, a worm can infect many devices in a network city gates. During the night, Greek soldiers who were hiding in
as well as degrade the network’s performance. According to the hollow horse opened the gates of Troy and let in the Greek
Cisco, “worms either exploit a vulnerability on the target sys- army. The army was able to take the city and win the war.
tem or use some kind of social engineering to trick users into Trojans spread only by user interaction (e.g., such as
executing them.” Because worms spread much more rapidly opening an under the guise of an e-mail allegedly sent by
than viruses, they may be more dangerous. Verizon), and there are many variants of Trojans (e.g., Zeus,
W32).
Macro Viruses and Microworms
A macro virus (macro worm) is a malware code that is Example 1: Trojan-Phisher-Rebery
attached to a data file rather than to an executable program In 2006, a variant of a Trojan horse program named Trojan-
(e.g., a Word file). According to Microsoft, macro viruses can Phisher-Rebery was used to steal tens of thousands of identities
attack Word files as well as any other application that uses a from people in 125 different countries. The Rebery malicious
programming language. When the document is opened or software is an example of a banking Trojan, which is pro-
closed, the virus can spread to other documents on the com- grammed to create damage when users visit certain online
puter’s system. For information about Word macro viruses, see banking or e-commerce sites. For an infographic describing the
Microsoft Support at support.microsoft.com/kb/187243/en. state of financial Trojans see Symantec (2014).
Computer programs that are very similar to viruses are worms
and Trojan horses. Example 2: The DDOS Attacks on WordPress
In March 2014, hackers used a botnet to attack more than
Trojan Horse 162,000 WordPress sites. Given that WordPress powers about
A Trojan horse is a program that seems to be harmless or 17% of the world’s blogging websites, any attack can be
even looks useful but actually contains a hidden malicious devastating.
306 10  E-Commerce Security and Fraud Issues and Protections

Some Security Bugs: Heartbleed and Crytolocker networks, especially Facebook and Twitter. An example of
such an attack is described in Online File W10.1.
Two dangerous computer bugs were discovered in 2013 and DoS attacks can be difficult to stop. Fortunately, the security
2014. community has developed tools for combating them. For com-
prehensive coverage, see us-cert.gov/ncas/tips/ST04-015.
Heartbleed Note: In 2014, a hacking group called Lizard Stresser
According to Russell (2014) “Heartbleed is a flaw in OpenSSL, offered to take down any website by employing DoS, for a
the open-source encryption standard used by the majority of fee of $3 (see Goldman 2014b).
websites that need to transmit the data that users want to keep
secure. It basically gives you a secure line when you’re send- Botnets
ing an e-mail or chatting on IM.”
The potential damage may be large. In theory, any data kept According to the Microsoft Safety and Security Center, a
in the active memory can be pulled out by the bug. Hackers botnet (also known as “zombie army”) is malicious software
can even steal encryption keys that enable them to read that criminals distribute to infect a large number of hijacked
encrypted messages. About 650 million websites may be Internet connected computers controlled by hackers. These
affected. The only advice provided by experts is to change the infected computers then form a “botnet,” causing the per-
online passwords. sonal computer to “perform unauthorized attacks over the
Internet” without the user’s knowledge. Unauthorized tasks
Cryptolocker include sending spam and e-mail messages, attacking comput-
Discovered in September 2013, Cryptolocker is a ransom- ers and servers, and committing other kinds of fraud, causing
ware Trojan bug. This malware can come from many sources the user’s computer to slow down (microsoft.com/security/
including e-mail attachments; can encrypt files on your com- resources/botnet-whatis.aspx).
puter, so that you cannot read these files. The malware owner Each attacking computer is considered computer robot. A
then offers to decrypt the data in exchange for a bitcoin or botnet made up of 75,000 systems infected, in 2010, with
similar untraceable payment system. Zeus Trojan contaminated computers. Botnets are used in
For information on what to do if you are being black- scams, spams, frauds, or just to damage systems (as in the
mailed and how to protect yourself see Cannell (2013). hospital case described in Online File W10.1). Botnets appear
in different forms and can include worms or viruses. Famous
Denial of Service botnets include Zeus, Srizbi, Pushdo/Cutwail, Torpig, and
Conficker.
According to Incapsula, Inc., a denial-of-service (DoS)
attack is “a malicious attempt to make a server or network Example: Rustock
resource unavailable to users, usually by temporarily inter- Rustock was a botnet made up of about one million hijacked
rupting or suspending the services of a host connected to the PCs, which evaded discovery for years. The botnet, which
Internet.” This causes the system to crash or become unable sent out up to 30 billion spam messages per day, placed
to respond in time, so the site becomes unavailable. One of “booby trapped” advertisements and links on websites vis-
the most popular types of DoS attacks occurs when a hacker ited by the victims. The spammers camouflaged the updates
“floods” the system by overloading the system with “useless to PCs to look like comments in discussion boards, which
traffic” so a user is prevented from accessing their e-mail, made them hard to find by security software. Microsoft was
websites, etc. one of the companies that helped shut down Rustock. In
Note: A DoS attack is a malicious attack caused by one 2013, Microsoft and the FBI “disrupted” over 1000 botnets
computer and one Internet connection as opposed to a DDos used to steal banking information and identities. Both
attack, which involves many devices and multiple Internet Microsoft and the FBI had been trying to take down the mal-
connections (to be discussed later). An attacker can also use ware “Citadel,” which affected millions of people located in
spam e-mail messages to launch a similar attack on your more than 90 countries. For an analysis of malicious botnet
e-mail account. A common method of launching DoS attacks attacks, see Katz (2014).
is by using zombie (hijacked) computers, which enable the
hijacked computer to be controlled remotely by a hacker Home Appliance “Botnet”
without the knowledge of the computer’s owner. The zombie The Internet of Things (IoT) can also be hacked. Since par-
computer (also known as a “botnet”) launches an over- ticipating home appliances have a connection to the Internet,
whelming number of requests toward an attacked website, they can become computers that can be hacked and con-
creating the DoS. For example, DoS attackers target social trolled. The first home attack, which involved television sets
10.4  Nontechnical Methods: From Phishing to Spam and Fraud 307

and at least one refrigerator, occurred between December 10.4 NONTECHNICAL METHODS:
2013 and January 2014, and was referred to as “the first FROM PHISHING TO SPAM
home appliance ‘botnet’ and the first cyberattack from the AND FRAUD
Internet of Things.” Hackers broke into more than 100,000
home appliances and used them to send over 750,000 mali- As discussed in Section 10.1, there has been a shift to profit-­
cious e-mails to enterprises and individuals worldwide (see related Internet crimes. These crimes are conducted with the
Bort 2014). help of both technical methods, such as malicious code that
can access confidential information that may be used to steal
Malvertising money from your online bank account, and nontechnical meth-
ods, such as social engineering.
According to Techopedia, malvertising is “a malicious form
of Internet advertising used to spread malware.” Malvertising
is accomplished by hiding malicious code within relatively Social Engineering and Fraud
safe online advertisements (see techopedia.com/definition/
4016/malvertising). Social engineering refers to a collection of methods where
Note that hackers are targeting ads at accelerating rates. criminals use human psychology to persuade or manipulate
For example, in 2013, Google disabled ads from over people into revealing their confidential information, or their
400,000 sites that were hiding malware (see Yadron 2014). A employment information so they can collect information
final word: If you get an e-mail that congratulates you on for illegal activities. The hacker may also attempt to get
winning a large amount of money and asks you to “Please access to the user’s computer in order to install malicious
view the attachment,” don’t! software that will give hackers control over the person’s
computer. The major social engineering attacks are phish-
ing (several submethods; typically, a phisher sends an
SECTION 10.3  REVIEW QUESTIONS e-mail that appears to come from a legitimate source), pre-
texting (e.g., an e-mail allegedly sent from a friend asking
1. Describe the difference between a nontechnical and a for money), and diversion theft (when a social engineer
technical cyberattack. convinces a courier company that he is the real recipient of
2. What are the major forms of malicious code? the package but it should be “rerouted” to another address,
3. What factors account for the increase in malicious code? whereupon the social engineer accepts the package). Once
4. Define a virus and explain how it works. information is obtained from a victim (e.g., via phishing), it
5. Define worm and Trojan horse. is used for committing crimes, mostly for financial gain, as
6. Define DoS. How are DoS attacks perpetrated? shown in Figure 10.5. The growth rate of unpatched vulner-
7. Define server. abilities and the volume of e-mail scam/phishing activities
8. Describe botnet attacks. are increasing rapidly.

Figure 10.5  Social engineering: Confidential, Victims


from phishing to financial fraud Sensitive
and crime Information
3

Commit
Financial
Fraud/Crime
2

4A 1 Phishing
Criminal Methods
4B

Sell in Phishers
5
Underground
E-Market
308 10  E-Commerce Security and Fraud Issues and Protections

Figure 10.6  How phishing is


accomplished

As you can see in the figure, phishers (or other criminals) into contacting phony customer service representatives and
obtain confidential information by using methods ranging handing over personal account data. Scammers have now tar-
from social engineering to physical theft. The stolen infor- geted other companies, such as AT&T and Comcast, by draw-
mation (e.g., credit card numbers, users’ identity) is used by ing users to fake websites via phony sponsored ads (Casti
the thieves to commit fraud for financial gain, or it is sold in 2014b). For 2015 phishing attacks, see Lemos (2016). Also see
the underground Internet marketplace to another set of crimi- Forrest (2016) for why phishing gets more dangerous.
nals, who then use the information to conduct financial crimes Selling stolen information, like selling any stolen goods,
themselves. For details see Wollen (2016). In this section, we can be profitable and unstoppable. Unfortunately, potential
will describe how phishing, which is a subset of social engi- e-commerce customers list “the potential risk of fraud,” and
neering, is used. “the mistrust of online merchants that you do not know” as
their primary reasons for not shopping online.

Social Phishing Example: The Target Security Breach


The Target Corp. 2013 security breach, where millions of cus-
In the field of computer security, phishing is a fraudulent pro- tomers had their debit and credit card data stolen, started as a
cess of acquiring confidential information, such as credit card phishing attack (see Schwartz 2014). Hackers used the creden-
or banking details, from unsuspecting computer users. A tials of an employee of one of Target’s vendors to gain access
phisher sends an e-mail, IM, comment, or text message that to Target’s security system and install malware for the purpose
appears to come from a legitimate, well-known, popular com- of accessing the data of every card used. A Target employee
pany, bank, school, or public institution. The user is instructed would swipe the customer’s card and the installed malware
to enter a corrupted website, where he or she may be tricked would capture the shopper’s credit card number. Once the
into submitting confidential information (e.g., being asked to hackers gained access to the data, they were able to steal 40
“update” information). Sometimes phishers install malware to million credit and debit card numbers—and 70 million
facilitate the extraction of information. For an interesting novel addresses, phone numbers, and other pieces of personal infor-
that “cries out an alarm about cyber security,” read “Marlins mation. To see an infographic of how the hackers broke in, and
Cry A Phishing Story” by Swann (2012). The process of Web- how Target could have prevented the hack, see Smith (2014).
based phishing is illustrated in Figure 10.6.
For a discussion of what phishing is and how to recognize
it, see ehow.com/how_7350964_recognize-phishing.html. Fraud and Scams on the Internet
Also see phishing.org/phishing-techniques for how phish-
ing works. EMC/RSA (2014) provides a comprehensive cov- Phishing is the first step that leads to many fraud schemes. The
erage of phishing with statistics and forecasts. Casti (2014a) EC environment where buyers and sellers cannot see each
describes a phishing scam on Netflix where users were tricked other facilitates fraud. There are many types of fraud on the
10.4  Nontechnical Methods: From Phishing to Spam and Fraud 309

Internet (see fbi.gov/scams-safety/fraud/internet_fraud). E-Mail Scams


Fraud is a problem for online retailers and customers alike.
Fortunately, even though actual losses per incident increase, E-mail scams are the most popular type of scam since they are
there are fewer incidents; and thus the total monetary damage so easy to commit. Dog Breed Info Center (dogbreedinfo.
may be declining. Visit dmoz.org/Society/Issues/Fraud/ com; n.d.) posts common examples at (dogbreedinfo.com/
Internet for a comprehensive collection of fraud resources. internetfraud/scamemailexamples.htm). The examples are
For a discussion, see Section 10.7. both educational and entertaining. The most dangerous are
e-mail scams that look like they come from well-known orga-
Examples of Typical Online Fraud Attacks nizations (banks, telecommunication companies) that tell you
that you must provide information in order to keep your
The following are some characteristic fraud attacks perpe- account active. An example of an e-mail purportedly sent by
trated on the Internet. Yahoo! is provided below.

• When one of the authors of this book advertised Yahoo Account


online that he had a house to rent, several “doctors” Verification Alert!!! (KMM69467VL55834KM)
and “nurses” pretending to be from the United
Dear Valued Member,
Kingdom and South America applied. They agreed
Due to the congestion in all Yahoo Accounts, Yahoo
to pay a premium price for a short-term lease and
would be shutting down all unused Accounts. You will
said they would pay with a cashier’s check. They
have to confirm your E-mail by filling out your Login
asked if the author would accept a check from
Information below after clicking the reply button, or
$6000 to $10,000 and send them back the balance
your account will be suspended within 24 h for secu-
of $4000 to $8000. When advised that this would be
rity reasons.
fine, but that the difference would be returned only
after their check had cleared, none of the would-be Yahoo! ID Card
renters followed up. Name:.........................................
• Extortion rings in the United Kingdom and Russia Yahoo! ID:..................................
have extorted hundreds of thousands of dollars from
Yahoo! Mail Address:..................
online sports betting websites. Any site refusing to
pay “protection fees” has been threatened with DoS Password:....................................
attacks. Member Information
Gender:.......................................
Birth Date:..................................
For a video titled “How Hackers Can Invade Your Home” Occupation:.................................
(2:26 min), see money.cnn.com/video/technology/2013/08/ Country:......................................
14/t-hack-my-baby-monitor-and-house.cnnmoney. For a If you are a Yahoo! Account Premium subscriber,
comprehensive discussion of fraud, see CyberSource (2013). we will refund the unused portion of your Premium
For a discussion on social engineering, phishing, and subscription. The refund will appear as a credit via the
other methods of fraudulently obtaining confidential infor- billing method we have on file for you. So please make
mation online, see Pontrioli (2013). sure that your billing information is correct and up-to-­
date. For more information, please visit payments.
Types of Scams mail.yahoo.com.
The following are some representative types of scams (per After following the instruction on this sheet your
Spamlaws see spamlaws.com/scams.html): Literary scams, account will not be interrupted and will continue as
jury duty scams, banking scams, e-mail scams, lottery scams, normal.
Nigerian scams (or “419” fraud), credit cards scams (several We appreciate your being a Yahoo! Account user.
types), work at/from home scams, IRS e-mail scams, and Sincerely,
free vacation scams. Many more can be found at fbi.gov/ Yahoo! Customer Support
scams-safety/fraud/internet_fraud.
310 10  E-Commerce Security and Fraud Issues and Protections

Any e-mail you receive asking for personal details is most For information and protection, see idtheftcenter.org and
likely a scam or phishing attempt since a legitimate organiza- fdic.gov/consumers/theft.
tion will already have all your personal information. For tips
from Yahoo! on how to protect yourself online, see Yahoo!
Safety (safety.yahoo.com). Cyber Bank Robberies

Cyberattacks can happen to individuals and organizations,


Top Ten Attacks and Remedies including banks.

IT security site Secpoint.com provides a list of the top ten Example: Secureworks.com
security-related attacks on the following topics: Top viruses, Secureworks.com uncovered the following check fraud opera-
spyware, spam, worms, phishing, hacker attacks, and hack- tions: Russian cybercriminals used “money mules” (people
ers and social engineering tactics. In addition, the site pro- who thought they were signing up for a legitimate job), 2000
vides related pages on IT security resources such as the top computers, and sophisticated hacking m
­ ethods to steal archived
ten hackers; top ten security tips and tools; pages relating to check images from five companies, and wire the collected
Anti phishing, Anti DoS, Anti spam, and more. For SecPoint money overseas.
IT resources for top ten spam attacks, see secpoint.com/Top- Next, the scammers printed counterfeit checks, which the
10-Spam-Attacks.html. money mules deposited in their own accounts. Then, the
mules were ordered to wire (transfer) the money to a bank in
Russia. The “mules,” as usual, were innocent people who
Identity Theft and Identify Fraud were hired and paid to do the transfer. Some of the mules
became suspicious and reported the scam to the authorities.
Identity theft, according to the United States Department of
Justice website, is a crime. It refers to wrongfully obtaining
and using the identity of another person in some way to com- Spam Attacks
mit crimes that involve fraud or deception (e.g., for economic
gain). Victims can suffer serious damages. In many countries, E-mail spam, also known as junk e-mail or just spam,
it is a crime to assume another person’s identity. According occurs when almost identical messages are e-mailed to
to the U.S. Federal Trade Commission (ftc.gov), identity many recipients in bulk (sometimes millions of unsolicited
theft is one of the major concerns of EC shoppers. According e-mails). According to Symantec, in April 2009, over 90%
to the FTC statistics, identity theft affects over 12 million of messages on corporate networks were e-mail spam.
Americans each year, for a loss of over $55 billion, and is Nearly 58% of spam came from botnets, the worst called
growing about 20% annually. For an entertaining comedy, Dotnet. The situation is better today (2016) due to improved
see the 2013 movie “Identity Thief.” filtering of junk mail. Spammers can purchase millions of
e-mail addresses, and then format the addresses, cut and
Example paste the messages and press “send.” Mass e-mail software
According to Constantin (2016), identity thieves stole 100,000 that generates, sends, and automates spam e-mail sending is
social security numbers and other personal data from the U.S. called Ratware. The messages can be advertisements (to
IRS files. buy a product), fraud-based, or just annoying viruses. For
current statistics on spam, see securelist.com/statistics.
Identity Fraud Securelist is a comprehensive site that also provides descrip-
tions of spam and viruses, a glossary, and information on
Identity fraud refers to assuming the identity of another per- threats. More than 130 billion spam e-mails are sent each
son or creating a fictitious person and then unlawfully using day as of 2013, but this growth rate has stabilized. Note that
that identity to commit a crime. Typical activities include: approximately 80% of all spam is sent by fewer than 200
spammers. These spammers are using spyware and other
• Opening a credit card account in the victim’s name tools mostly for sending unsolicited advertising. The spam-
• Making a purchase using a false identity (e.g., using anoth- mers are getting more and more sophisticated (e.g., see
er’s identity to buy goods) Kaiser 2014).
• Business identity theft is using another’s business name to
obtain credit or to get into a partnership Typical Examples of Spamming
• Posing as another to commit a crime
• Conducting money laundering (e.g., organized crime) Each month Symantec provides a report titled “The State of
using a fake identity Spam: A Monthly Report.” The report provides examples of
10.4  Nontechnical Methods: From Phishing to Spam and Fraud 311

current popular scams, categories of spam, originating coun-  pam in Social Networks and in the Web
S
tries, volume, and much more. 2.0 Environment

Social networks attract spammers due to the large number of


Spyware potential recipients and the less secure Internet and social
network platforms. Spammers like to attack Facebook in par-
Spyware is tracking software that is installed by criminals, ticular. Another problem area is blog spam.
without the user’s consent, in order to gather information
about the user and direct it to advertisers or other third par- Automated Blog Spam
ties. Once installed the spyware program tracks and records Bloggers are spammed by automatically generated commer-
the user’s movements on the Internet. Spyware may contain cials (some real and some fake) for items ranging from
malicious code redirecting Web browser activity. Spyware herbal Viagra to gambling vendors. Blog writers can use
can also slow surfing speeds and damage a program’s func- tools to ensure that a human, and not an automated system,
tionality. Spyware usually is installed when you download posts comments on their blogs.
freeware or shareware. For news and a video titled “Ethiopian
Government Spying on U.S.-Based Journalists” (2:23 min) Search Engine Spam and Splogs
of how some regimes use spyware against journalists, see
Timberg (2014). Search engine spam is technology that enables the creation
of pages called spam sites that trick search engines into
offering biased search results so that the ranking of certain
 ocial Networking Makes Social
S pages is inflated. A similar tactic involves the use of splogs
Engineering Easy (short for spam blog sites), which are blogs created by spam-
mers solely for advertising. The spammer creates many splogs
Social networking sites are a vulnerable and fertile area for and links them to the sites of those that pay him (her) to increase
hackers and con artists to gain a user’s trust, according to a certain page ranking. As you may recall from Chapter 9, com-
study by Danish-owned IT security company CSIS. panies are looking for search engine optimization (SEO),
which is conducted unethically by the above techniques.
How Hackers Are Attacking Social Networks
Examples
Hackers are exploiting the trusted environment of social net- Some examples of spam attacks in social networks (social
works that contain personal information (especially Facebook) spam) are:
to launch different social engineering attacks. Unfortunately,
many social network sites have poor track records for security
• Instant messaging in social networks is frequently
controls. There is a growing trend to use social networking
vulnerable to spam attacks.
sites as platforms for stealing users’ personal data.
• Cluley (2014) describes how Twitter users are
attacked by phishing attacks and spammers.
Examples
Here are some examples of security problems in social
networking:
Data Breach (Leak)

• Users may unknowingly insert malicious code into A data breach (also known as data leak or data loss) is a
their profile page, or even their list of friends. security incident in which data are obtained illegally and then
• Most anti-spam solutions cannot differentiate between published or processed. There are many purposes for data
real and criminal requests to connect to a network. breaches. For instance, one person in the U.S. military used a
This enables criminals to obtain personal information USB to download classified information and then posted the
about the members in a network. stolen information on the Internet. For drivers of data
• Facebook and other popular social networking sites breaches and how to protect yourself, see Goldman (2014a).
offer free, useful, attractive applications. These appli- For the most frightening data breaches, see TechRepublic
cations may have been built by developers who used Staff (2015).
weak security. The discussion so far has concentrated on attacks. Defense
• Scammers may create a fake profile and use it in a mechanisms, including those related to spam and other
phishing scam. cybercrimes, are provided in Section 10.6. First, let us exam-
ine what is involved in assuring information security.
312 10  E-Commerce Security and Fraud Issues and Protections

SECTION 10.4  REVIEW QUESTIONS Authentication, Authorization,


and Nonrepudiation
1. Define phishing.
2. Describe the relationship of phishing to financial fraud. Three concepts are related to the IA model: authentication,
3. Briefly describe some phishing tactics. authorization, and nonrepudiation. These important concepts
4. Describe spam and its methods. are:
5. Define splogs and explain how sploggers make money.
6. Why and how are social networks being attacked?
7. Describe data breaches (data leaks). • Authentication is a security measure making sure
that data information, ECD participants and trans-
actions, and all other EC related objects are valid.
Authentication requires verification. For example, a
10.5 T
 HE INFORMATION ASSURANCE person can be authenticated by something he knows
MODEL AND DEFENSE STRATEGY (e.g., a password), something he possesses (e.g., an
entry token), or something unique to that person
The Information Assurance (IA) model, known as the CIA (e.g., a fingerprint).
security triad, is a point of reference used to identify problem • Authorization requires comparing information pro-
areas and evaluate the information security of an organization. vided by a person or a program during a login with
The use of the model includes three necessary attributes: con- stored information associated with the access
fidentiality, integrity, and availability. This model is described requested.
next. (For a discussion, see whatis.techtarget.com/defini- • Nonrepudiation is the concept of ensuring that a party
tion/Confidentiality-integrity-and-availability-CIA.) in an EC transaction cannot repudiate (or refute) the
Note: The assurance model can be adapted to several EC validity of an EC contract and that she or he will fulfill
applications. For example, securing the supply chain is critical. their obligation in the transactions. According to the
National Information Systems Security (INFOSEC)’s
glossary, nonrepudiation is the “[a]ssurance the sender
Confidentiality, Integrity, and Availability of data is provided with proof of delivery and the recip-
ient is provided with proof of the sender’s identity, so
The success and security of EC can be measured by these that neither can later deny having processed the data.”
attributes:

Note: See the list of Key Terms in Section 10.2. Some


sources list more concepts (e.g., Techopedia).
To assure these attributes, e-commerce applies technolo-
1. Confidentiality is the assurance of data secrecy and gies such as encryption, digital signature, and certification.
privacy. Namely, the data is disclosed only to autho- For example, the use of a digital signature makes it difficult
rized people. Confidentiality is achieved by using for people to deny their involvement in an EC transaction.
several methods, such as encryption and passwords. In e-commerce, new or improved methods to ensure the
2. Integrity is the assurance that data are accurate and confidentiality of credit card numbers, the integrity of tran­
that they cannot be altered. The integrity attribute saction-­related messages, the authentication of buyers and
needs to be able to detect and prevent the unauthor- sellers, and nonrepudiation of transactions need to be con-
ized creation, modification, or deletion of data or stantly updated as older methods become obsolete.
messages in transit.
3. Availability is the assurance that access to any rele-
vant data, information websites, or other EC services E-Commerce Security Strategy
and their use is available in real time, whenever and
wherever needed. The information must be reliable. EC security needs to address the IA model and its components.
In Figure 10.7, an EC security framework that defines the high-
10.5  The Information Assurance Model and Defense Strategy 313

E-Commerce Security Strategy

Regulatory Financial Marketing & Operations


(External) (Internal) (Internal)
Control: Database and network Control: Fraud; embezzlement, Control: Website functions,
security bad debt expense customer transactions,
Assurance metrics: Assurance metrics: Authentication electronic documents,
Confidentiality, integrity, and integrity intellectual property
authorization Protect against: Assurance metrics: Avaibability,
Protect against: Transactions using stolen identities, nonrepudiation.
Unauthorized access by debit or credit cards, and checks, Protect against:
hackers, former employees, Unauthorized transactions and Phishing
malware, and crimeware overrides Spoofing
privacy violations Pretexting Denial-of-service attacks
Industrial espionage

Figure 10.7  E-commerce security strategy framework

level categories of assurance and their controls is presented.


The major categories are regulatory, financial, and marketing 3. General, administrative, and application controls.
operations. Only the key areas are listed in the figure. These are a variety of safeguards that are intended
to protect computing assets by establishing guide-
lines, checking procedures, and so forth.
4. Protection against social engineering and fraud.
The Defense Side EC Systems
Several defense methods are used against spam,
phishing, and spyware.
We organize the defense into eight categories:
5. Disaster preparation, business continuity, and
risk management. These topics are managerial
issues that are supported by software.
1. Defending access to computing systems, data 6. Implementing enterprisewide security programs.
flow, and EC transactions. This includes three top- To deploy the above mentioned defense methods, one
ics: Access control (including biometrics), encryp- needs to use appropriate implementation strategy.
tion of contents, and public key infrastructure (PKI). 7. Conduct a vulnerability assessment and a pene-
This line of defense provides comprehensive pro- tration test. (See the following text.)
tection when applied together. Intruders that circum- 8. Back up the data.
vent the access control will face encrypted material
even if they pass a firewall.
2. Defending EC networks. This includes mainly For a comprehensive coverage of all aspects of informa-
protection by firewalls. The firewall isolates the cor- tion protection, see Harwood (2015).
porate network and computing devices from the To implement the above defense, first conduct some
Internet that are poorly secured. To make the Internet assessment and then plan and execute. Two possible activi-
more secure, we can use virtual private networks. In ties are vulnerability assessments and penetration tests.
addition to these measures, it is wise to use intru-
sion-detecting systems. A protected network means Assessing Vulnerabilities and Security Needs
securing the incoming e-mail, which is usually
unencrypted. It is also necessary to protect against A key task in security strategy is to find the weaknesses and
viruses and other malware that are transmitted via strengths of the existing security strategies and solutions. This
the networks. is part of a risk assessment and can be accomplished in differ-
ent ways. Here are two representative suggestions:
314 10  E-Commerce Security and Fraud Issues and Protections

1. Conduct a vulnerability assessment of your EC systems. A 10.6 DEFENDING INFORMATION


vulnerability assessment is a process of identifying and SYSTEMS AND E-COMMERCE
evaluating problem areas that are vulnerable to attack on a
computerized system. The EC system includes online Defending information systems regardless of their nature are
ordering, communication networks, payment gates, prod- similar and are described in many books (e.g., by Andress 2014).
uct database, fraud protection, and so forth. The most criti- We provide only highlights of this security, dividing it into
cal vulnerabilities are those that can interrupt or shut down three categories: (1) Access control, encryption, and PKI, (2)
the business. For example, a DoS can prevent order taking; Security in e-commerce networks, and (3) General controls,
a virus attack can prevent communication. The assessment spam, pop ups, and social engineering. In Section 10.7 we
will determine the need for, and priority of, the defense describe fraud protection.
mechanisms. For an overview of vulnerability assessment A comprehensive coverage of cybersecurity threats and
including the process, see searchmidmarketsecurity. defense is provided by Scott in several volumes titled Cyber­
techtarget.com/definition/vulnerability-analysis. security 101. Volume 1 (Scott 2016a) covers mostly nontechni-
2. Conduct penetration (pen) tests (possibly implemented cal areas, while Volume 2 (Scott 2016b) covers mostly technical
by hiring ex-hackers) to find the vulnerabilities and secu- areas. A comprehensive book regarding defense against attacks
rity weaknesses of a system. These tests are designed to on the Web is provided by Harwood (2015).
simulate outside (external) attacks. This is also called
“black-box” testing. In contrast, software development
companies conduct intensive “white-hat” testing, which  he Defense I: Access Control, Encryption,
T
involves a careful inspection of the system—both hard- and PKI
ware and software. Other types of pen testing include tar-
geted texting, blind testing, and double blind testing. In this section, we describe the following topics: Access con-
trol methods, biometric systems, encryption, and PKI encryp-
For more information, see searchsoftwarequality.tech- tion. For an overview of the defense, see Cloud (2015).
target.com/definition/penetration-testing.
Access Control
Penetration Test
Access control determines who (person, program, or machine)
A penetration test (pen test) is a method of assessing the can legitimately use the organization’s computing resources
vulnerability of a computer system. It can be done manually, (which resources, when, and how).
by allowing experts to act as hackers to simulate malicious
attacks. The process checks the weak (vulnerable) points that Authorization and Authentication
an attacker may find and exploit. Any weakness that is discov- Access control involves authorization (having the right to
ered is presented to management, together with the potential access) and authentication, which is also called user identifi-
impact and a proposed solution. A pen test can be one step in cation (user ID), i.e., proving that the user is who he or she
a comprehensive security audit. claims to be. Each user has a distinctive identification that dif-
Several methods can be used to execute pen tests (e.g., ferentiates it from other users. Typically, user identification is
automated process). In addition, many software tools are used together with a password.
available for this purpose. For a review and a tutorial, see
pen-tests.com and coresecurity.com/penetration-testing-­ Authentication
overview. For more on penetration tests, see Maxwell (2016). After a user has been identified, the user must be authenticated.
Authentication is the process of verifying the user’s identity
and access rights. Verification of the user’s identity usually is
SECTION 10.5  REVIEW QUESTIONS based on one or more characteristics that distinguish one indi-
vidual from another.
1 . What is Information Assurance? List its major components.
2. Define confidentiality, integrity, and availability. Biometric Systems
3. Define authentication, authorization, and nonrepudiation.
4. List the objectives of EC strategy. A biometric authentication is a technology that measures
5. List the eight categories of defense in EC systems. and analyzes the identity of people based on measurable
6. Describe vulnerability assessment. biological or behavioral characteristics or physiological
­
7. What is a penetration test? signals.
10.6  Defending Information Systems and E-Commerce 315

Biometric systems can identify a previously registered set of procedures or mathematical algorithms used to encrypt
person by searching through a database for a possible match or decrypt a message. Typically, the algorithm is not the secret
based on the person’s observed physical, biological, or piece of the encryption process. The key (key value) is the
behavioral traits, or the system can verify a person’s identity secret piece used with the algorithm to encrypt (or decrypt)
by matching an individual’s measured biometric traits the message. For how encryption works, see computer.how-
against a previously stored version. stuffworks.com/encryption.htm.
Examples of biometric features include fingerprints, facial The major benefits of encryption are as follows:
recognition, DNA, palm print, hand geometry, iris recogni-
tion, and even odor/scent. Behavioral traits include voice ID,
typing rhythm (keystroke dynamics), and signature verifica-
• Allows users to carry data on their laptops, mobile
tion. A brief description of some of these follows:
devices, and storage devices (e.g., USB flash drives).
• Protects backup media while people and data are
offsite.
• Allows for highly secure virtual private networks
• Thumbprint or fingerprint. A thumb- or finger- (VPNs; see Section 10.7).
print (finger scan) of users requesting access is • Enforces policies regarding who is authorized to han-
matched against a template containing the finger- dle specific corporate data.
prints of authorized people (e.g., used by Apple Pay). • Ensures compliance with privacy laws and govern-
• Retinal scan. A match is sought between the pat- ment regulations, and reduces the risk of lawsuits.
terns of the blood vessels in the retina of the access • Protects the organization’s reputation and secrets.
seekers against the retinal images of authorized peo-
ple stored in a source database.
• Voice ID (voice authentication). A match is sought
between the voice pattern of the access seekers and Encryption has two basic options: the symmetric system,
the stored voice patterns of the authorized people. with one secret key, and the asymmetric system, with two
• Facial recognition. Computer software that views keys.
an image or video of a person and compares it to an
image stored in a database (used by Amazon.com Symmetric (Private) Key Encryption
and Alibaba).
• Signature recognition. Signatures of access seekers In a symmetric (private) key encryption, the same key is
are matched against stored authentic signatures. used to encrypt and decrypt the plaintext (see Figure 10.8).
The sender and receiver of the text must share the same key
without revealing it to anyone else—making it a so-called
private system.
Note that Alibaba is using facial recognition for online A strong key is only one requirement. Transferring the
payments. You scan your face in front of the camera in your key between individuals and organizations may make it inse-
smartphone (see Kan 2015 for details). Amazon is using a cure. Therefore, in EC, a PKI system is used.
similar system (Hinckley 2016).
Other biometrics types are thermal infrared face recogni- Public Key Infrastructure
tion, hand geometry, and hand veins. For details, compari-
sons with regard to human characteristics, and cost–benefit A public key infrastructure (PKI) is a comprehensive
analyses, see findbiometrics.com/solutions. framework for securing data flow and information exchange
that overcomes some of the shortcomings of the one-key sys-
Encryption and the One-Key (Symmetric) System tem. For example, the symmetric one-key encryption requires
the writer of a message to reveal the key to the message’s
Encryption is the process of encoding data into a form recipient. A person that is sending a message (e.g., vendor)
(called a ciphertext) that will be difficult, expensive, or time-­ may need to distribute the key to thousands of recipients (e.g.,
consuming for an unauthorized person to understand. All buyers), and then the key probably would not remain secret.
encryption methods have five basic components: plaintext, The PKI solution is using two keys, public and private, as
ciphertext, an encryption algorithm, the key, and key space. well as additional features that create a highly secured sys-
Plaintext is a human-readable text or message. Ciphertext tem. In addition to the keys, PKI includes digital signatures,
is an encrypted plaintext. The encryption algorithm is the hash digests (function), and digital certificates.
316 10  E-Commerce Security and Fraud Issues and Protections

Figure 10.8 Symmetric Private Key Private Key


(private) key encryption

Plaintext Encryption Decryption Plaintext


Ciphertext
Message Message

Sender Receiver

Public (Asymmetric) Key Encryption  he Defense II: Securing E-Commerce


T
Public (asymmetric) key encryption uses two keys—a Networks
public key that is known to all and a private key that only
its owner knows. The two keys must be used together. If a Several technologies exist that ensure that an organization’s
message is encrypted with a public key, then only the associ- network boundaries are secure from cyberattack or intrusion,
ated private key can decrypt the message (and vice versa). If, and that if the organization’s boundaries are compromised,
for example, a person wants to send a purchase order to a the intrusion is detected quickly and combated.
vendor and have the contents remain private, the sender
encrypts the message with the buyer’s public key. When the Firewalls
vendor, who is the only one able to read the purchase order,
receives the order, the vendor decrypts it with the associated Firewalls are barriers between an internal trusted network
private key. (or a PC) and the untrustworthy Internet. A firewall is
designed to prevent unauthorized access to and from private
The PKI Process: Digital Signatures and Certificate networks, such as intranets. Technically, a firewall is com-
Authorities posed of hardware and a software package that separates a
Digital signatures are the electronic equivalent of personal private computer network (e.g., your LAN) from a public
signatures on paper. They are difficult to forge since they network (the Internet). Firewalls are designed mainly to pro-
authenticate the identity of the sender that uses the public tect against any remote login, access by intruders via back-
key. Digital signatures are legally treated as signatures on doors, spam, and different types of malware (e.g., viruses or
paper. To see how a digital signature works, go to searchse- macros). Firewalls come in several shapes and formats. A
curity.techtarget.com/definition/digital-signature. popular defense system is a DMZ. The DMZ can be designed
in two different ways, using a single firewall or with dual
Certificate Authority firewalls. For intelligent firewalls, see Teo (2016).
Independent agencies called certificate authorities (CAs)
issue digital certificates or SSL certificates, which are elec- The Dual Firewall Architecture: The DMZ
tronic files that uniquely identify individuals and websites In the DMZ architecture (DMZ stands for demilitarized
and enable encrypted communication. The certificate con- zone), there are two firewalls between the Internet and the
tains personal information and other information related to internal users. One firewall is between the Internet and the
the public key and the encryption method, as well as a signed DMZ (border firewall) and another one is between the DMZ
hash of the certificate data. and the internal network (see Figure 10.9). All public servers
are placed in the DMZ (i.e., between the two firewalls). With
Secure Socket Layer this setup, it is possible to have firewall rules that allow
PKI systems are further secured with SSL—a protocol for trusted partners access to the public servers, but the interior
e-commerce. The PKI with SSL makes e-commerce very firewall can restrict all incoming connections.
secure but cumbersome for users. One of the major proto-
cols in use today is Secure Socket Layer (SSL). SSL has Virtual Private Networks (VPNs)
been succeeded by Transport Layer Security (TLS), which is
based on SSL. For further details, see searchsecurity.tech- Suppose a company wants to establish a B2B application,
target.com/definition/Transport-Layer-Security-TLS. providing suppliers, partners, and others access not only to
In the next section, the focus is on the company’s digital data residing on its internal website, but also to data con-
perimeters—the networks. tained in other files (e.g., Word documents) or in legacy
10.6  Defending Information Systems and E-Commerce 317

Figure 10.9  The two firewalls:


DMZ architecture
DMZ

Modem

Fire
wal Fire
l wal
l
External Firewall
Internal Firewall

Internet

Public Server Private (Enterprise)


(e.g., FTP) Network

s­ ystems (e.g., large relational databases). Traditionally, com- searchsecurity.techtarget.com/guides/Introduction-to-IDS-


munications with the company would have taken place over IPS-Network-intrusion-detection-­system-­basics.
a secure but expensive value-added private leased line or
through a dial-up line connected to modems or a remote Dealing with DoS Attacks
access server (RAS). Unfortunately, using the Internet
instead, which is free, may not be secure. A more secure use DoS attacks, as described earlier, are designed to bombard
of the Internet is provided by using a VPN. websites with all types of useless information, which clogs
A virtual private network (VPN) refers to the use of the the sites. The faster a DoS attack is discovered, the easier
Internet to transfer information, but in a more secure manner. A is the defense. DoS attacks grow rapidly. Therefore, detecting
VPN behaves like a private network by using encryption and an intrusion early can help. Since there are several types of
other security features to keep the information secure. For exam- DoS attacks (e.g., DDoS), there are several defense methods.
ple, a VPN verifies the identity of anyone using the network. For examples, see learn-networking.com/network-­security/
For details on VPNs, see ­searchenterprisewan.techtar- how-to-prevent-denial-of-service-attacks. Intrusion detect-
get.com/definition/virtual-private-network. ing software also identifies the DoS type, which makes the
defense easier and faster.
Intrusion Detection Systems (IDS)

No matter how protected an organization is, it still can be a  he Defense III: General Controls,
T
target for attempted security attacks. For example, most Spam, Pop Ups, and Social Engineering
organizations have antivirus software, yet they are subjected Controls
to virus attacks by new viruses. This is why an organization
must continually monitor for attempted, as well as actual, The objective of IT security management practices is to defend
security breaches. The monitoring can be done by using information systems. A defense strategy requires several
intrusion detectors. controls.
An intrusion detection system (IDS) is a device com- The major types of controls are: (1) General controls,
posed of software and/or hardware designed to monitor the which are designed to protect all system applications. (2)
activities of computer networks and computer systems in Application controls guard applications. In this and the fol-
order to detect and define unauthorized and malicious attempts lowing sections, we discuss representative types of these two
to access, manipulate, and/or disable these networks and sys- groups of information system controls. Later in the section,
tems. For details, the technology, benefits, and limitations, see we cover spam and fraud mitigation.
318 10  E-Commerce Security and Fraud Issues and Protections

General, Administrative, and Other Controls becomes a necessity for any successful social networking
initiative.
The major categories of general controls are physical Social networking spans many different applications and
­controls, administrative controls, and other controls. A brief services. Therefore, many methods and tools are available to
description of general controls is provided next. defend such systems. Many of the solutions are technical in
nature and are outside the scope of this book.
Physical Controls
Physical controls protect computer facilities and resources, Protecting Against Phishing
including the physical area where computing facilities are Because there are many phishing methods, there are many
located. The controls provide protection against natural haz- defense methods as well. Illustrative examples are provided
ards, criminal attacks, and some human error. by Symantec (2009) and the FTC Consumer Information at
Network access control software is offered by all major secu- consumer.ftc.gov/articles/0003-phishing. For risk and fraud
rity vendors (e.g., see symantec.com/endpoint-protection). insights, see sas.com/en_us/insights/risk-fraud.html.

Administrative Controls Protecting Against Malvertising


Administrative controls are defined by management and cover According to TechTarget, malvertising (malicious a­ dvertising)
guidelines and compliance issuing and monitoring. “is an advertisement on the Internet that is capable of infecting
the viewer’s computer with malware.” Microsoft combats
Protecting Against Spam malvertising by taking legal action against malvertisers.

Sending spam that includes a sales pitch and looks like per- Protecting Against Spyware
sonal, legitimate e-mail and may bypass filters is a violation of
the U.S. Controlling the Assault of Non-Solicited Pornography In response to the emergence of spyware, a large variety of
and Marketing (CAN-SPAM) Act of 2003. However, many antispyware software exists. Antispyware laws, available in
spammers hide their identity by using hijacked PCs or spam many jurisdictions, usually target any malicious software
zombies to avoid detection and identification. For protecting that is installed without the knowledge of users. The
your system against botnet attacks, which also spread a huge U.S. Federal Trade Commission advises consumers about
volume. spyware infections. For details and resources, see ftc.gov/
news-events/media-resources/identity-theft-and-data-
Protecting Your Computer from Pop-Up Ads security/spyware-and-malware.

The use of pop-ups and similar advertising methods is grow- Protecting Against Cyberwars
ing rapidly. Sometimes it is even difficult to close these ads
when they appear on the screen. Some of these ads may be This is a difficult task since these attacks usually come from
part of a consumer’s permitted marketing agreement, but foreign countries. The U.S. government is developing tools
most are unsolicited. What can a user do about unsolicited that will mine social media sites to predict cyberattacks. The
pop-up ads? Here are some resources: tools will monitor all Facebook, Twitter, and other social net-
Panicware, Inc.’s Pop-Up Stopper Free Edition (pop-up-­ works sites to interpret content. The idea is to automate the
stopper-free-edition.software.informer.com), Softonic’s Pop process.
up Blocker (pop-up-blocker.en.softonic.com/download), and
AdFender (adfender.com); others are available for a fee. For a
list, see snapfiles.com; and for a list of blocker software for Business Continuity and Disaster Recovery
Windows, see download.cnet.com/windows/popup-blocker-
software. Many ISPs and major browser makers (e.g., Google, Disasters may occur without warning. A prudent defense is
Microsoft, Yahoo!, Mozilla) offer tools to stop pop-ups. to have a business continuity plan, mainly consisting of a
disaster recovery plan. Such a plan describes the details of
Protecting Against Other Social Engineering Attacks the recovery process from major disasters such as loss of all
(or most) of the computing facilities or the data.
With the increasing number of social engineering attacks via
websites and in social networks comes the need for better  xample: Hospital Paid Ransom after Malware Attack
E
protection. The open-source environment and the interactive Hollywood Presbyterian Medical Center paid a ransom of
nature of the technology also create risks. Thus, EC security $17,000 in Britain (so the) blackmailer-hacker cannot be
10.7  Consumer and Seller Protection from Online Fraud 319

identified (see Chapter 11 for bitcoins). The hacker encrypted Consumer (Buyer) Protection
the data that were not backed up. The hospital failed with its
disaster recovery plan, so there was no choice (per the hospi- Consumer protection is critical to the success of any com-
tal management), but paying the ransom. For details see merce, especially electronic ones, where transactions between
Jennings (2016). buyers and sellers are not face-to-face. The Federal Trade
Commission (FTC) enforces consumer protection laws in the
United States. The FTC provides a list of common online
SECTION 10.6  REVIEW QUESTIONS scams (see onguardonline.gov/articles/0002-­common-­online-
scams). In addition, the European Union and the United States
1. Define access control. are attempting to develop joint consumer protection policies.
2. What are the basic elements of an authentication system? For details, see the Trans Atlantic Consumer Dialogue website
3. Define biometric systems and list five of their methods. at tacd.org.
4. Define a symmetric (one-key) encryption.
5. List some of the disadvantages of the symmetric system. Representative Tips and Sources for Your Protection
6. What are the key components of PKI?
7. Describe the PKI process. A representative list follows:
8. How does a digital signature work?
9. Describe digital certification.
10. List the basic types of firewalls and briefly describe each. • Users should make sure that they enter the real web-
11. How does a VPN work and how does it benefit users? site of well-known companies, such as Walmart,
12. Briefly describe the major types of IDSs. Disney, and Amazon.com, by going directly to the
13. What are general controls? List the various types. site, rather than through a link.
14. How does one protect against spam? • Check any unfamiliar site for an address and tele-
15. How does one protect against pop-ups? phone and fax numbers. Call and quiz a salesperson
16. How does one protect against phishing, spyware, and about the company and the products.
malvertising? • Investigate sellers with the local chamber of com-
merce, Better Business Bureau (bbb.org), or TRUSTe
(truste.com).
• Investigate how secure the seller’s site is and how
10.7 C
 ONSUMER AND SELLER well it is organized.
PROTECTION FROM ONLINE • Examine the money-back guarantees, warranties,
FRAUD and service agreements before making a purchase.
• Compare prices online with those in regular stores—
Internet fraud is a major problem in e-commerce and it is prices that are too low may be too good to be true.
growing rapidly. The fraud is mostly against consumers, but • Ask friends what they know about the websites. Find
there is some against sellers and merchants. Governments testimonials and endorsements (be careful, some
are especially eager to educate the public about the many may be biased).
types of fraud, which target senior citizens in particular. • Find out what remedy is available in case of a
General information on what are common frauds is provided dispute.
by agencies such as the FBI (see fbi.gov/scams-safety/ • Consult the National Consumers League Fraud
fraud/internet_fraud). The FBI also operates the Internet Center (fraud.org).
Crime Complaint Center, IC3 at ic3.gov. Internet fraud is • Check the resources available at consumerworld.
growing problem (about 25% of all consumers are victims). org.
The problem is growing due to the blending of social com- • Amazon.com provides comprehensive protection.
merce and e-commerce and the increased use of m-com- See payments.amazon.com/merchant.
merce (see Frenkel 2016). For an overview, see paypal.com/
c2/webapps/mpp/paypal-safety-and-security.
It is necessary to protect EC consumers, which the IC3
In addition to these tips, consumers and shoppers also
attempts to do, by informing the public about Internet scams
have rights on the Internet, as described in the following list
and by publishing public service announcements.
of sources:
320 10  E-Commerce Security and Fraud Issues and Protections

Better Business Bureau


• The Federal Trade Commission (ftc.gov): Protecting The Better Business Bureau (BBB; bbb.org), a nonprofit
America’s Consumers. Abusive e-mail should be organization supported largely by membership, collects and
forwarded to spam@uce.go. For tips and advice see provides reports on businesses that consumers can review
ftc.gov/tips-advice. before making a purchase. The BBB responds to millions of
• The Federal Government Safety Online (usa.gov/ inquiries each year. The BBB also handles customer disputes
online-safety) against businesses.
• National Consumers League Fraud Center (fraud.
org). Which?
• Federal Citizen Information Center (gsa.gov/­portal/ Supported by the European Union, Which? (which.co.uk)
category/101011). gives consumers protection by ensuring that online traders
• U.S. Department of Justice (justice.gov). under its Which? Web Trader scheme abide by a code of pro-
• Internet Crime Complaint Center (ic3.gov). active guidelines. These guidelines outline issues such as
• The American Bar Association provides online product information, advertising, ordering methods, prices,
shopping tips at safeshopping.org. delivery of goods, consumer privacy, receipting, dispute res-
• The Better Business Bureau (bbb.org). olution, and security.
• The U.S. Food and Drug Administration provides
information on buying medicine and medical prod- WebTrust Seal
ucts online (www.fda.gov/drugs/resourcesforyou/ The WebTrust seal program is similar to TRUSTe. The
ucm077266.htm). American Institute of Certified Public Accountants (cpaweb­
• The Direct Marketing Association (thedma.org). trust.com) sponsors it.

Evaluation by Consumers
A large number of sites include product and vendor evalua-
For specific tips on how to spot fake sites and products, tions offered by consumers. For example, on Yelp!, commu-
see Horowitz and Horowitz (2015). nity members rate and comment on businesses.
Disclaimer: This is general information on consumer
rights. It is not legal advice on how any particular individual The Computer Fraud and Abuse Act (CFAA)
should proceed. If you require specific legal advice, consult
an attorney. The Computer Fraud and Abuse Act (CFAA), passed in
1984 and amended several times, is an important milestone
in EC legislation. Initially, the scope and intent of CFAA was
Third-Party Assurance Services
to protect government computers and financial industry com-
puters from criminal theft by outsiders. In 1986, the CFAA
Several public organizations and private companies also
was amended to include stiffer penalties for violations, but it
attempt to protect consumers. The following are just a few
still only protected computers used by the federal govern-
examples.
ment or financial institutions. As the Internet expanded in
scope, so did the CFAA.
Protection by a Third-Party Intermediary
Intermediaries who manage electronic markets try to protect
buyers and sellers. A good example is eBay, which provides Seller Protection
an extensive protection program (see eBay Money Back
Guarantee (pages.ebay.com/coverage/index.html) and a The Internet makes it easier for buyers and sellers engaging
Dispute Resolution Center). in EC to commit fraud. Sellers must be protected against:

TRUSTe’s “Trustmark”
TRUSTe (truste.com) is a for-profit company whose mis- • Customers who deny that they placed an order.
sion is to ensure that “businesses adhere to best practices • Customers who download copyrighted software and
regarding the collection and use of personal information on sell it to others.
their website” (see truste.com/about-TRUSTe). • Customers who give fraudulent payment informa-
The TRUSTe program is voluntary. The licensing fee for tion (false credit card or a bad check) for products
use of the Trustmark is paid by sellers, depending on the size and services that they buy.
of the online business.
10.7  Consumer and Seller Protection from Online Fraud 321

• Ask the customer to disclose the credit card verification code.


• Imposters—sellers using the name of another seller • Delay shipment until money is received.
(see the CyberSource Annual Reports).
• Other sellers using the original seller’s names, trade- For further discussion of what merchants can do to protect
marks, and other unique features, and even their themselves from fraud, see CyberSource. For ten measures
Web addresses (or similar to it). to reduce credit card fraud for Internet Merchants (a
• Payment fraud by consumers and by criminals. FraudLabs.com White Paper), see ­fraudlabs.com/docs/
fraudlabs_white_paper.pdf.

Sellers also can be attacked illegally or unethically by


competitors.  rotecting Marketplaces and Social
P
Network Services
Example
A class action lawsuit was filed against McAfee in the United Marketplaces such as eBay, Yahoo!, Amazon.com, and
States District Court for the Northern District of California Alibaba face a problem of sellers that try to sell counterfeit
(Case No. 10-1455-HRL) alleging that after the plaintiffs products online. The problem is especially acute for Alibaba
purchased McAfee software from McAfee’s website, a whose business model is to connect sellers and buyers (in
deceptive pop-up ad (from one of McAfee’s partners) that contrast with Amazon.com) that mostly buys products and
looks like a McAfee page appeared, and thanked the plain- retails them to consumers. Marketplaces try to crack down
tiffs for their software purchase. The pop-up ad asked them on the counterfeiter, but it is not an easy job.
to click on a “Try it Now” button, which they assumed would Facebook and other social networks that move to com-
download the software they had just purchased, but unbe- mercialization are facing the problem of fake accounts. For
knownst to them, they received a 30-day trial subscription to the problem and solutions, see Jones (2016).
Arpu, Inc. (a non-McAfee product). They found out later that
McAfee transmits customer credit/debit card and billing  rotecting Both Buyers and Sellers: Using
P
information to Arpu (customers are charged $4.95 per month Electronic Signatures and Other Security
after the trial period) and collects an undisclosed fee for each Features
customer who “tries” Arpu via the McAfee website. See also
courthousenews.com/2010/04/08/McAfee.pdf. One method to help distinguish between legitimate and fraud-
ulent transactions is electronic signatures.
What Can Sellers Do? An electronic signature is “the electronic equivalent of a
handwritten signature” (per pcmag.com/encyclopedia/term/
Companies like Chargeback Stopper (chargebackstopper. 42500/electronic-signature). Electronic signatures provide
com) and Chargeback Protection (chargebackprotection.org) high level of security and are recognized by most legal entities
provide merchants with a database of credit card numbers that as being equivalent to handwritten signatures. All electronic
have had “chargeback orders” recorded against them. Sellers signatures are represented digitally. Signed electronic docu-
who have access to the database can use this information to ments and contracts are as legally binding as paper-based doc-
decide whether to proceed with a sale. In the future, the credit uments and contracts.
card industry is planning to use biometrics to manage elec-
tronic shoplifting. In addition, sellers can use PKI and digital Authentication
certificates, especially the SET protocol, to help prevent fraud.
Other possible solutions include the following: In the online environment where consumers and merchants
do not have physical contact with one another, proving the
• Use intelligent software to identify questionable custom- authenticity of each person is necessary since buyers and
ers (or in small companies, do this identification manu- sellers do not see each other. However, if one can be sure of
ally). One technique, for example, involves comparing the identity of the person on the other end of the line, there
credit card billing and requested shipping addresses. could be more e-commerce applications. For example, stu-
• Identify warning signals—i.e., red flags—for possible dents would be able to take exams online from anywhere
fraudulent transactions. without the need for proctors. Fraud among recipients of
• Ask customers whose billing address is different from the government payments would be minimized. Buyers would
shipping address to call their bank and have the alternate be assured who the sellers are, and sellers would know, with
address added to their bank account. Retailers will agree to a very high degree of confidence, who the buyers really are.
ship the goods to the alternate address only if this is done. Online job interviews would be accurate because it would be
322 10  E-Commerce Security and Fraud Issues and Protections

almost impossible for an applicant to impersonate another Senior Management Commitment and Support
person. Overall, trust in online transactions and in EC in
­general would increase significantly. Authentication can be The success of an EC security strategy and program depends
achieved in several ways, including the use of biometrics. on the commitment and involvement of senior management.
Many forms of security are unpopular because they are
Fraud Detecting Systems inconvenient, restrictive, time-consuming, and expensive.
Security practices may not be a top organizational priority
There are a large number of fraud detection systems such as unless they are mandated.
the use of data mining for credit card fraud. CyberSource also Therefore, an EC security and privacy model for effective
has developed several tools for detecting fraud. For details, see enterprisewide security should begin with senior manage-
Cyber Source periodic reports and authorize.net/resources/ ment’s commitment and support, as shown in Figure 10.10.
files/fdswhitepaper.pdf. The model views EC security (as well as the broader IT secu-
rity) as a combination of commitment and support, policies
and training, procedures and enforcement, and tools, all exe-
SECTION 10.7  REVIEW QUESTIONS cuted as a continuous process.

1 . Describe consumer protection measures.


2. Describe assurance services. EC Security Policies and Training
3. What must a seller do to protect itself against fraud? How?
4. Describe types of electronic signatures. Who is protected? An important security task is developing an organizational
Why? EC security policy, as well as procedures for specific security
5. Describe authentication. and EC activities such as access control and protecting cus-
tomer data. Customers should:

10.8 IMPLEMENTING ENTERPRISEWIDE


E-COMMERCE SECURITY • Know that data is being collected, and when it is
done.
Now that you have learned about both the threats and the • Give their permission for the data to be collected.
defenses, we can discuss some implementation issues starting • Have knowledge and some control over how the
with the reasons why it is difficult, or even impossible, to stop data is controlled and used.
computer crimes and the malfunction of information systems. • Be informed that the information collected is not to
be shared with other organizations.

The Drivers of EC Security Management


To protect against criminal use of social media, you can:
The explosive growth of EC and SC, together with an increase
in the ever-changing strategies of cybercriminals, combined
with regulatory requirements and demands by insurance • Develop policies and procedures to exploit opportu-
companies, drives the need for comprehensive EC security nities but provide customer protection.
management. Additional drivers are: • Educate employees and others about what is accept-
able and what is not acceptable.
• The laws and regulations with which organizations
must comply.
• The conduct of global EC. More protection is needed According to sans.org, cyberintelligence is an important
when doing business with a foreign country. defense tool.
• Information assets have become critical to the oper-
ation of many businesses.
• New and faster information technologies are shared
throughout organizations. Organizational collabora- EC Risk Analysis and Ethical Issues
tion is needed.
• The complexity of both the attacks and the defense EC security procedures require an evaluation of the digital
requires an organization-wide collaboration approach. and financial assets at risk—including cost and operational
considerations.
10.8 Implementing Enterprisewide E-Commerce Security 323

Senior Management Security Policies Security Procedures Security Tolls:


Commitment & Support & Training & Enforcement Hardware & Software

Figure 10.10  Enterprisewide EC security and privacy process

A related assessment is the business impact analysis. Shoppers’ Negligence


Business impact analysis (BIA) refers to an analysis of the
impact of losing the functionality of an EC activity (e.g., Many online shoppers are not taking the necessary (but incon-
e-procurement, e-ordering) to an organization. Once such venient) precautions to avoid becoming victims of identity
risks are computed, the organization should focus its defense theft or fraud.
strategy on the largest risks.
Ignoring EC Security Best Practices
Ethical Issues
Many companies do not have prudent IT security manage-
Implementing security programs raises several ethical issues. ment or employee security awareness. Many widespread
First, some people are against the monitoring of any indi- threats in the United States stem from the lack of user aware-
vidual’s activities. Imposing certain controls is seen by some ness of malware and hacking attacks.
as a violation of freedom of speech or other civil rights. A
survey by the Gartner Group found that even after the terror- Design and Architecture Issues
ist attacks of September 11, 2001, only 26% of Americans
approved a national ID database. Many even consider using It is well known that preventing vulnerability during the EC
biometrics to be a violation of privacy. design and pre-implementation stage is far less expensive
Handling the privacy versus security dilemma is diffi- than mitigating problems later; unfortunately, such preven-
cult. There are other ethical and legal obligations that may tion is not always made. Even minor design errors can
require companies to “invade the privacy” of employees and increase hacking.
monitor their actions. In particular, IT security measures are
needed to protect against loss, liability, and litigation. Lack of Due Care in Business Practices

Another reason for the difficulty is the lack of due care in


Why Is It Difficult to Stop Internet Crime? conducting many business processes (e.g., in crowdsourc-
ing). The standard of due care is the minimum and custom-
The following are the major reasons Internet crime is so ary practice that a company is reasonably expected to take to
­difficult to stop. protect the company and its resources from possible risks.
For a major survey see PWC (2013).

Making Shopping Inconvenient


 rotecting Mobile Devices, Networks,
P
Strong EC security may make online shopping inconvenient and Applications
and may slow shopping time as well. Therefore, shoppers may
not like some security measures. With the explosive growth of mobility and m-commerce comes
the task of protecting these systems from the security problems
Lack of Cooperation by Business Partners described earlier in this chapter and from some new ones.

There is a potential lack of cooperation from credit card issu- Mobile Security Issues
ers, suppliers, local and especially foreign ISPs, and other
business partners. If the source ISP would cooperate and sus- Typical security issues range from wireless transmissions not
pend the hacker’s access, it would be very difficult for hack- being encrypted, to lack of firewalls or passwords on mobile
ers to gain access to the systems. devices, or connecting to an unsecured WiFi network.
324 10  E-Commerce Security and Fraud Issues and Protections

Reisinger (2014) lists additional security issues such as policies and measures for EC sites need to address the
data theft and unlocked jailbreaking devices. The prolifera- insider threats. In addition, insiders can be victims of secu-
tion of BYOD also brings threat to the enterprise (see rity crimes. Therefore, companies should educate employ-
Westervelt 2013). ees, especially new hires, about such threats.
3 . What is the key to establishing strong e-commerce
The Defense security? Most discussions about security focus on tech-
nology, with statements like, “all messages should be
To defend mobile systems it is necessary to implement tools encrypted.” Although technologies are important, no secu-
and procedures such as those described in Section 10.6, and rity solution is useful unless it is adopted by the employ-
modify them for the mobile environment. A practical check- ees. Determining business requirements is the first step in
list for reducing security risks is offered by Lenovo (2013). creating a security solution. Business requirements, in
Finally, a major problem is the theft of mobile devices. Two turn, determine information requirements.
solutions are at work: First, automatic security that enables
only the owners to use their devices and, second, make a kill
switch a mandatory feature in all smartphones (scheduled SUMMARY
for 2015). In 2016, this feature was still only available in
California. In this chapter, you learned about the following EC issues as
they relate to the chapter’s learning objectives.

SECTION 10.8  REVIEW QUESTIONS 1. The importance and scope of EC information secu-
rity. For EC to succeed, it must be secure. Unfortunately,
1. If senior management is not committed to EC security, this is not an easy task due to many unintentional and
how might that impact the e-business? intentional hazards. Security incidents and breaches
2. What is a benefit of using the risk exposure method for interrupt EC transactions and increase the cost of doing
EC security planning? business online. Internet design is vulnerable, and the
3. Why should every company implement an acceptable use temptation to commit computer crime is increasing with
policy? the increased applications and volume of EC. Criminals
4. Why is training required? are expanding operations, creating an underground
5. List the major reasons why it is difficult to stop computer economy of valuable information that was stolen. A
crimes. strategy is needed to handle the costly defense technol-
ogy and operation, which includes training, education,
project management, and the ability to enforce security
MANAGERIAL ISSUES policy. EC security will remain an evolving discipline
because threats are changing continuously. Therefore,
Some managerial issues related to this chapter are as e-business needs to adapt. An EC security strategy is
follows. needed to optimize EC security programs for efficiency
and effectiveness.
1. What steps should businesses follow in establishing a 2. Basic EC security issues. The security issue can be
security plan? Security management is an ongoing pro- viewed as a battleground between attackers and attacks
cess involving three phases: asset identification, risk and defenders and defense. There are many variations on
assessment, and implementation. By actively monitoring both sides and many possible collision scenarios. Owners
existing security policies and procedures, companies can of EC sites need to be concerned with multiple security
determine which of them are successful or unsuccessful issues: authentication, verifying the identity of the par-
and, in turn, which should be modified or eliminated. ticipants in a transaction; authorization, ensuring that a
However, it also is important to monitor changes in busi- person or process has access rights to particular systems
ness processes and business environments and adjust the or data; and auditing, being able to determine whether
plans accordingly. In this way, an organization can keep particular actions have been taken and by whom.
its security policies and measures up-to-date. 3. Threats, vulnerabilities, and technical attacks. EC
2. Should organizations be concerned with internal secu- sites are exposed to a wide range of attacks. Attacks may
rity threats? Except for malware, breaches committed by be nontechnical (social engineering), in which a crimi-
insiders may be much more frequent than those done by nal lures people into revealing sensitive personal infor-
outsiders. This is true for both B2C and B2B sites. Security mation. Alternatively, attacks may be technical, whereby
Summary 325

software and systems expertise are used to attack net- 8. Fraud on the Internet and how to protect consumers
works, databases, or programs. DoS attacks bring opera- and sellers against it. Protection is needed because
tions to a halt by sending a flood of data to target specific there is no face-to-face contact between buyers and sell-
computers and websites. Malicious code attacks include ers; there is a great possibility of fraud; there are insuf-
viruses, worms, Trojan horses, or some combination of ficient legal constraints; and new issues and scams
these. Over the past few years, new malware trends have appear constantly. Several organizations, private and
emerged, such as Blackhole and ZeroAccess (see Wang public, attempt to provide the protection needed to build
2013). The new trends include an increase in the speed the trust that is essential for the success of widespread
and volume of new attack methods; and the shorter time EC. Of note are electronic contracts (including digital
between the discovery of a vulnerability and the release signatures), the control of gambling, and what taxes
of an attack (to exploit the vulnerability). Finally, the should be paid to whom on interstate, intrastate, and
new trends include the growing use of bots to launch international transactions. The practice of no sales tax
attacks; an increase in attacks on mobile systems, social on the Internet is changing. States are starting to collect
networks, and Web applications; and a shift to profit-­ sales tax on Internet transactions.
motivated attacks. Many procedures are used to protect consumers. In
4. Internet fraud, phishing, and spam. A large variety of addition to legislation, the FTC tries to educate consum-
Internet crimes exist. Notable are identify theft and mis- ers so they know the major scams. The use of seals on
use, stock market frauds, get-rich-quick scams, and sites (such as TRUSTe) can help, as well as tips and
phishing. Phishing attempts to obtain valuable informa- measures taken by vendors. Sellers can be cheated by
tion from people by masquerading as a trustworthy buyers, by other sellers, or by criminals. Protective mea-
entity. Personal information is extracted from people (or sures include using contacts and encryption (PKI) keep-
stolen) and sold to criminals, who use it to commit ing databases of past criminals, sharing information
financial crimes such as transferring money to their own with other sellers, educating employees, and using arti-
accounts. A related area is the use of unsolicited adver- ficial intelligence software.
tising or sales via spam. Given the large number of ways to commit Internet
5. Information assurance. The information assurance model fraud, it is difficult to protect against all of them. Fraud
represents a process for managing the protection of data protection is done by companies, security vendors, govern-
and computer systems by ensuring their confidentiality, ment regulations, and perhaps most important, ­consumer
integrity, and availability. Confidentiality is the assurance education. Knowing the most common methods used by
of data privacy. Integrity is the assurance that data is accu- criminals is the first step of defense. Remember, most
rate or that a message has not been altered. Availability is criminals are very experienced. They are able to invest
the assurance that access to data, the website, or EC sys- in new and clever attack methods.
tems and applications is available, reliable, and restricted 9. Enterprisewide EC security. EC security procedures are
to authorized users whenever they need it. inconvenient, expensive, tedious, and never ending.
6. Securing EC access control and communications. In Implementing a defensive in-depth model that views EC
EC, issues of communication among trading partners security as a combination of commitment, people, pro-
are paramount. In many cases, EC partners do not know cesses, and technology is essential. An effective program
their counterparts, so they need secured communication starts with senior management’s commitment and budget-
and trust building. Trust starts with the authentication of ing support. This sets the tone that EC security is impor-
the parties involved in a transaction; that is, identifying tant to the organization. Other components are security
the parties in a transaction along with the actions they policies and training. Security procedures must be clearly
are authorized to perform. Authentication can be estab- defined. Positive incentives for compliance can help, and
lished with something one knows (e.g., a password), negative consequences need to be enforced for violations.
something one has (e.g., an entry card), or some physical The last stage is the deployment of hardware and soft-
characteristic (e.g., a fingerprint). Biometric systems can ware tools based on the policies and procedures defined
confirm a person’s identity. Fingerprint scanners, iris scan- by the management team.
ners, facial recognition, and voice recognition are exam- 10. Why is it so difficult to stop computer crimes? Respon-
ples of biometric systems. sibility or blame for cybercrimes can be placed on crimi-
7. The different controls and special defense mechanisms. nals, victimized people, and organizations. Online shoppers
The major controls are general (including physical, access fail to take necessary precautions to avoid becoming vic-
controls, biometrics, administrative controls, application tims. Security system designs and architectures are still
controls, and internal controls for security and compli- incredibly vulnerable. Organizations may fail to exercise
ance). Each type has several variations. due care in business or hiring and practices, opening the
326 10  E-Commerce Security and Fraud Issues and Protections

doors to security attacks. Every EC business knows that Fraud


there are threats of stolen credit cards, data breaches, General controls
phishing, malware, and viruses that never end—and that Hacker
these threats must be addressed comprehensively and Identity theft
strategically. Information assurance (IA)
1 1. The future of EC. EC is growing steadily and rapidly, Information security
expanding to include new products, services, business Integrity
models, and countries. The most notable areas of growth Internet underground economy
are the integration of online and offline commerce, mobile Intrusion detection system (IDS)
commerce (mostly due to smartphone apps), video-based Key (key value)
marketing, and social media and networks. Several emerg- Keystroke logging (keylogging)
ing technologies, ranging from intelligent applications to Macro virus (macro worm)
wearable devices, are facilitating the growth of EC. On the Malware (malicious software)
other hand, several factors are slowing down the spread of Nonrepudiation
EC such as security and privacy concerns, limited band- Penetration test (pen test)
width, and lack of standards in some areas of EC. Phishing
Plaintext
Prevention measures
KEY TERMS Private key
Public key
Access control Public (asymmetric) key encryption
Application controls Public key infrastructure (PKI)
Authentication Risk
Authorization Search engine spam
Availability Social engineering
Banking Trojan Spam
Biometric authentication Spam site
Biometric systems Splog
Botnet Spyware
Business continuity plan Standard of due care
Business impact analysis (BIA) Symmetric (private) key encryption
Certificate authorities (CAs) Trojan horse
CIA security triad (CIA triad) Virtual private network (VPN)
Ciphertext Virus
Computer Fraud and Abuse Act (CFAA) Vulnerability
Confidentiality Vulnerability assessment
Cracker Worm
Cybercrime Zombies
Cybercriminal
Darknet
Data breach DISCUSSION QUESTIONS
Denial-of-service (DoS) attack
Detection measures 1. Consider how a hacker might trick people into divulging
Deterrent methods their user IDs and passwords to their Amazon.com
Digital signature accounts. What are some of the specific ways that a
EC security strategy hacker might accomplish this? What crimes can be per-
Electronic signature formed with such information?
E-mail spam 2. B2C EC sites and social networks continue to experi-
Encryption ence DoS and DDoS attacks. How are these attacks exe-
Encryption algorithm cuted? Why is it so difficult to safeguard against them?
Exposure What are some of the things a site can do to mitigate
Firewall such attacks?
Team Assignments and Projects 327

3. How are botnets, identity theft, DoS attacks, and website 10. Discuss the recent security trends pointed out by Lemos
hijackings perpetrated? Why are they so dangerous to (2016).
e-commerce? 11. Examine the identity theft and identity crime topics

4. Discuss some of the difficulties of eliminating online from the FBI site fbi.gov/about-us/investigate/cyber/
financial fraud. identity_theft. Report the highlights.
5. Enter zvetcobiometrics.com. Discuss the benefits of
these products over other biometrics.
6. Find information about the Zeus Trojan virus. Discuss
INTERNET EXERCISES
why it is so effective at stealing financial data. Why is it
so difficult to protect against this Trojan?
1. Your B2C site has been hacked with a new, innovative
7. Visit the National Vulnerability Database (nvd.nist.gov)
method. List two organizations where you would report
and review 5 recent CVE vulnerabilities. For each vul-
this incident so that they can alert other sites. How do
nerability list its published date, CVSS severity, impact
you do this and what type of information do you have to
type, and the operating system or software with the
provide?
vulnerability.
2. Determine the IP address of your computer by visiting at
8. Report on the status of using biometrics in mobile com-
least two websites that provide that feature. You can use
merce. (Start nxt-id.com.)
a search engine to locate websites or visit ip-adress.com
9. Find several definitions of “information warfare” and
or whatismyipaddress.com. What other information
discuss the major attributes of the definitions.
does the search reveal about your connections? Based on
10. What contribution does TRUSTe make to e-commerce?
this finding, how could a hacker use that information?
3. Conduct a Google search for “Institutional Identity
Theft.” Compare institutional identity theft with per-
 OPICS FOR CLASS DISCUSSION
T sonal identity theft. How can a company protect itself
AND DEBATES against identity theft? Write a report.
4. The Symantec Annual Internet Security Threat Report
1. A business wants to share its customer data with a trad-
provides details about the trends in attacks and vulnera-
ing partner and provide its business customers with
bilities in Internet security. Obtain a copy of the latest
access to marketing data. What types of security compo-
report and summarize the major findings of the report
nents (e.g., firewalls, VPNs) could be used to ensure that
for both attacks and vulnerabilities.
the partners and customers have access to the account
5. Conduct a Google search for examples of underground
information while those who are unauthorized do not?
Internet activities in 5 different countries. Prepare a
What types of network administrative procedures will
summary.
provide the appropriate security?
6. Enter verisign.com (a Symantec company) and find
2. Why is it so difficult to fight computer criminals? What
information about PKI and encryption. Write a report.
strategies can be implemented by financial institutions,
7. Enter hijackthis.com. What is offered in the site? Write
airlines, and other heavy users of EC?
a report.
3. All EC sites share common security threats and vulner-
8. Enter blackhat.com. Find out what the site is about.
abilities. Do you think that B2C websites face different
Describe some of the site’s activities.
threats and vulnerabilities than do B2B sites? Explain.
9. Enter ftc.gov and identify some of the typical types of
4. Why is phishing so difficult to control? What can be
fraud and scams on the Internet. List 10 of them.
done? Discuss.
10. Enter scambusters.org and identify and list its anti-­
5. Debate this statement: “The best strategy is to invest very
fraud and anti-scam activities.
little and only in proven technologies such as encryption
and firewalls.”
6. Debate: Can the underground Internet marketplace be
controlled? Why or why not? TEAM ASSIGNMENTS AND PROJECTS
7. Debate: Is taking your fingerprints or other biometrics to
assure EC security a violation of your privacy? 1. Assignment for the Opening Case
8. Body scans at airports have created controversy. Debate Read the opening case and answer the following ques-
both points of this issue and relate it to EC security. tions:
9. Discuss the issue of providing credit card details on (a) Why did the college have security problems? What
Facebook. Would you do it? types of problems?
328 10  E-Commerce Security and Fraud Issues and Protections

(b) What is the security problem concerning social media user. The overseas user tries to convince the customer to
applications? wire funds, share bank account information, and open
(c) Why was the automation (agent-based) solution unsuc- joint accounts.
cessful? • Letters, postal service, or e-mail. A bank customer is
(d) Why were the computer-use policies ineffective? notified by an e-mail that he or she has won a large amount
(e) What was the problem with the bandwidth? of money (e.g., a sweepstakes). Hackers ask for some pro-
(f) Describe the new security policy. Why does it work? cessing money to release the prize money to the customer.
(g) Discuss the issue of privacy as it applies to this case. • Telephone scams. A customer is asked to provide per-
2. Assign teams to report on the latest major spam and scam sonal information from a government check and receives
threats. Look at examples provided by ftc.gov, the latest repeated telephone calls, each asking for different per-
Symantec report on the State of Spam, and white papers sonal information (e.g., Social Security Number). Phone
from IBM, VeriSign, McAfee, and other security firms. scams usually target elderly customers and depend on the
3. Watch the video “Cyberattacks and Extortion” (13:55 min) social engineer’s ability to develop a rapport with the
at searchsecurity.techtarget.com/video/Cyberattacks-­ customer.
and-­extortion. Answer the following questions: • Cell phone scams. A customer is told that his or her debit
(a) Why are there more extortions online today? How are card has been compromised and the customer is asked to
they accomplished? provide card details for replacement.
(b) What is involved in targeted e-mail attacks?
(c) What is an SQL injection attack? The bank now provides information about social engi-
4. Data leaks can be a major problem. Find some major neering schemes on its website (see bankwest-sd.com/etc.
defense methods. Check some major security vendors htm). Employees direct customers to the site and provide
(e.g., Symantec). Find white papers and Webinars on the information about fraudulent schemes when the customers
subject. Write a report. come into a branch. The bank also instituted an “Employee
5. Each team is assigned one method of fighting against online Rewards Program” (to be described later).
fraud. Each method should involve a different type of fraud It is critical to combat social engineering attempts in
(e.g., in banking). Identify suspicious e-mails, dealing with order to increase customer confidence in Internet security.
cookies in Web browsers, credit card protection, securing According to Kitten (2010), “the bank’s information security
wireless networks, installing anti-phishing protection for team regularly attend workshops and participate in forums
your browser with a phishing filter, and so forth. related to social engineering and other fraud schemes. The
information collected is immediately shared with the staff in
order to keep the entire bank team abreast of new and emerg-
 LOSING CASE: HOW ONE BANK STOPPED
C ing fraud threats. All staff members also are required to com-
SCAMS, SPAMS, AND CYBERCRIMINALS plete online training in scheme detection that is designed by
the bank.”
Some say that as many as 90% of phishers are targeting Also according to Kitten (2010), the training program
financial institutions. Let us see how one bank is protecting includes:
its customers.
• Ability to identify phone scams, especially automated ones
(e.g., vishing attempts) that lure customers into divulging
BankWest of South Dakota (bankwest-sd.com) sensitive information.
• Ability to identify phishing e-mails and use caution when
As a privately owned entity, a bank can disregard short-term clicking on links or opening file attachments.
profit. Instead, a bank provides the utmost in customer care • Conduct monthly training and employee-oriented dem-
and employee educational programs. However, one problem onstrations on face-to-face personal social engineering
is challenging: the increasing number of incidents of social schemes.
engineering experienced by customers. A few examples of
scams that were noticed by the BankWest staff reported by Employee Rewards
Kitten (2010) are:
Employees who identify scams are rewarded with certifi-
• Sweetheart schemes. There may be long-term online cates and small monetary rewards; their manager is notified
relationship between a bank’s customer and an overseas and employees can take pride in the acknowledgement.
References 329

The Results Cluley, G. “Phishing and Diet Spam Attacks Hit Twitter Users.” Cluley
Associates Limited, January 9, 2014. grahamcluley.com/2014/01/
phishing-diet-spam-attacks-hit-twitter-users (accessed April 2016).
According to the bank’s information security administrator, Constantin, L. “Identity Thieves Obtain 100,000 Electronic Filing PINs
although the number of schemes has not decreased, the num- from IRS System.” IDG News Service, February 10, 2016.
ber of employees reporting such schemes has increased CyberSource. 14th Annual 2013 Online Fraud Report, CyberSource
significantly. Corporation (2013).
Dawn Ontario. “Virus Information: Guide to Computer Viruses.” n.d.
To read BankWest’s tips on how to protect yourself Dog Breed Info Center. “Examples of Scam E-Mails.” n.d. dogbreed-
against identity theft, phishing, and so forth, see bankwest- info.com/internetfraud/scamemailexamples.htm (accessed April
­sd.com/etc.htm. 2016).
Sources: Based on Kitten (2010) and BankWest (2016). EMC/RSA. “2013 A Year in Review.” Report # JAN RPT 0114, January
2014. emc.com/collateral/fraud-report/rsa-online-fraud-­report-
012014.pdf (accessed April 2016).
Questions Fink, E. “Google Glass Wearers Can Steal Your Password.” CNN News,
1. List the major security problems faced by BankWest and July7,2014.money.cnn.com/2014/07/07/technology/security/google-
glass-password-hack (accessed May 2016).
relate them to the attack methods described in Sections Finkle, J. “‘Pony’ Botnet Steals Bitcoins, Digital Currencies:
10.2, 10.3, and 10.4. Trustwave.” Reuters.com US Edition, February 24, 2014. reuters.
2. In what ways is BankWest helping to stop scams before com/article/2014/02/24/us-bitcoin-security-­i dUSBREA1N1
they cause damage? JO20140224 (accessed April 2016).
Forrest, C. “Phishing Gets More Dangerous: New Report Analyzes the
3. Given the problems of BankWest and its solutions, can Weapons of Choice.” TechRepublic, January 27, 2016.
you suggest an even better defense mechanism? Frenkel, K. A. “2016 Has the Markings of a Perfect Storm for Fraud.”
CIO Insight, January 28, 2016.
Goldman, D. “Hacker Hits on U.S. Power and Nuclear Targets Spiked
in 2012.” January 9, 2013. money.cnn.com/2013/01/09/technol-
ONLINE FILES ogy/security/infrastructure-cyberattacks (accessed April 2016).
Goldman, J. “Data Breach Roundup: January 2014.” February 14,
Available at ecommerce-introduction-textbook.com 2014a.esecurityplanet.com/network-security/data-breach-­roundup-
january-2014.html (accessed April 2016).
W10.1 Application Case: How Seattle’s Hospital Survived a Goldman, D. “Take Down Any Website for $3.” CNN News, December
Bot Attack. 31, 2014b. money.cnn.com/2014/12/31/technology/lizard-squad-­
attack (accessed April 2016).
Goodchild, J. “Policy-Based Security and Access Control.” April 5,
2011. csoonline.com/article/2128022/mobile-security/case-stud-
References -olicy-based-security-and-access-control.html (accessed April
2016).
Alto, P. “Infographic: The Real Cost of Cyberattacks.” Enterprise Goodman, M. Future Crimes: Inside the Digital Underground and the
Innovation, March 21, 2016. Battle for our Connected World. New York: Anchor Reprint, 2016.
Andress, J. The Basics of Information Security, Second Edition: Greengard, S. “Breaches of Health Care Data: A Growing Epidemic.”
Understanding the Fundamentals of InfoSec in Theory and Practice. Baseline, February 12, 2016.
Rockham, MA: Syngress Pub., 2014. Harrison, V., and J. Pagliery. “Nearly 1 Million New Malware Threats
Apps, P., and J. Finkle. “Suspected Russian Spyware Turla Targets Released Everyday.” CNN News, April 14, 2015.
Europe, United States.” Reuters.com U.S. Edition, March 7, 2014. Harwood, M. Internet Security: How to Defend Against Attackers on
reuters.com/article/2014/03/07/us-russia-cyberespionage-­ the Web (Jones & Bartlett Learning Information Systems Security &
insight-idUSBREA260YI20140307 (accessed April 2016). Assurance), 2nd edition. Burlington, MA: John Bartlett Learning,
BankWest. “About Us.” bankwest-sd.com/about.htm (accessed April 2015.
2016). Hinckley, S. “Pay by Selfie? Amazon Says Your Portrait Can Protect
Bort, J. “For the First Time, Hackers Have Used a Refrigerator to Attack Online Purchases.” CSMonitor, March 15, 2016.
Businesses.” Business Insider, January 16, 2014. Horowitz, D., and A. Horowitz. “Online Merchandise Scams Target
Cannell, J. “Cryptolocker Ransomware: What You Need to Know.” Students.” The Costco Connection, December 2015.
October 8, 2013. blog.malwarebytes.org/intelligence/2013/10/ Jennings, R. “This Hollywood Hospital Didn’t Backup Its Data?
cryptolocker-ransom (accessed April 2016). “Ransomware” Payday for Evil Hackers.” Computerworld, February
Casti, T. “Phishing Scam Targeting Netflix May Trick You With Phony 18, 2016.
Customer Service Reps.” The Huffington Post Tech, March 3, 2014a. John, A. Internet Security. Publisher: Self-Publishing, 2016.
huffingtonpost.com/2014/03/03/netflix-phishing-scam-­ Jones, M. “Facebook Tests Tool that Identifies Fake Accounts.” Value
customer-support_n_4892048.html (accessed April 2016). Walk, March 24, 2016.
Casti, T. “Scammers are Targeting Netflix Users Again, Preying on Kaiser, T. “Hackers Use Refrigerator, Other Devices to Send 750,000
the Most Trusting among Us.” The Huffington Post Tech, April 17, Spam Emails.” January 17, 2014. dailytech.com/Hackers+Use+Re
2014b. huffingtonpost.com/2014/04/17/netflix-comcast-­phishing- frigerator+Other+Devices+to+Send+750000+Spam+Emails+/
­_n_5161680.html (accessed April 2016). article34161.htm (accessed April 2016).
Cloud, J. Internet Security: Online Protection from Computer Hacking. Kan, M. “Alibaba Uses Facial Recognition Tech for Online Payments.”
North Charleston, USA: CreateSpace Publishing Platform, 2015. Computer World, March 16, 2015.
330 10  E-Commerce Security and Fraud Issues and Protections

Katz, O. “Analyzing a Malicious Botnet Attack Campaign through the Scott, W. Information Security 249 Success Secrets- 249 Most Asked
Security Big Data Prism.” January 6, 2014. blogs.akamai. Questions on Information Security- What You Need to Know.
com/2014/01/analyzing-a-malicious-botnet-attack-campaign- Brisbane, Queensland, Australia: Emereo Publishing, 2014.
through-the-security-big-data-prism.html (accessed April 2016). Singer, P. W., and A. Friedman. Cybersecurity and Cyberwar: What
Kavilanz, P. “Cyberattacks Devastated My Business!” (Last updated Everyone Needs to Know. 1st Edition, New York: Oxford University
May 28, 2013). money.cnn.com/gallery/smallbusiness/2013/05/28/ Press, 2014.
cybercrime/index.html?iid=Lead (accessed April 2016). Smith, C. “It Turns Out Target Could Have Easily Prevented Its Massive
Kitten, T. “Case Study: How to Stop Scams.” July 14, 2010. bankinfos- Security Breach.” March 13, 2014. bgr.com/2014/03/13/target-­
ecurity.com/case-study-how-to-stop-scams-a-2748 (accessed data-­hack-how-it-happened (accessed April 2016).
April 2016). Smith, R. Elementary Information Security, 2nd edition. Burlington,
Kravets, D. “How China’s Army Hacked America.” May 19, 2014 MA: Jones Bartlett, 2015.
arstechnica.com/tech-policy/2014/05/how-chinas-army-hacked- SUNY College at Old Westbury. “Website Privacy Policy Statement.”
american-­companies (accessed June 2014). 2014. oldwestbury.edu/policies/website-privacy-policy-­statement
Lawinski, J. “Security Slideshow: Malicious Attacks Skyrocket as (accessed May 2016).
Hackers Explore New Targets.” CIO Insight, May 7, 2012. Swann, C. T. Marlins Cry a Phishing Story. Spokane, WA: Cutting
Lemos, R. “Phishing Attacks Continue to Sneak Past Defenses.” eWeek, Edge Communications, Inc., 2012.
February 11, 2016. Symantec. “Infographic: The State of Financial Trojans 2013.” Updated
Lenovo. “Lenovo Recommends 15 Steps to Reducing Security Risks in January 8, 2014. symantec.com/connect/blogs/state-financial-­
Enterprise Mobility.” White Paper, August 2013. Available for trojans-2013 (accessed April 2016).
download in.pdf format at techrepublic.com/resource-library/ Symantec. “Web-Based Attacks.” White paper, #20016955, February
whitepapers/lenovo-recommends-15-steps-to-reducing- 2009. symantec.com/content/en/us/enterprise/media/security_
security-­risks-in-enterprise-mobility/post (accessed April 2016). response/whitepapers/web_based_attacks_02-2009.pdf
Maxwell, D. Hacking: Bootcamp—How to Hack Computers, Basic (accessed April 2016).
Security and Penetration Testing (Hacking The Common Core). TechRepublic Staff. “The 15 Most Frightening Data Breaches.”
[Kindle Edition] Seattle, WA: Amazon Digital Services, 2016. TechRepublic, October 29, 2015.
Nakashima, E., and M. Zapotosky. “U.S. Charges Iran-Linked Hackers Teo, F. “Monitoring Your Internal Network with Intelligent Firewalls.”
with Targeting Banks, N.Y. Dam.” The Washington Post, March 24, Enterprise Innovation, January 18, 2016.
2016. Timberg, C. “Foreign Regimes Use Spyware against Journalists, Even
Pagliery, J. “Drug Site Silk Road Wiped Out by Bitcoin Glitch.” CNN in U.S.” February 12, 2014. washingtonpost.com/business/tech-
Money, February 14, 2014a. money.cnn.com/2014/02/14/technol- nology/foreign-regimes-use-spyware-against-journalists-even-­
ogy/security/silk-road-bitcoin (accessed April 2016). in-­us/2014/02/12/9501a20e-9043-11e3-84e1-27626c5ef5fb_story.
Pagliery, J. “Your Car Is a Giant Computer- and It Can Be Hacked.” html (accessed April 2016).
CNN Money, June 2, 2014b. Troinovski, A. “German Parliament Struggles to Purge Hackers from
Pontrioli, S. “Social Engineering, Hacking the Human OS.” December Computer Network.” The Wall Street Journal, June 12, 2015.
20, 2013. blog.kaspersky.com/social-engineering-hacking-the- Van Allen, F. “The 18 Scariest Computer Viruses of All Time.”
human-­os (accessed April 2016). TechRepublic, January 22, 2016.
PWC. “Key Findings from the 2013 US State of Cybercrime Survey.” Victor, D. “Authorities Shut Down Darkode, a Marketplace for Stolen
June 2013. pwc.com/en_US/us/increasing-it-effectiveness/publi- Personal Data.” New York Times, July 15, 2015.
cations/assets/us-state-of-cybercrime.pdf (accessed April 2016). Wagstaff, K. “Why Is the U.S. Going After Chinese Hackers? Jobs?”
Reisinger, D. “10 Mobile Security Issues that Should Worry You.” NBC News, May 19, 2014.
eWeek, February 11, 2014. Wang, R. “Malware B-Z: Inside the Threat from Blackhole to Zero
Reuters. “Malware Suspected in Bangladesh Bank Heist.” Fortune.com, Access.” A Sophos White Paper, Sophos Ltd., January 2013.
March 12, 2016. fortune.com/2016/03/12/malware-bangladesh-­ sophos.com/en-us/medialibrary/Gated%20Assets/white%20
bank-heist (accessed April 2016). papers/sophos_from_blackhole_to_zeroaccess_wpna.pdf
Russell, K. “Here’s How to Protect Yourself from the Massive Security (accessed April 2016).
Flaw That’s Taken over the Internet.” Business Insider, April 8, 2014. Westervelt, R. “Top 10 BYOD Risks Facing the Enterprise.” July 26,
Schwartz, M. J. “Target Breach: Phishing Attack Implicated.” 2013. crn.com/slide-shows/security/240157796/top-10-byod-­risks-
Information Week Dark Reading, February 13, 2014. darkreading. facing-the-enterprise.htm (accessed April 2016).
com/attacks-and-breaches/target-breach-phishing-attack- Winton, R. “Hollywood Hospital Pays $17,000 in Bitcoin to Hackers:
implicated/d/d-id/1113829 (accessed April 2016). FBI Investigation.” Los Angeles Times, February 18, 2016.
Scott, J. Cybersecurity 101: What You Absolutely Must Know!- Volume Wollen, J. “10 Social Engineering Exploits Your Users Should Be
1: Learn to be Pwned, Thwart Spear Phishing and Zero Day Aware Of.” TechRepublic, January 27, 2016.
Exploits, Cloud Security Basics and Much More. [Kindle Edition] Yan, S. “Chinese Man Admits to Cyber Spying on Boeing and Other
Seattle, WA: Amazon Digital Services, 2016a. U.S. Firms.” Money CNN News, March 24, 2016.
Scott, J. Cybersecurity 101: What You Absolutely Must Know!- Volume Yadron, D. “Newest Hacker Target: Ads.” The Wall Street Journal
2: Learn JavaScript Threat Basics, USB Attacks, Easy Steps to Tech, January 31, 2014. online.wsj.com/news/articles/SB1000142
Strong Cybersecurity, Defense Against Cookie Vulnerabilities, and 4052702303743604579350654103483462 (accessed April 2016).
Much More! [Kindle Edition] Seattle, WA: Amazon Digital
Services, 2016b.

You might also like