E-COMMERCE SECURITY THREATS
Electronic commerce is concerned with distributing, buying, selling, marketing and servicing products and services through electronic communication systems like the Internet, extranets, e-books, e-mails, mobile phones, databases, and other computer systems. Since Internet security is a critical facet of e-commerce, and consumers who shop online need to be reassured that their transactions are secure and their credit information is safe, this essay sets out to point out the security threats of e-commerce.
Business to Consumer e-commerce (B2C e-commerce) involves at least four main points that can be threatened by a hacker. These are: the online consumer, the consumer’s computer, the network connection between the consumer and the server of the merchant’s Web site, and the server of the merchant’s Web site itself. Security threats are possible security attacks against a B2C e-commerce system that can undermine its availability, integrity and confidentiality. Availability refers to authorized users being able to access the resources of an e-commerce system; integrity implies the absence of modification of data while it flows from the sender to the receiver; and confidentiality implies that only the authorized people involved in an e-commerce transaction can read protected information.
Security threats against the online consumer
The possible attacks by a hacker can aim at tricking an online consumer into believing that the hacker is the merchant the consumer was looking for. To achieve this goal, a hacker can use social engineering techniques that involve observing the online consumer’s behavior and collecting information to use against that consumer.
In his article “Social engineering: 3 examples of human hacking”, posted on http://www.csoonline.com/article/663329/social-engineering-3-examples-of-human-hacking, accessed on July 25, 2011 at 7:00 p.m. GMT, Joan Goodchild highlights the remarkable talents of a social engineering expert named Chris Hadnagy, who was hired as a social engineering auditor to access the servers of a printing company that had many competitors. Even though the Chief Executive Officer of that company stated at the outset that hacking him would hardly be possible, Hadnagy managed to achieve his objective by using subtle tactics that can also be used by hackers against an online consumer.
First of all, Hadnagy collected information so as to find out where the servers were located, IP and e-mail addresses, mail servers, physical addresses, the names and job titles of employees, etc. He also learned that the CEO had a family member who had battled cancer and survived, and that, because of this, the CEO was committed to cancer fundraising and research. Via Facebook, he got other personal information about the CEO, like his favorite restaurant and sports team. With all that information, he contacted the CEO, presenting himself as a fundraiser from a cancer charity organization the CEO had had relations with in the past. Hadnagy told him that they were planning a prize drawing in exchange for donations, with the prizes including tickets to a game played by his beloved sports team as well as gift certificates to a great many restaurants, including his favorite spot. Hadnagy then proposed to send the CEO a PDF with more details on the fund drive; the CEO agreed and even disclosed to Hadnagy which version of Adobe Reader he was using, simply because Hadnagy told him he wanted to make sure he was sending a PDF document the CEO could read. Soon after, Hadnagy sent the PDF and the CEO opened it, which installed a shell that gave Hadnagy access to his machine. Thus, the PDF played the role of the Trojan Horse the Greeks used as a stratagem to finally enter the city of Troy.
Likewise, once a hacker has gathered basic information about a given online consumer, he/she can call that consumer pretending to be a representative of a site the consumer has visited (a merchant’s website). In this way the hacker obtains information that lets him/her pose as the online consumer: he/she then provides the stolen personal information to a customer service representative at the merchant’s website and asks customer service to reset the password to a specific value, which helps the hacker achieve his/her dishonest objectives.
Another way an online consumer can be attacked through social engineering is through phishing schemes, whereby a hacker plays on the names of famous merchants’ websites in order to collect authentication and registration information. For example, the legitimate site http://www.toshibadirect.com/td/b2c/home.to is mimicked by the hacker, who registers http://www.tozhibadirect.com/td/b2c/home.to. An online consumer who mistypes the address enters the forged site and provides confidential information; the attacker can also send e-mails that look as if they came from the legitimate site, with the link inside the e-mail mapping to the forged site that collects the needed information.
A hacker can also impersonate a legitimate merchant’s website by sending e-mails to online consumers, leading them to think that those e-mails come from a legitimate online merchant asking them to go to a specific website (a rogue website) to update their account information.
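The lookalike-domain trick just described can be caught mechanically on the defender’s side. The following Python script is an added example, not part of the original essay, showing how an e-mail security filter might extract the links in a message and flag domains that sit within a small edit distance of a known merchant domain. The allow-list of legitimate domains, the sample e-mail, and the two-label approximation of the registrable domain are all constructed assumptions for illustration; a production filter would use a public-suffix list and a far larger brand list.

```python
"""Flag lookalike (typosquatted) merchant domains in the links of an e-mail.

Added example, not from the original essay. The brand list, the sample e-mail
and the helper names below are constructed for illustration.
"""
from __future__ import annotations

import re
from urllib.parse import urlparse

# Constructed allow-list of legitimate merchant domains (assumption: the
# defender maintains such a list for the brands its users transact with).
LEGITIMATE_DOMAINS = {"toshibadirect.com", "example-shop.com"}

# Matches http(s) URLs up to the first whitespace or quoting character.
URL_RE = re.compile(r"https?://[^\s<>'\"]+", re.IGNORECASE)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain.

    Assumption: no public-suffix list is available offline. Real deployments
    should consult one so that e.g. 'shop.co.uk' is handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_domain(domain: str, max_distance: int = 2) -> str:
    """Return 'legitimate', 'lookalike' or 'unknown' for a registrable domain."""
    if domain in LEGITIMATE_DOMAINS:
        return "legitimate"
    # A domain that is only one or two edits away from a brand we know is the
    # classic typosquat pattern (e.g. toshibadirect -> tozhibadirect).
    for good in LEGITIMATE_DOMAINS:
        if levenshtein(domain, good) <= max_distance:
            return "lookalike"
    return "unknown"


def scan_email_links(body: str) -> list[tuple[str, str]]:
    """Extract every http(s) URL from an e-mail body and classify its domain."""
    results = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        domain = registrable_domain(host)
        results.append((domain, classify_domain(domain)))
    return results


# Constructed sample phishing e-mail modelled on the essay's example.
SAMPLE_EMAIL = """Dear customer,
Please confirm your order at http://www.tozhibadirect.com/td/b2c/home.to
For help visit http://www.toshibadirect.com/td/b2c/home.to
Unsubscribe: https://mailer.unrelated-service.net/u/123
"""

if __name__ == "__main__":
    for domain, verdict in scan_email_links(SAMPLE_EMAIL):
        print(f"{domain:30} {verdict}")
```

Run as a script, it reports the tozhibadirect.com link as a lookalike, the genuine toshibadirect.com link as legitimate, and the unrelated mailer domain as unknown. The edit-distance threshold is deliberately small: widening it catches more squats but also starts flagging unrelated short domains, so a filter would normally combine this check with other signals (message age of the domain, mismatch between link text and link target) before quarantining a message.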
Thus, in order to reassure online consumers, governments and online merchants need to sensitize and educate online consumers about possible phishing schemes and other social engineering attacks.