Study Of Attacks On E Commerce Systems Computer Science Essay Example

  • Pages: 11 (2788 words)
  • Published: August 4, 2018
  • Type: Case Study

Electronic commerce services, also known as e-commerce, have gained popularity in the Internet and Web environment. This has resulted in cost reduction for businesses and benefits for consumers. According to Forrester Research, online retail sales in the United States exceeded $100 billion in 2003.

As the use of Information Technology and the internet continues to grow, there is an increasing demand for secure information and online services. Given the public nature of the internet, it is possible for all online transactions to be monitored and stored in different places. Hence, businesses need to comprehend the security threats and vulnerabilities they may encounter. The prosperity of e-commerce greatly depends on network security. This article will examine the security threats and vulnerabilities associated with e-commerce security.

Keywords: e-Commerce security, threats, vulnerability, attacks

Introduction

The advancements in the Internet have revolutionized how people perceive and utilize it. As Internet usage expands, it becomes increasingly targeted by attacks, resulting in a rise in security risks [1]. Both private and public organizations now prioritize computer and e-commerce security more than ever before as any attack can greatly impact e-commerce businesses [5]. The Internet and Web environment provide opportunities for companies but also come with numerous security threats and vulnerabilities.

The internet's affordability and wide accessibility have led to a significant transformation in e-commerce [1]. As a result, there is now a greater demand for security measures due to an increase in online scams and fraudulent activities, as shown in Figure 1. Despite substantial investments and efforts to establish secure networks, the risk of security breaches always exists [5]. According to the IC3 2007 annual report, reported fraud incidents resulted in total monetary losses of $239.09 million [3]. Most of these fraudulent acts took place on the internet or similar online platforms.

The concern and obstacle of security in e-commerce continue to affect every company. The ongoing battle against security threats and vulnerabilities is crucial [5]. A robust security infrastructure directly enhances the productivity of a company. This paper will present an overview of e-commerce and its various types in the first section, followed by an examination of concerns, threats, and vulnerabilities regarding security in the second section. The last section will address multiple defense mechanisms employed to protect e-commerce security, which remains paramount for businesses.

E-commerce Background

The use of information and communication technology in businesses has become increasingly important. This has led to the transformation of traditional business practices into a new way of conducting business called Electronic Commerce (E-Commerce) or Electronic Business (E-Business) [12]. E-commerce refers to buying and selling products or services over the World Wide Web, which is a part of the internet. According to Verisign [2004], electronic commerce is seen as a crucial strategy for competitive organizations today as it helps them discover new sources of revenue, enter new markets, reduce costs, and develop innovative business strategies.

E-commerce covers a range of electronic transactions, including online trading, stock trading, banking, hotel booking, and purchasing airline tickets [2]. There are three main types of e-commerce based on the nature of business transactions:

  • B2B (business to business)
  • B2C (business to consumer)
  • C2C (consumer to consumer) [4]

B2B e-commerce refers to commerce transactions between businesses that involve interactions among companies, manufacturers and wholesalers, and wholesalers and retailers [16]. In B2B e-commerce, there are four primary roles: suppliers, buyers, market-makers, and web service providers. Each company or business can perform one or more of these roles [9].

According to the Queensland government's Department of State Development and Innovation [2001], B2B transactions account for 94% of all e-commerce transactions. Notable companies such as IBM, Hewlett Packard (HP), Cisco, and Dell serve as prime examples in the field of B2B commerce.

On the other hand, B2C e-commerce refers to commerce between companies and consumers. In this type of commerce, businesses directly sell physical goods (such as books, DVDs, consumer products) or information goods (digitized content like software, music, movies, or e-books) to consumers [10]. Consumers typically utilize the web for ordering physical or information goods in B2C transactions [8]. For instance, purchasing a book from Amazon.com would be classified as a B2C transaction.

eMarketer predicts that the revenue of B2C e-commerce will increase from US$59.7 billion in 2000 to US$428.1 billion by 2004 [10]. C2C e-commerce involves business transactions between private individuals or consumers on the Internet and World Wide Web. With C2C, customers have the ability to directly advertise and sell goods or products to other consumers. eBay.com is a well-known example of C2C as it operates as an online auction platform where customers can sell various items to one another [6]. Limited information regarding the global size of C2C e-commerce currently exists [10].

Figure 2 depicts various aspects of the aforementioned e-commerce business.

Security Threats to E-commerce

Security in e-commerce encompasses three fundamental principles: confidentiality, integrity, and availability. Confidentiality guarantees that only authorized individuals can access information, while unauthorized individuals are denied access. Integrity ensures that data stored on devices or transferred during communication remain unaltered by malicious users. Availability ensures that information is accessible when required [16]. Security is of utmost significance in the realm of e-commerce.

The number of online transactions has significantly increased, leading to a corresponding rise in attacks against e-commerce security [13]. A threat is defined as the potential to exploit a weakness and result in unauthorized access or use, disclosure of information, theft or destruction of resources, or disruption or modification [8]. The e-commerce environment consists of shoppers who order and purchase products or services, merchants who offer products or services, the software (website) installed on the merchant's server and the server itself, and attackers who pose a dangerous threat within the network.

Considering these parties involved in the network, it becomes evident that malicious hackers pose a significant threat. They are the most dangerous part of the network and can exploit weaknesses resulting in substantial financial losses for businesses. Figure 3 provides an overview of methods used by hackers in an e-commerce network [11]. To ensure secure electronic commerce within this network, various assets must be protected. These include client (shopper) computers or the client-side, transactions transmitted through the communication channel, the website on the server, and the merchant's server - including any attached hardware on it (server-side).

To ensure e-commerce security, it is crucial to protect communication channels and address both client-side and server-side security concerns [1, 2]. Client-side security is vital for users, while server-side security is a major concern for service providers. Implementing security measures on both sides is important to prevent insecure information transmission. Figure 3 shows various methods that attackers or hackers can use to target an e-commerce network.

In the upcoming section, we will explore various techniques that can be employed for security breaches.

Types of Attacks

This segment presents a summary and explanation of diverse attacks that can occur within an e-commerce platform, taking into account ethical considerations. From the viewpoint of an assailant, several activities can be executed without the shopper's knowledge.

The attacker's goal is to obtain all the information transmitted within the network flow, starting from when the buyer clicks on the "buy" button until receiving a response from the website server. Moreover, discreet and ethical infiltration into the application system is attempted by the attacker. Numerous attacks targeting ecommerce are explored, including social engineering techniques that deceive shoppers and exploit their behavior and information for malicious intents. There exist several approaches to accomplish this.

The act of impersonating an employee from a shopping site and contacting a shopper allows an attacker to gather information about the individual. This can then be used to pose as the shopper and request user data, like resetting their password. It is a frequently encountered situation. Alternatively, personal details like date of birth, mother's maiden name, or favorite movie can be utilized to reset a password. If this information is exposed by a shopping website, it makes retrieving the password simpler.

Phishing schemes, a frequently employed technique in today's internet, are used to acquire personal information. These schemes utilize deceptive websites that closely resemble legitimate ones, making it challenging for users to differentiate between them. For example, www.microsoft.com/shop and www.micorsoft.com/shop differ only by the switch of 'r' and 'o'. If a user mistakenly enters the fraudulent shop instead of the authentic one, they may unwittingly disclose confidential information by completing login forms and password fields.

Attackers may send the mistyped URL through email, pretending to be a legitimate shop, with the intention of tricking the buyer [11, 15]. Furthermore, they know that it is feasible to guess a shopper's password, but this would necessitate details like birthday, age, last name, etc.
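The look-alike domain in the phishing example above (micorsoft versus microsoft) can be caught mechanically on the defender's side, for instance in a mail filter or web proxy. The following is an added example, not code from the essay: it measures how many edits separate a link's domain from a list of protected brand domains, counting the swap of two adjacent letters as a single edit so that a transposition like 'ro' to 'or' scores 1. The brand list, the sample links and the two-edit threshold are assumptions made for the demonstration.

```python
"""Flag look-alike (typosquatted) domains such as micorsoft.com.

Added example, not from the essay. Uses the optimal string alignment
distance, which counts a swap of two adjacent letters (the 'r'/'o' switch
in the text) as a single edit. PROTECTED_DOMAINS is a constructed list
standing in for the brands a mail filter or proxy would watch for.
"""
from urllib.parse import urlsplit

# Constructed list of legitimate domains to protect (assumption for the demo).
PROTECTED_DOMAINS = ("microsoft.com", "amazon.com", "ebay.com")


def osa_distance(a: str, b: str) -> int:
    """Edit distance where insertion, deletion, substitution and the
    transposition of two adjacent characters each cost 1."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # delete a[i-1]
                          d[i][j - 1] + 1,         # insert b[j-1]
                          d[i - 1][j - 1] + cost)  # substitute
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transpose
    return d[rows - 1][cols - 1]


def registrable_domain(url: str) -> str:
    """Host part of a URL reduced to its last two labels.
    Simplification: multi-part public suffixes such as co.uk are not handled."""
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    return ".".join(host.split(".")[-2:])


def classify_url(url: str, max_distance: int = 2) -> str:
    """'legitimate' for a protected domain itself, 'lookalike:<brand>' for a
    domain within max_distance edits of one, otherwise 'unrelated'."""
    host = registrable_domain(url)
    if host in PROTECTED_DOMAINS:
        return "legitimate"
    best = None
    for brand in PROTECTED_DOMAINS:
        dist = osa_distance(host, brand)
        if dist <= max_distance and (best is None or dist < best[0]):
            best = (dist, brand)
    return f"lookalike:{best[1]}" if best else "unrelated"


if __name__ == "__main__":
    # Constructed sample links as they might appear in incoming mail.
    for link in ("https://www.microsoft.com/shop", "www.micorsoft.com/shop",
                 "http://amaz0n.com/login", "http://example.org/"):
        print(f"{link:35} -> {classify_url(link)}")
```

A distance of 1 or 2 against a protected brand is a strong signal for a link a user is about to click; a real deployment would add homoglyph folding (Cyrillic letters that render like Latin ones) and a public-suffix list in place of the two-label simplification.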

Many internet users opt for using personal information as their passwords due to the ease of remembering them. Nevertheless, attackers face considerable challenges in developing software capable of guessing these passwords. A prevalent technique employed by attackers is the dictionary attack, which involves utilizing words from a dictionary as potential passwords. Another method is to analyze statistics to identify the most frequently used passwords globally [15]. Alternatively, attackers may choose to focus on compromising the workstation where the website is hosted.

In order to obtain entry into a workstation, the attacker needs to be knowledgeable about its weaknesses since all workstations possess vulnerabilities. Even if the system appears flawless, it still has vulnerabilities. Consequently, through these vulnerabilities, the attacker can achieve root access to the workstation. The initial step for the attacker involves identifying which ports are open on the workstation by utilizing their own applications or pre-existing ones. Once they have gained entry into the system, they can proceed to scan the workstation in search of information pertaining to shoppers such as their IDs, passwords, or other confidential data. An alternative method available to attackers is network sniffing which takes place when a shopper visits a shopping website and conducts a transaction.

The act of sniffing refers to the capturing of data between a client and server.

This involves an attacker utilizing different applications to trace all the exchanged data. Furthermore, network communication distinguishes itself from human communication in that it entails the division of data into "data packages" before transmission between parties. In contrast, human communication may involve eavesdropping by a third person during conversation.

The network's remaining portion will gather the mentioned packages and reassemble them into the initial transmitted data for reading. Typically, the intruder aims to be near either the shopper's website or the shopper themselves in order to intercept information. If they position themselves midway between the shopper and the website, they can potentially acquire all of the information (data packages). To demonstrate this, let's consider a situation where a Norwegian local shopper desires to buy an item from a webshop located in the United States of America.

The shopper's personal information data will be fragmented and sent to a server in the USA, passing through France, Holland, and Spain. This process ensures that if an attacker is present in any of these intermediary locations, they may not obtain all the information. Additionally, even if the attacker does succeed in accessing the data, comprehensively analyzing and retrieving significant information might prove challenging.

Attackers constantly attempt to approach the source or destination point, whether it is on the client side or server side. As a result, the known bug attack is frequently employed on both shopping sites and webpages. By utilizing existing tools, attackers can identify the software being used by the target server. They can then search for patches specific to that software and assess which bugs have not been resolved by administrators. Once unfixed bugs are detected, attackers exploit them in order to compromise the system [11].

Aside from the aforementioned attacks, ecommerce applications are vulnerable to various types of attacks. An example is a Denial of Service (DOS) attack, where servers are disrupted and critical information is retrieved by employing different techniques. Another well-known attack is the buffer overflow attack, which takes advantage of root access to acquire personal data by creating a separate buffer and transferring overflowing information into it.

Some attackers exploit vulnerabilities in the HTML code, potentially extracting sensitive information if the code is poorly structured or optimized. Java, Javascript, and ActiveX exports are often used as applets in HTML, and attackers may manipulate these to implant a worm into a computer and steal confidential data.

Defense

In response to each new real-world attack, it is necessary to develop new defense mechanisms that safeguard society from unexpected threats. This section discusses various defense strategies to protect against the attacks described earlier.

The main focus of an ecommerce application from a seller's perspective is to safeguard all information. This can be achieved through various methods. Educating users is one such approach to mitigate fraudulent attacks. However, educating all shoppers requires significant time and effort, as many customers are still vulnerable to common social engineering tactics. Therefore, merchants must consistently emphasize the importance of using secure passwords to protect their identity.

It is crucial to use different passwords for various websites and securely save them. Additionally, it is vital to refrain from sharing information through phone conversations, emails, or online platforms.

When creating a password, customers must avoid using personal details such as birthdays or children's names. Instead, a strong password should be employed, which can have various interpretations.

For instance, password length and the inclusion of special characters are important factors. If a user is unable to create a strong password, there are numerous websites that offer strong passwords. When registering on a website with personal information, a cookie is stored on the computer so that the information does not need to be entered again during the next login. However, this can be advantageous for attackers, which is why it is suggested to disable the use of cookies in the browser [11]. To safeguard the user's computer, a personal firewall can be employed.
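The password advice in this section (length, character variety, no personal details) and the dictionary attack described in the Types of Attacks section are two sides of the same check, which a merchant can enforce at registration time. The following is an added example, not code from the essay: it rejects short passwords, passwords drawn from too few character classes, dictionary words (including the common leet-speak substitutions and trailing digits that attackers' wordlists also try) and passwords containing the customer's own name or birthday. The small COMMON_PASSWORDS set is a constructed stand-in for a real breached-password list, and the 12-character minimum is an assumed policy value.

```python
"""Password-strength check that covers the weaknesses the essay describes:
short length, few character classes, dictionary words (including simple
leet-speak variants and trailing digits) and personal details.

Added example, not from the essay. COMMON_PASSWORDS is a constructed
stand-in for a real breached-password wordlist (assumption).
"""
import math
import string

# Constructed mini-dictionary; in practice load a large wordlist instead.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome",
                    "iloveyou", "admin", "football", "monkey", "dragon"}

# Undo the usual substitutions (p@ssw0rd -> password) before dictionary lookup.
_LEET = str.maketrans("0134@$!", "oleaasi")
_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
            string.digits, string.punctuation)


def normalise(text: str) -> str:
    return text.lower().translate(_LEET)


def entropy_bits(password: str) -> float:
    """Naive entropy: length x log2(size of the character pool used).
    Only meaningful for random passwords; dictionary words score too high,
    which is why check_password() tests the dictionary separately."""
    pool = sum(len(cls) for cls in _CLASSES if any(c in cls for c in password))
    if " " in password:
        pool += 1
    return len(password) * math.log2(pool) if pool else 0.0


def contains_personal(password: str, item: str) -> bool:
    """True if a personal detail (name, birthday, ...) appears in the password,
    raw or in leet-speak. Very short items are ignored to avoid noise."""
    item = item.lower().replace(" ", "").replace("-", "")
    if len(item) < 4:
        return False
    return item in password.lower() or normalise(item) in normalise(password)


def check_password(password: str, personal_info=(), min_length: int = 12) -> list:
    """Return a list of findings; an empty list means the password passed."""
    findings = []
    if len(password) < min_length:
        findings.append(f"shorter than {min_length} characters")
    classes = sum(1 for cls in _CLASSES if any(c in cls for c in password))
    if classes < 3:
        findings.append("uses fewer than 3 character classes")
    # "Password123" -> "password"; "P@ssw0rd" -> "password"
    base = password.lower().rstrip(string.digits)
    if normalise(base) in COMMON_PASSWORDS or normalise(password) in COMMON_PASSWORDS:
        findings.append("matches a common/dictionary password")
    for item in personal_info:
        if contains_personal(password, item):
            findings.append(f"contains personal detail '{item}'")
    return findings


if __name__ == "__main__":
    # Constructed customer profile and candidate passwords for the demo.
    profile = ["Anna", "1990-05-12"]
    for pw in ("Password123", "Ann@1990!", "correct horse battery staple!7"):
        print(f"{pw!r}: {entropy_bits(pw):.0f} bits, findings={check_password(pw, profile)}")
```

The entropy figure is deliberately reported separately from the findings: "Password123" scores over 60 bits by the pool-size formula yet is rejected outright because it is a dictionary word with digits appended, which is exactly the pattern a dictionary attack tries first.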

The purpose of the firewall is to regulate both incoming and outgoing traffic to the computer from the outside. It also includes an intrusion detection system to prevent unauthorized access, modification, or disabling of the computer. Therefore, it is advisable for shoppers to have a firewall installed on their PCs.

It is important to update the firewall because bugs may occur. Encryption and decryption is a process where traffic is encrypted when it is sent from the client and decrypted when received by the server. This makes it harder for attackers to access confidential information. Encryption can be done using symmetric-key or asymmetric key algorithms.

Digital Signatures, like hand signatures, verify two important things: whether the data comes from the original client and if the message has been modified from when it was sent to when it was received. This is beneficial for ecommerce systems [11]. However, digital signatures alone cannot address the issue of attackers spoofing shoppers with a false website (man-in-the-middle attack) to obtain shopper information. To solve this problem, digital certificates are used.

The likelihood of the shopper accepting the legality of the website is quite high, as it is endorsed by a trusted third party. However, it's important to note that a digital certificate does not have perpetual trust. It is crucial for individuals to check if the certificate is still valid [11].

Additionally, there is a distinction between personal firewall and server firewall. A server firewall is a more advanced program that utilizes demilitarized zone techniques (DMZ) [11]. Furthermore, employing a honey pot server is also an option [11].

These were just a few of the prevention methods used in the real world. It's crucial for users to be aware of these methods and for administrators to regularly update patches for all applications used in order to enhance system protection against attacks. Another important defense strategy is analyzing and monitoring security logs to identify any suspicious activity. Therefore, administrators should frequently review their logs and understand which areas have been targeted, allowing them to update their system accordingly.
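Reviewing logs for suspicious activity, as the paragraph above recommends, is easiest to make routine when the review is scripted. The following is an added example, not code from the essay, covering two of the attacks described earlier: password guessing against customer accounts (many failed logins from one address in a short window, across one or many accounts) and probing for known-bug software (one address requesting many distinct non-existent URLs). The log format, the sample lines, the addresses and the thresholds are all constructed for the demonstration; a real deployment would adapt the parser to the web server's or application's own log format.

```python
"""Spot dictionary/brute-force login attempts and vulnerability probing
in an e-commerce site's logs.

Added example, not from the essay. The log format below is a constructed
one for the demo (ISO timestamp, key=value fields); adapt LINE_RE to your
own web or auth log. Thresholds are assumed starting values.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one address trying five accounts in five seconds
# (and finally succeeding), a normal user with a single typo, and a scanner
# requesting paths that do not exist on this site.
SAMPLE_LOG = """\
2018-08-04T10:00:01Z ip=203.0.113.7 user=alice event=login_failed path=/login
2018-08-04T10:00:02Z ip=203.0.113.7 user=bob event=login_failed path=/login
2018-08-04T10:00:03Z ip=203.0.113.7 user=carol event=login_failed path=/login
2018-08-04T10:00:04Z ip=203.0.113.7 user=dave event=login_failed path=/login
2018-08-04T10:00:05Z ip=203.0.113.7 user=erin event=login_failed path=/login
2018-08-04T10:00:06Z ip=203.0.113.7 user=erin event=login_ok path=/login
2018-08-04T10:01:00Z ip=198.51.100.20 user=alice event=login_failed path=/login
2018-08-04T10:01:05Z ip=198.51.100.20 user=alice event=login_ok path=/login
2018-08-04T10:02:00Z ip=192.0.2.99 user=- event=http_404 path=/phpmyadmin/
2018-08-04T10:02:01Z ip=192.0.2.99 user=- event=http_404 path=/admin/config.bak
2018-08-04T10:02:02Z ip=192.0.2.99 user=- event=http_404 path=/.git/HEAD
2018-08-04T10:02:03Z ip=192.0.2.99 user=- event=http_404 path=/wp-login.php
2018-08-04T10:02:04Z ip=192.0.2.99 user=- event=http_404 path=/backup.zip
2018-08-04T10:30:00Z ip=198.51.100.20 user=alice event=http_404 path=/favicon.ico
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) "
                     r"event=(?P<event>\S+) path=(?P<path>\S+)$")


def parse_log(text: str) -> list:
    """Parse lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def max_in_window(times: list, window: timedelta) -> int:
    """Largest number of (sorted) timestamps that fall inside any window."""
    best, start = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_password_guessing(events, threshold=5, window=timedelta(minutes=5)) -> dict:
    """Flag IPs with >= threshold failed logins inside `window`. Reports how
    many distinct accounts were tried (many = password spraying) and whether
    a successful login followed the failures (possible account compromise)."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] in ("login_failed", "login_ok"):
            by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["event"] == "login_failed"]
        fail_times = sorted(e["ts"] for e in fails)
        if fail_times and max_in_window(fail_times, window) >= threshold:
            last_fail = fail_times[-1]
            alerts[ip] = {
                "failures": len(fails),
                "accounts": len({e["user"] for e in fails}),
                "success_after_failures": any(
                    e["event"] == "login_ok" and e["ts"] >= last_fail for e in evs),
            }
    return alerts


def detect_probing(events, threshold=5, window=timedelta(minutes=5)) -> dict:
    """Flag IPs requesting >= threshold distinct missing paths inside `window`,
    the footprint of a scanner looking for known-vulnerable software."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] == "http_404":
            by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        first_seen = {}  # path -> first time it was requested
        for e in sorted(evs, key=lambda e: e["ts"]):
            first_seen.setdefault(e["path"], e["ts"])
        if max_in_window(sorted(first_seen.values()), window) >= threshold:
            alerts[ip] = sorted(first_seen)
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, info in detect_password_guessing(evs).items():
        print(f"ALERT password guessing from {ip}: {info}")
    for ip, paths in detect_probing(evs).items():
        print(f"ALERT vulnerability probing from {ip}: {paths}")
```

The "success after failures" flag is the one to act on first: a burst of failures followed by a success from the same address means a password was guessed, and that account should be locked and its owner contacted before the attacker uses it.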

Conclusion

In this paper, we provided an overview of e-commerce and its applications, but our main focus was on presenting the security issues and potential attacks that can occur within e-commerce. Additionally, we discussed several defense mechanisms that can be employed to safeguard e-commerce against these attacks.

E-commerce has shown its effectiveness in reducing costs for both shoppers and merchants. However, e-commerce security remains a challenge and a major concern for all participants in e-commerce. This includes not only technical administrators but also merchants, shoppers, and service providers. Despite the availability of various technologies and mechanisms such as user IDs and passwords, firewalls, SSL, and digital certificates to protect e-commerce, it is important to remain vigilant and prepared for any potential attacks that may occur.
