Chapter 5


5.1 Understand the scope of e-commerce crime and security problems, the key dimensions
of e-commerce security, and the tension between security and other values.
Cybercrime against e-commerce sites is growing rapidly, the amount of losses is growing, and
the management of e-commerce sites must prepare for a variety of criminal assaults.
There are six key dimensions to e-commerce security: integrity, nonrepudiation, authenticity,
confidentiality, privacy, and availability.
Although computer security is considered necessary to protect e-commerce activities, it is not
without a downside. Two major areas where there are tensions between security and website
operations are:
1. Ease of use—The more security measures that are added to an e-commerce site, the more
difficult it is to use and the slower the site becomes, hampering ease of use. Security is purchased
at the price of slowing down processors and adding significantly to data storage demands. Too
much security can harm profitability, while not enough can potentially put a company out of
business.
2. Public safety—There is a tension between the claims of individuals to act anonymously and
the needs of public officials to maintain public safety that can be threatened by criminals or
terrorists.

Prepared by: mohammedkhaliffarah@gmail.com March 16, 2024 1


5.2 Identify the key security threats in the e-commerce environment.
The most common and most damaging forms of security threats to e-commerce sites
include:
1. Malicious code—viruses, worms, Trojan horses, ransomware, and bot networks are a threat to
a system’s integrity and continued operation, often changing how a system functions or altering
documents created on the system.
2. Potentially unwanted programs (adware, spyware, etc.)—a kind of security threat that arises
when programs are surreptitiously installed on your computer or computer network without your
consent.
3. Phishing—any deceptive, online attempt by a third party to obtain confidential information for
financial gain.
4. Hacking and cybervandalism—intentionally disrupting, defacing, or even destroying a site.
5. Credit card fraud/theft—one of the most-feared occurrences and one of the main reasons more
consumers do not participate in e-commerce.
The most common cause of credit card fraud is a lost or stolen card that is used by someone else,
followed by employee theft of customer numbers and stolen identities
(criminals applying for credit cards using false identities).
6. Identity fraud—involves the unauthorized use of another person’s personal data, such as social
security, driver’s license, and/or credit card numbers, as well as user names and passwords, for
illegal financial benefit.
7. Spoofing—occurs when hackers attempt to hide their true identities or misrepresent
themselves by using fake e-mail addresses or masquerading as someone else.
8. Pharming—involves redirecting a web link to an address different from the intended one, with
the site masquerading as the intended destination.
9. Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks—hackers flood a
website with useless traffic to inundate and overwhelm the network, frequently causing it to shut
down and damaging a site’s reputation and customer relationships.
10. Sniffing—a type of eavesdropping program that monitors information traveling over a
network, enabling hackers to steal proprietary information from anywhere on a network,
including e-mail messages, company files, and confidential reports. The threat of sniffing is that
confidential or personal information will be made public.
11. Insider jobs—although the bulk of Internet security efforts are focused on keeping outsiders
out, the biggest threat is from employees who have access to sensitive information and
procedures.

12. Poorly designed server and client software—the increase in complexity and size of software
programs has contributed to an increase in software flaws or vulnerabilities that hackers can
exploit.
13. Social network security issues—malicious code, PUPs, phishing, data breaches, identity
fraud, and other e-commerce security threats have all infiltrated social networks.
14. Mobile platform security issues—the mobile platform presents an alluring target for hackers
and cybercriminals, and faces all the same risks as other Internet devices, as well as new risks
associated with wireless network security.
15. Cloud security issues—as devices, identities, and data become more and more intertwined in
the cloud, safeguarding data in the cloud becomes a major concern.

5.3 Describe how technology helps secure Internet communications channels and protect
networks, servers, and clients.
Encryption is the process of transforming plain text or data into cipher text that cannot be read
by anyone other than the sender and the receiver.
Encryption can provide four of the six key dimensions of e-commerce security: message
integrity, nonrepudiation, authentication, and confidentiality.
There are a variety of different forms of encryption technology currently in use. They include:
1. Symmetric key cryptography—Both the sender and the receiver use the same key to encrypt
and decrypt a message.
2. Public key cryptography—Two mathematically related digital keys are used: a public key and
a private key.
The private key is kept secret by the owner, and the public key is widely disseminated. Both keys
can be used to encrypt and decrypt a message, but once one key has been used to encrypt a
message, that same key cannot be used to decrypt it.
3. Public key cryptography using digital signatures and hash digests—This method uses a
mathematical algorithm called a hash function to produce a fixed-length number called a hash
digest.
4. Digital envelope—This method uses symmetric cryptography to encrypt and decrypt the
document, but public key cryptography to encrypt and send the symmetric key.
5. Digital certificates and public key infrastructure—This method relies on certification
authorities who issue, verify, and guarantee digital certificates (a digital document that contains
the name of the subject or company, the subject’s public key, a digital certificate serial number,
an expiration date, an issuance date, the digital signature of the certification authority, and other
identifying information).

In addition to encryption, there are several other tools that are used to secure Internet channels
of communication, including: Secure Sockets Layer (SSL)/Transport Layer Security (TLS),
virtual private networks (VPNs), and wireless security standards such as WPA2.

5.4 Appreciate the importance of policies, procedures, and laws in creating security.
In order to minimize security threats, e-commerce firms must develop a coherent corporate
policy that takes into account the nature of the risks, the information assets that need protecting,
and the procedures and technologies required to address the risk, as well as implementation and
auditing mechanisms.
Public laws and active enforcement of cybercrime statutes also are required to both raise the
costs of illegal behavior on the Internet and guard against corporate abuse of information.
The key steps in developing a security plan are:
1. Perform a risk assessment—an assessment of the risks and points of vulnerability.
2. Develop a security policy—a set of statements prioritizing the information risks, identifying
acceptable risk targets, and identifying the mechanisms for achieving these targets.
3. Create an implementation plan—a plan that determines how you will translate the levels of
acceptable risk into a set of tools, technologies, policies, and procedures.
4. Create a security team—the individuals who will be responsible for ongoing maintenance,
audits, and improvements.
5. Perform periodic security audits—routine reviews of access logs and any unusual patterns of
activity.

5.5 Identify the major e-commerce payment systems in use today.
The major types of e-commerce payment systems in use today include:
1. Online credit card transactions, which are the primary form of online payment system. There
are five parties involved in an online credit card purchase: consumer, merchant, clearinghouse,
merchant bank (sometimes called the “acquiring bank”), and the consumer’s card-issuing bank.
2. PayPal, which is an example of an alternative payment system that permits consumers to make
instant, online payments to merchants and other individuals based on value stored in an online
account. Other examples include Amazon Pay, Visa Checkout, MasterPass, and PayPal Credit.

3. Mobile payment systems, which use either credit card readers attached to a smartphone
(Square, PayPal Here) or near field communication (NFC) chips, which enable mobile payment
at point-of-sale (Apple Pay and Samsung Pay).
4. Cryptocurrencies, such as Bitcoin and other altcoins. Cryptocurrencies are growing in
importance and can be used to hide payments from authorities, as well as support the legitimate
exchange of value.

5.6 Describe the features and functionality of electronic billing presentment and payment
systems.
Electronic billing presentment and payment (EBPP) systems are a form of online payment
system for monthly bills. EBPP services allow consumers to view bills electronically and pay
them through electronic funds transfers from bank or credit card accounts.
Major players in the EBPP marketspace include: online banking, biller-direct systems, mobile
payment systems, and consolidators.
Questions and Answers
Q1) Why is it less risky to steal online? Explain some of the ways criminals deceive
consumers and merchants.
A1) The potential for anonymity on the Internet can allow criminals to assume identities that
look legitimate and at the same time, shield them from law enforcement agencies. Using these
assumed identities, criminals can place fraudulent orders with online merchants, intercept e-mail,
steal customer information, and shut down e-commerce sites using software viruses.
Q2) Explain why an e-commerce site might not want to report being the target of
cybercriminals.
A2) E-commerce sites are often hesitant to report that they have been the target of
cybercriminals because companies fear losing the trust of consumers. The actual amount of
crime is difficult to estimate because of these fears.
Q3) Give an example of security breaches as they relate to each of the six dimensions of
e-commerce security. For instance, what would be a privacy incident?
A3) 1. Integrity: This is the ability to ensure that information being displayed on a Web site or
being transmitted/received over the Internet has not been altered in any way by an
unauthorized party. One type of integrity security breach would be an unauthorized person
intercepting and redirecting a bank wire transfer into a different account.

2. Nonrepudiation: the ability to ensure that e-commerce participants do not deny their online
actions. An example of a repudiation incident would be a customer ordering merchandise online
and later denying that he or she had done so. The credit card issuer will usually side with the
customer because the merchant has no legally valid proof that the customer ordered the
merchandise.
3. Authenticity: Authenticity is the ability to verify the identity of a person or entity you are
transacting with on the Internet. One instance of an authenticity security breach is “spoofing,” in
which someone uses a fake e-mail address, or poses as someone else. This can also involve
redirecting a Web link to a different address.
4. Confidentiality: The ability to ensure that messages and data are available only to authorized
viewers. One type of confidentiality security breach is “sniffing” in which a program is used to
steal proprietary information on a network including e-mail messages, company files, or
confidential reports.
5. Privacy: The ability to control the use of information a customer provides about him or herself
to an e-commerce merchant. An example of a privacy security breach is a hacker breaking into
an e-commerce site and gaining access to credit card or other customer information.
6. Availability: This is the ability to ensure that an e-commerce site continues to function as
intended. One availability security breach is a DoS (Denial of Service) attack in which hackers
flood a Web site with useless traffic that causes it to shut down, making it impossible for users to
access the site.
Q4) How would you protect your firm against a Denial of Service attack?
A4) One way to protect against DoS attacks would be to increase the redundancy of your
network’s servers.
Q5) Name the major points of vulnerability in a typical online transaction.
A5) The major points of vulnerability are at the client level, at the server level, and over the
Internet communications channels.
Q6) How does spoofing threaten a Web site’s operations?
A6) Spoofing can redirect customers to a knock-off Web site where the customers are fooled into
completing an online order with a fraudulent or different company from the one with whom they
intended to do business.
Q7) Why is adware or spyware considered to be a security threat?
A7) Spyware and (to a lesser degree) adware are considered to be security threats because they
are covertly placed on Web users’ computers, where they then collect and distribute private
personal information.

Q8) Briefly explain how public key cryptography works.
A8) Public key cryptography solves the problem of exchanging keys by creating a
mathematically related public key and private key. The private key is kept secret by the owner,
whereas the public key is widely disseminated.
Q9) Compare and contrast firewalls and proxy servers and their security functions.
A9) Firewalls and proxy servers are used to build a wall around private networks as well as the
attached servers and clients.
Firewalls refer to either hardware or software that filter communication packets and prevent
packets from entering the network based on a security policy.
Proxy servers are software servers that handle all communications originating from or being sent
to the Internet.
Their primary function is to limit the access of internal clients to external Internet servers.
Q10) Identify and discuss the five steps in developing an e-commerce security plan.
A10) The five steps in developing an e-commerce security plan are:
1. Perform a risk assessment: First, an inventory of the information and knowledge assets of a
company is taken, and a dollar value amount is placed on each asset.
2. Develop a security policy: A set of statements should be developed that prioritizes the
information risks, identifies acceptable risk targets, and sets out the goals for achieving these
targets.
3. Develop an implementation plan: The actions that must be taken to achieve the security plan
goals must be set out.
4. Create a security organization: A security organization must be established that will train users
and keep management apprised of the security threats and breakdowns.
5. Perform a security audit: A security audit must be conducted to identify how outsiders are
using the site and how insiders are accessing the site’s assets.
