
International Journal of Engineering Research & Technology (IJERT)
ISSN: 2278-0181
Vol. 3 Issue 7, July - 2014
IJERTV3IS070500

A Survey of E-Commerce; Its Security Issues and Way-Out

Agbaraji C. Emmanuel (1) and Agwah C. Benjamin (2)
Department of Electrical and Electronic Engineering, Federal Polytechnic Nekede, Owerri, Imo State, Nigeria

Abstract - Electronic Commerce is trading of products or services conducted through the Internet as its market place. It has provided numerous benefits to business owners and their customers, thereby making it a vital means of business transaction in societies globally. E-commerce has suffered a lot of security failures such as identity theft, hacking, card fraud, phishing etc. The objective of this paper is to survey e-commerce and its security vulnerabilities and to recommend the best way to address the issues. The results of the survey showed that identity theft recorded the lowest with 13.5% while lost/stolen merchandise recorded the highest with 40% from 2010 to 2013. Secondly, fraudulent transactions through alternative payments recorded the lowest on average with 19.75% compared to others, while credit card recorded the highest on average with 62.25% from 2010 to 2013. It was therefore concluded that there is higher security failure in lost/stolen merchandise and credit card fraud. However, ThreatMetrix can detect stolen credit cards in real time and can also secure customer user accounts to ensure they are not compromised. Therefore, ThreatMetrix was recommended to be deployed in all e-commerce transactions to protect the merchants and the customers from the most frequently occurring security failures.

Keywords - Chargeback; Customers; E-Commerce; E-Commerce Security; Internet fraud; Merchants

I. INTRODUCTION

Electronic commerce, commonly known as E-commerce or e-Commerce, is trading in products or services conducted via computer networks such as the Internet. Electronic commerce draws on technologies such as mobile commerce, electronic funds transfer, supply chain management, Internet marketing, online transaction processing, electronic data interchange (EDI), inventory management systems, and automated data collection systems. Modern electronic commerce typically uses the World Wide Web at least at one point in the transaction's life-cycle, although it may encompass a wider range of technologies such as e-mail, mobile devices, social media, and telephones as well [1].

E-commerce has brought about remarkable developmental changes in the general buying and selling process globally by providing a lift to the traditional business transaction processes. Today, individuals and private and publicly owned establishments can run their business transactions through the internet without physical involvement. Prices of business goods and services can now be placed on web sites with clear photos and descriptions, which enable buyers to make selections and purchases as well through internet transactions. Hence, e-commerce makes business transactions easier and cheaper irrespective of the distance between seller and buyer compared to the physical process.

Advances in information and communication technologies and the emergence of the internet have revolutionized business activities, enabling new ways of conducting business referred to as electronic commerce [2; 3]. Electronic commerce (e-commerce) describes the process of buying, selling, transferring, or exchanging products, services, and/or information through computer networks, principally the Internet [3]. Electronic commerce can also be defined as "the sharing of business information, maintaining of business relationships, and conducting of business transactions by means of telecommunications networks" [2]. Increased mobility and changing online shopping practices, advertising and other business transactions are creating shifts in the role e-Commerce plays in overall retail operations. A subset of e-business is e-commerce, which describes the buying and selling of products, services, and information or making transactions via computer networks, including the Internet.

Electronic commerce activities include the inter-organizational processes of market-based sell-buy relationships and collaboration (known as business-to-business, or B2B, commerce) and consumer-oriented activities (business-to-consumer, i.e., B2C, and consumer-to-consumer, or C2C), as well as the intra-organizational processes that support them [2]. Electronic commerce as a way of doing business has significant advantages; organizations are embracing e-commerce as a means of expanding markets, improving customer service, reducing costs, and enhancing productivity [4]. Efficiencies are experienced in marketing and advertising; ecommerce makes disintermediation possible, eliminating the middleman [3]. Other efficiencies include reduced inventory and round-the-clock access at no additional cost. Ecommerce enables higher customization [5], allowing organizations to improve customer service. A vital benefit of ecommerce is access to global markets, which enables businesses to expand their reach. The Internet allows for unconstrained awareness, visibility and opportunity for an organization to promote its products and services [6].

However, the security problems arising from e-commerce vulnerabilities keep increasing with time due to the continuous increase in fraud and hacking practices. Customers and merchants have suffered tremendous categories of loss in their e-commerce transactions as a result of one failure or the other in the electronic commerce transaction. There are two major key players or ends in e-commerce: the customer and the merchant or business owner. Security failures can occur at either end. Since e-commerce uses the internet as its market place, it suffers all the security problems encountered by internet users. Moreover, internet fraud has generally been on the increase as internet and computer technology (ICT) grows. Hence, in order to achieve the benefits of e-commerce in the society, internet fraud prevention must be given adequate attention to protect merchants and customers in e-commerce transactions.

Electronic commerce is a shorthand term that covers a complex and continuously growing amalgam of technologies, infrastructures, processes, and products. It brings together whole industries and narrow applications, producers and users, information exchange and economic activity into a global marketplace called "the Internet." Hence, the internet is the major factor which provides the services of electronic commerce to the sellers and buyers of business goods and services. Therefore, increasing the availability of the internet directly helps to expand the electronic commerce market place. There is no universal definition of electronic commerce because the Internet marketplace and its participants are so numerous and their intricate relationships are evolving so rapidly [12]. Nonetheless, one of the best ways of understanding electronic commerce is to consider the elements of its infrastructure, its impact on the traditional marketplace, and the continuum of ways in which electronic commerce is manifested. This approach shows clearly how electronic commerce is intricately woven into the fabric of domestic economic activity and international trade. Electronic commerce as it has evolved today requires three types of infrastructure:

• Technological infrastructure to create an Internet marketplace. Electronic commerce relies on a variety of technologies, the development of which is proceeding at breakneck speed (e.g., interconnectivity among telecommunications, cable, satellite, or other Internet 'backbone'; Internet service providers (ISPs) to connect market participants to that backbone; and end-user devices such as PCs, TVs, or mobile telephones).

• Process infrastructure to connect the Internet marketplace to the traditional marketplace. This infrastructure makes payment over the Internet possible (through credit, debit, or Smart cards, or through online currencies). It also makes possible the distribution and delivery (whether online or physical) of those products purchased over the Internet to the consumer.

• Infrastructure of protocols, laws, and regulations. This infrastructure affects the conduct of those businesses engaging in and impacted by electronic commerce, as well as the relationships between businesses, consumers, and government. Examples include technical communications and interconnectivity standards; the legality and modality of digital signatures, certification, and encryption; and disclosure, privacy, and content regulations.

Internet fraud prevention is the act of stopping various types of internet fraud. Due to the many different ways of committing fraud over the Internet, such as stolen credit cards, identity theft, phishing, and chargeback, users of the Internet must make sure to avoid such scams. Internet fraud must be prevented at two ends. First, there is the basic user who may be susceptible to giving away personal information in a phishing scam, or having it acquired by rogue security software or a keylogger [7]. In a 2012 study, McAfee found that 1 in 6 computers do not have any sort of antivirus protection, making them very easy targets for such scams [8]. Business owners and website hosts are also engaged in the ongoing battle of preventing Internet fraud. Due to the illegal nature of fraud, they must ensure that the users of their services are legitimate. Websites with file hosting must work to verify uploaded files to check for viruses and spyware, while some modern browsers perform virus scans prior to saving any file (there must be a virus scanner previously installed on the system) [9]. However, most files are only found to be unclean once a user falls prey to one. A recent comScore presentation [11] reports that nearly 70 percent of customers consider the Internet to be an important factor in making buying decisions, and 60 percent have gone online to do research before purchasing items in a store.

II. LITERATURE REVIEW

Joved and Vinod [10] suggested that electronic commerce, or e-commerce, refers to the purchase and sale of goods and services over the Internet. Fundamentally, e-commerce is about the people, process, and technology involved in allowing a consumer or business to purchase goods or services from another business or individual. They stated that for centuries, traditional commerce has involved physical brick and mortar businesses, stores, shopping malls, catalog sales, and so on. In the last hundred years, other channels for commerce, such as telephone and television sales, were established. With the growth and widespread availability of the Internet in the 1990s, a sizeable commerce activity moved to the World Wide Web. Today, consumers go to their favorite e-commerce sites not only to buy and sell, but to conduct research, review, or comment on products and services.

Electronic commerce can be considered as a package of innovations [2]. The dependent variable is adoption of ecommerce. Adoption of ecommerce is defined as the use of computer networks, principally the internet, for sharing of business information; maintaining of business relationships; and conducting of business transactions [2; 3]. The likelihood of ecommerce adoption was operationalized as a dichotomy: whether the business has or has

not adopted ecommerce. According to Lavin et al. [13], a business is defined as having adopted ecommerce if it has achieved interactive ecommerce status. There are six-phase ecommerce status indicators relevant to ecommerce in mostly the developing countries, which are: no ecommerce, connected e-commerce, static ecommerce, interactive ecommerce, transaction ecommerce, and integrated ecommerce.

Security of E-Commerce

Mark and Donald [14] stated that security is a major concern for e-commerce sites and consumers alike. They argued that consumers fear the loss of their financial data, and ecommerce sites fear the financial losses associated with break-ins and any resulting bad publicity. Not only must e-commerce sites and consumers judge security vulnerabilities and assess potential technical solutions, they must also assess, evaluate, and resolve the risks involved. According to Mark and Donald [14], the user's Web browser connects to the merchant or business owner on the front end. When a consumer makes an on-line purchase, the merchant's Web server usually caches the order's personal information in an archive of recent orders. This archive contains everything necessary for credit card fraud. Further, such archives often hold 90 days' worth of customers' orders. Naturally, hackers break into insecure Web servers to harvest these archives of credit card numbers. Several recent thefts netted 100,000, 300,000, and 3.7 million pieces of credit card data. Accordingly, an e-commerce merchant's first security priority should be to keep the Web server's archives of recent orders behind the firewall, not on the front-end Web server [20]. In addition, sensitive servers should be kept highly specialized by turning off and removing all nonessential services and applications such as FTP, e-mail etc. Other practical suggestions to secure Web servers can be found in [21; 22; 23].

The internet and its services have suffered a lot of security problems, especially in recent times. Since electronic commerce makes use of the internet as its market place, it has equally suffered the same security issues, causing a lot of loss in transactions and thereby reducing the trust and dependability of the technology. It is unfortunate that online fraud collectively costs merchants billions of dollars each year, and it is not going away. A recent Internet Retailer survey (Fraud rates increase for 24% of web retailers over the past year) shows that 24% of respondents say that fraud rates for online transactions have increased over the past year [15]. Meanwhile, fraud rates have stayed the same for 63% of respondents; just 12% say fraud rates have decreased [15].

Unfortunately, just as merchants, internet service providers, and computer system and software manufacturers find ways to bolster protection in one area of e-commerce, criminals soon find new weak spots and techniques, triggering another round of costly fraud and detection measures. Operating a secure online store and general business transaction is challenging, to say the least. Yet, by minimizing losses due to fraud and using security to build online business through customer confidence, merchants can increase the profitability of their e-Commerce initiatives.

E-Commerce Security Issues

There are many points of failure, or vulnerabilities, in an e-commerce environment. In some e-commerce cases, a customer contacts a business web site for an e-commerce transaction and then gives his or her credit card details and address information for shipping a purchase, and this personal information the customers give out can be used against the owner by fraudsters [14]. Typically, authentication begins on the customer's home computer and its browser. However, security problems in home computers offer hackers other ways to steal e-commerce data and identification data from users, due to either lack of good anti-virus or breakdown of firewalls etc. Some current examples include a popular home-banking system that stores a user's account number in a Web "cookie," which hostile Web sites can crack [16], ineffective encryption or lack of encryption for home wireless networks [17], and mail-borne viruses that can steal the user's financial data from the local disk [18] or even from the user's keystrokes [19]. Whereas these specific security problems will be fixed by some software developers and Web site administrators, similar problems will continue to occur at an increasing rate. Alternatives to the home computer include point-of-sale (POS) terminals in bricks-and-mortar stores, as well as a variety of mobile and handheld devices with continually updated anti-virus and operating systems.

Furthermore, the back end may connect with third party fulfillment centers and other processing agents through the same internet connection. Arguably, the risk of stolen product or information is the merchant's least important security concern, because most merchants' traditional operations already have careful controls to track payments and deliveries. However, these third parties can release valuable data, purposely or otherwise, through their own vulnerabilities. The description above is the simplified model of e-commerce architecture; nonetheless, a number of security problems still exist. It was even noted that encrypted e-commerce connections do little to help solve any but network security problems, and whereas other problems might be addressed by encryption, there are still vulnerabilities in the software clients and servers.

Types of Frauds Threatening E-Commerce

Typically, all online retailers and other e-commerce transaction users are scared of online fraud. Keeping the business and customers safe should always be at the top of the priority list of every business owner. Often, e-commerce business owners are troubled about what types of fraud they should look out for to protect their business

and customers. The following is a list of frauds and tips on how you can protect yourself from such breaches:

1. Card fraud – this is probably the most common of online scams. Essentially a thief gets their hands on someone's card details and uses those to pay for goods on the Internet. Fortunately, thanks to schemes such as 3D Secure ("Verified by Visa" or "MasterCard SecureCode") most consumers will have set up a special password to protect themselves from such occurrences. If that is not the case then you as a business can help by monitoring your sales and using advanced fraud tools to spot suspicious transactions. If you feel that the person using a card is potentially a thief, you can simply refuse to authorize the purchase [24]. According to Wikipedia [1], credit card fraud is the unauthorized use of a credit card to make a transaction. This fraud can range from using the credit card to obtain goods without actually paying, to performing transactions that were not authorized by the card holder. Credit card fraud is a serious offense, and punished under the charge of identity theft. The majority of this type of fraud occurs with counterfeit credit cards, or using cards that were lost or stolen. Approximately 0.01% of all transactions are deemed fraudulent, and approximately 10% of Americans have reported some type of credit card fraud in their lifetimes [25].

2. The man-in-the-middle attack – this is where a cyber criminal eavesdrops on a session between your shop and the customer and records the cardholder data being exchanged. The best way to stop such attempts is by using an SSL certificate. All payment service providers will use such protection on their payment gateways and you will also need to obtain one for your website. This should eradicate most attacks [24].

3. Identity theft – identity theft, also called identity fraud, is a term used to refer to a crime in which someone steals and uses another person's personal information and data without permission. It is a crime usually committed for economic gain. Stolen personal data includes Social Security Numbers (SSN), passport numbers, or credit card numbers, which can easily be used by another person for profit. It is a serious crime that can have negative effects on a person's finances, credit score and reputation. There are three specific types of identity theft aside from the broad term. Tax-related identity theft is when a criminal uses someone else's SSN to get a tax refund or a job. Child identity theft is when a criminal uses a child's SSN to apply for governmental benefits, open bank accounts, or apply for a loan. Medical identity theft is when a criminal uses someone else's name or health insurance to see a doctor, get a prescription or other various medical needs [26].

4. Hacking – this is a very bad scenario where a fraudster gains access to the control tools of your website. This gives them unrestricted access to all of the pages, including the payment page. You can minimize the damage from such an attack by allowing your payments provider to host your payments page on their server. From the customer's end, he or she should ensure that the latest version of the CMS (Content Management System) on which the website is built is always used and that the hosting is secure. Regularly change passwords to the website and make sure that any third party software and plugins used are also secure and trustworthy.

5. Phishing – phishing is a scam or fraudulent activity by which an e-mail user is duped into revealing personal or confidential information which the scammer (phisher) can use illicitly [27]. Communications purporting to be from popular social web sites, auction sites, banks, online payment processors or IT administrators are commonly used to lure the unsuspecting public. Phishing emails may contain links to websites that are infected with malware [28]. Phishing is typically carried out by email spoofing or instant messaging and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. There are four main types of phishing techniques: link manipulation, filter evasion, website forgery, and phone phishing. Legislation, user training, public awareness, and technical security measures are all attempts to control the growing number of phishing attacks. The damage caused by phishing ranges from denial of access to email to substantial financial loss. It is estimated that between May 2004 and May 2005, approximately 1.2 million computer users in the United States suffered losses caused by phishing, totaling approximately US$929 million. United States businesses lose an estimated US$2 billion per year as their clients become victims [29]. The address that the individual knows to be the company's genuine website can be typed into the address bar of the browser, rather than trusting any hyperlinks in the suspected phishing message; this will help to prevent phishing. Nearly all legitimate e-mail messages from companies to their customers contain an item of information that is not readily available to phishers. It is up to the customer to use his or her discretion to separate genuine emails from phishing emails and prevent phishing attacks [30].

6. Malicious code – there are different types of malware used by criminals. The most common include key loggers or spyware (captures data as the user enters it), backdoor (gives the hacker remote access to your computer), command and control (looks for and executes commands). The best way to protect oneself from such attacks is to keep any software on the computer up to date, use an anti-virus programme and perform regular scans on the machine.

7. Chargeback – a chargeback is not necessarily a fraudulent activity. In its most basic sense, a chargeback is when an issuing bank, a bank where consumers acquire credit cards, reverses a prior charge from a bank account or credit card at the request of a cardholder because there was a problem with a transaction. The problem could be anything from a situation where the consumer did not receive the

product they purchased [31], to one where the cardholder was not satisfied with the quality of the product, to a situation where the cardholder was a victim of identity theft [32]. The concept of a chargeback arose as a measure of consumer protection taken by issuing banks and credit card companies. Chargebacks were a measure to protect cardholders from identity theft and the unauthorized transactions resulting from identity theft. Chargebacks also provide an incentive to producers and sellers to provide products of consistent quality and efficient customer service.

However, with the rise of technology [33], and the resulting increase in online and telephone transactions and commerce, it has become easier to commit fraud via chargebacks. Chargebacks are an interesting concept because the process protects consumers from identity theft fraud, but opens the door for consumers to commit chargeback fraud. Chargeback fraud is also known as "friendly fraud." Friendly fraud is the term for when a consumer authorizes a transaction for an online purchase on his or her credit card, receives the product or products the consumer paid for, but then later the same consumer files for a chargeback [31]. The fraudulent filing for a chargeback results in a consumer keeping and avoiding paying for the products they ordered.

The best way to prevent friendly fraudsters is for producers to require signatures for the delivered packages upon their arrival. This will provide very specific information to the producers about the delivery. The only drawback to signature confirmation is the fact that it increases shipping costs, which still hurt producers' bottom line [34].

III. SECURITY METHODS

The electronic commerce merchants continually provide solutions to the security issues to protect their business and customers; unfortunately, the fraudsters and hackers work at the same pace to break possible security methods. However, the best security in e-commerce can be achieved with proper care in applying the most up-to-date security method. The following are some certified security methods [15].

Encryption

Privacy is handled by encryption. In PKI (public key infrastructure) a message is encrypted by a public key, and decrypted by a private key. The public key is widely distributed, but only the recipient has the private key. For authentication (proving the identity of the sender, since only the sender has the particular key) the encrypted message is now encrypted again, but this time with a private key. Unfortunately, PKI is not an efficient way of sending large amounts of information, and is often used only as a first step, to allow two parties to agree upon a key for symmetric secret key encryption. Here sender and recipient use keys that are generated for the particular message by a third body: a key distribution center. The keys are not identical, but each is shared with the key distribution center, which allows the message to be read. Then the symmetric keys are encrypted in the RSA manner, and rules set under various protocols. Naturally, the private keys have to be kept secret, and most security lapses indeed arise here.

Encryption also involves using the key pair but in reverse. Once your message is completed you encrypt the file using the recipient's public key, ensuring that only the recipient can ever access that message with their private key.

Digital Signatures and Certificates

Digital signatures meet the need for authentication and integrity. To vastly simplify matters (as throughout this page), a plain text message is run through a hash function and so given a value: the message digest. This digest, the hash function and the plain text encrypted with the recipient's public key are sent to the recipient. The recipient decodes the message with their private key, and runs the message through the supplied hash function to check that the message digest value remains unchanged (the message has not been tampered with). Very often, the message is also time-stamped by a third party agency, which provides non-repudiation.

What about authentication? How does a customer know that the website receiving sensitive information is not set up by some other party posing as the e-merchant? They check the digital certificate. This is a digital document issued by the CA (certification authority: Verisign, Thawte, etc.) that uniquely identifies the merchant. Digital certificates are sold for emails, e-merchants and web servers. Digital signatures shall be discussed in detail in subsequent units of this course.

Secure Socket Layers

SSL stands for Secure Sockets Layer. This is the technique in which web servers and web browsers encrypt and decrypt all of the information that they transmit and receive. Secret decoder rings time. Both ends establish and use the same scheme for making sure that no one else is listening to their conversation. Information sent over the Internet commonly uses the set of rules called TCP/IP (Transmission Control Protocol / Internet Protocol). The information is broken into packets, numbered sequentially, and an error control attached. Individual packets are sent by different routes. TCP/IP reassembles them in order and resubmits any packet showing errors.

SSL uses PKI and digital certificates to ensure privacy and authentication. The procedure is something like this: the client sends a message to the server, which replies with a digital certificate. Using PKI, server and client negotiate to create session keys, which are symmetrical secret keys specially created for that particular transmission. Once the session keys are agreed, communication continues with these session keys and the digital certificates.

PCI, SET, Firewalls and Kerberos

Credit card details can be safely sent with SSL, but once stored on the server they are vulnerable to outsiders hacking into the server and company network. A PCI (peripheral component interconnect: hardware) card is often added for protection, therefore, or another approach altogether is adopted: SET (Secure Electronic Transaction). Developed by Visa and MasterCard, SET uses PKI for privacy, and digital certificates to authenticate the three parties: merchant, customer and bank. More importantly, sensitive information is not seen by the merchant, and is not kept on the merchant's server. Firewalls (software or hardware) protect a server, a network and an individual PC fro
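The phishing entry in the fraud list above names link manipulation and website forgery as the techniques and recommends typing the known address rather than trusting hyperlinks in a suspect message. The following Python script is an added example, not code from the paper or from any tool it cites; it applies that advice on the receiving side by parsing the anchors in an HTML message and flagging the link-manipulation patterns the text describes: a visible address that differs from the real target, a raw IP or punycode host, user-info placed before the real host, a plain-http link, and a trusted brand name buried inside an untrusted domain. The sample message, the 203.0.113.5 documentation address and the bank.example trusted-domain list are constructed for the demo, and the two-label registrable_domain helper is a simplification that ignores public-suffix rules such as co.uk.

```python
"""Added example (not from the paper): flag link manipulation, the phishing
technique named in the fraud list, in an HTML e-mail body. The message and
the trusted domain list are constructed for the demo."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name. Assumption: no public-suffix list, so
    'co.uk'-style suffixes are not handled in this demo."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(href, visible_text, trusted_domains):
    """Return the reasons a link looks manipulated (empty list = no finding)."""
    parsed = urlparse(href)
    host = parsed.hostname or ""
    reasons = []
    if parsed.scheme == "http":
        reasons.append("plain http, no TLS")
    if _is_ip_literal(host):
        reasons.append("raw IP address instead of a host name")
    if "@" in parsed.netloc:
        reasons.append("user-info before the real host (http://trusted@attacker style)")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label, possible look-alike domain")
    # Visible text that itself looks like a domain or URL must agree with href.
    if visible_text and " " not in visible_text and "." in visible_text:
        shown = visible_text if "://" in visible_text else "//" + visible_text
        shown_host = urlparse(shown).hostname or ""
        if shown_host and registrable_domain(shown_host) != registrable_domain(host):
            reasons.append(f"text shows {shown_host} but link goes to {host}")
    # A trusted brand name buried inside an untrusted registrable domain.
    if host and registrable_domain(host) not in trusted_domains:
        if any(t in host for t in trusted_domains):
            reasons.append(f"trusted name embedded in untrusted host {host}")
    return reasons


def scan_email(html, trusted_domains=("bank.example",)):
    """Map each suspicious href in the message to its list of reasons."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = {}
    for href, text in collector.links:
        reasons = check_link(href, text, trusted_domains)
        if reasons:
            findings[href] = reasons
    return findings


# Constructed sample message: one legitimate link and three manipulated ones.
SAMPLE_EMAIL = """
<p>Your account has been locked. Act now.</p>
<a href="http://203.0.113.5/login">Restore access</a>
<a href="https://bank.example.evil.example/verify">www.bank.example</a>
<a href="https://login.bank.example/help">Help centre</a>
<a href="https://xn--bnk-2na.example/login">bank.example</a>
"""

if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL).items():
        print(href, "->", "; ".join(reasons))
```

Only the help-centre link, whose host sits under the trusted bank.example domain and whose visible text makes no claim about an address, passes; the other three are reported with the specific pattern that triggered, which is the information a mail gateway or user-awareness tool would surface.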
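The Encryption, Digital Signatures and Secure Socket Layers passages above describe one mechanism in three guises: a public key wraps a short-lived session key, the bulk data then travels under symmetric encryption, and a signature is a message digest transformed with the sender's private key and checked with the public key. The following Python program is an added example, not code from the paper or from the sources it quotes, that walks through exactly that with textbook RSA so the three steps can be run and inspected. The two fixed Mersenne primes, the SHA-256 counter keystream used in place of a real cipher, and the constructed order text are demo assumptions; real deployments use random primes of at least 1024 bits, padded RSA or a modern key exchange, and an authenticated cipher such as AES-GCM.

```python
"""Added example (not from the paper): a toy public-key walkthrough of the
Security Methods section. Textbook RSA over two fixed Mersenne primes and a
SHA-256 keystream stand in for a real key pair and cipher; the structure is
the point, not the strength."""
import hashlib
import secrets

# Known Mersenne primes used as fixed demo values; a real key uses fresh
# random primes of at least 1024 bits each.
DEMO_P = 2**127 - 1
DEMO_Q = 2**521 - 1


def generate_keypair(p=DEMO_P, q=DEMO_Q, e=65537):
    """Return (public, private) as ((e, n), (d, n))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse, Python 3.8+
    return (e, n), (d, n)


def rsa_apply(value, key):
    """Raise an integer to the key exponent modulo n. Encrypt, decrypt, sign
    and verify are all this one operation used with different keys."""
    exponent, n = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exponent, n)


def _keystream(key, length):
    """Toy stream cipher: SHA-256 of key||counter. Real systems use AES-GCM."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def symmetric_xor(key, data):
    """Encrypt or decrypt (XOR is its own inverse) under a session key."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def hybrid_encrypt(plaintext, recipient_public):
    """PKI as the first step only: wrap a fresh 128-bit session key under the
    recipient's public key, then encrypt the bulk data symmetrically."""
    session_key = secrets.token_bytes(16)
    wrapped_key = rsa_apply(int.from_bytes(session_key, "big"), recipient_public)
    return wrapped_key, symmetric_xor(session_key, plaintext)


def hybrid_decrypt(wrapped_key, ciphertext, recipient_private):
    """Only the holder of the private key can unwrap the session key."""
    session_key = rsa_apply(wrapped_key, recipient_private).to_bytes(16, "big")
    return symmetric_xor(session_key, ciphertext)


def sign(message, sender_private):
    """Digital signature: hash the message, then transform the digest with
    the sender's private key."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return rsa_apply(digest, sender_private)


def verify(message, signature, sender_public):
    """Recompute the digest and compare it with the signature opened under
    the public key; any change to the message breaks the match."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return rsa_apply(signature, sender_public) == digest


def demo():
    """Customer signs an order and sends it confidentially to the merchant."""
    merchant_pub, merchant_priv = generate_keypair()
    # Second demo pair uses different Mersenne primes so the keys differ.
    customer_pub, customer_priv = generate_keypair(2**107 - 1, 2**607 - 1)
    order = b"order 1042: ship to 12 High St, card ending 4242"  # constructed
    signature = sign(order, customer_priv)
    wrapped, ciphertext = hybrid_encrypt(order, merchant_pub)
    recovered = hybrid_decrypt(wrapped, ciphertext, merchant_priv)
    return {
        "decrypts_correctly": recovered == order,
        "signature_valid": verify(recovered, signature, customer_pub),
        "tampered_rejected": not verify(recovered + b"0", signature, customer_pub),
    }


if __name__ == "__main__":
    print(demo())
```

Running the file prints three booleans. The tampered check is the "message has not been tampered with" step of the Digital Signatures passage: the recomputed digest of the altered order no longer equals the value recovered from the signature, so the merchant rejects it without needing any secret of the customer's. The session-key wrapping is the same shape as the SSL negotiation described above, where the certificate's public key protects the symmetric keys that carry the rest of the conversation.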
