Security of e-Commerce

The most common question when talking about e-Commerce is "Is the Internet safe for commerce?". In a sense, this is the wrong question. A better one might be "Can the Internet be safe enough for my business?". Just as we use different locks to protect our houses than the ones we use for bank vaults, there are many different technical components used for security in e-Commerce. The decision about which ones to use depends on questions such as:

  • What is the risk involved?
  • What is the maximum cost we are willing to pay for protection?
  • What is the maximum damage that can occur if the system is compromised?

As one can easily understand, in any case the cost of security should not exceed the maximum damage that a compromise could cause.

Security issues can be broken down into two main areas, and the team that develops the security of the e-Commerce system will have to answer all of the following questions.

System security

  • How secure is the operating system of a computer?
  • Can unauthorized users log on to it?
  • Can information be protected from different users on the system, or can any user on the system read/modify any information on the system?
  • Is the system physically secure?
  • Who can get into the room?

These are basic questions about the system underneath an application, and they are extremely important, because it is impossible to build a secure application on an insecure foundation. Physical security in particular deserves careful attention from management: it should also cover physical disasters and other kinds of interference, such as electromagnetic interference, especially where the system has a critical mission. Although considerations like these may seem far-fetched for the average e-shop, institutions such as tax authorities and other government bodies have taken such precautions.

Communications security

It is often important to protect the contents of a message from eavesdroppers or others who might want to see them. Someone who wants to obtain personal or sensitive data can either physically or electronically "attack" the system that stores it, or intercept the message while it is being transferred. This is especially true on the Internet, where wireless links (such as satellite or microwave links) are used alongside typical wired communications.

Cornerstones of Security

Security is often considered to be the major barrier to e-Commerce. Potential customers are concerned about the safety of sending their personal data and their credit card information over the Web. Prospective merchants worry that hackers might attempt to compromise their systems. While the need for security intensifies as the number of "transaction-oriented" sites increases, even "non-transaction" sites have been victims of various sorts of "attacks" or "security breaches".

The National Computer Security Association has identified the four cornerstones of secure e-Commerce:

Authenticity: Is the sender of a message (either from the client or the server side) who they claim to be? TCP/IP itself provides no means of verifying a sender's identity; the basic means, at the application level, is the password. But passwords can be guessed or intercepted. Access can be restricted by screening Internet Protocol addresses (see also firewalls), but there is no way to verify that a specific packet actually comes from the source address it carries. In fact, with a technique called IP spoofing, a hacker can "impersonate" a site. This way the hacker can either send messages as if they were sent from the "spoofed" IP address, or redirect and handle subsequent accesses as if they were handled by a trusted site when in fact they are not.

Privacy & Confidentiality: Are the contents of a message secret and known only to the sender and the intended receiver of the message? Messages can be intercepted either during transmission or later, while they are stored. But privacy threats may arise even in cases that appear to be "innocent". Whenever somebody accesses a web page, a log entry for the transaction is created on the server of the site accessed, on a server of the ISP (Internet Service Provider), or elsewhere. This means that transaction data such as the time, the date, the IP address of the user's computer and the address previously accessed can be recorded and processed later. One step further, some advertisers use cookies to track the viewing habits of users. So it appears that the greatest threat to privacy is not the information obtained in malicious ways but the information freely provided by users as they browse the Web.

Integrity: Have the contents of a message been modified (intentionally or accidentally) during transmission? TCP/IP transmits data in packets that travel over a number of links and routers as they move from the client to the server. Along this route they are susceptible to interception and modification. For example, a hacker might modify the address to which the contents of a Web form will be submitted.

Nonrepudiation: Can the sender of a message deny that they actually sent it? If you place an order and pay by cheque, it is difficult to dispute the validity of the order. But if you place the same order and pay by credit card there is always room for dispute: the buyer can deny having placed the order, or claim that somebody else placed it without authorization. The key to non-repudiation is the same notion as in the physical world, the signature, whose electronic counterpart is the digital signature.
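The following is an added example, not code from the original page, that shows the integrity and non-repudiation points above in working code. It assumes an order serialized as a simple key=value string (a constructed format), Ed25519 for the customer's digital signature and HMAC-SHA256 for a shared-key message authentication code, both from the Go standard library; the order values and the shared secret are constructed for the demonstration. Both mechanisms detect a modification made in transit (the integrity property), but only the signature gives non-repudiation: the merchant holds the shared MAC key too, so a valid tag does not prove who produced it, whereas only the customer's private key can produce a signature that verifies under the customer's public key.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"log"
)

// Order serializes an order as a canonical byte string (constructed format for
// this example). The field order is fixed so that the same order always
// produces the same bytes, which is what gets signed or MACed.
func Order(orderID, item string, qty, amountCents int, shipTo string) []byte {
	return []byte(fmt.Sprintf("order=%s;item=%s;qty=%d;amount=%d;ship_to=%s",
		orderID, item, qty, amountCents, shipTo))
}

// SignOrder is the customer side: sign the order bytes with the customer's
// Ed25519 private key, which nobody else holds.
func SignOrder(priv ed25519.PrivateKey, order []byte) []byte {
	return ed25519.Sign(priv, order)
}

// VerifyOrder is the merchant side: check the signature against the customer's
// public key. Any change to the order bytes in transit makes this return false.
func VerifyOrder(pub ed25519.PublicKey, order, sig []byte) bool {
	return ed25519.Verify(pub, order, sig)
}

// MacOrder computes an HMAC-SHA256 tag over the order with a key shared by
// customer and merchant. It detects modification, but either party can
// compute it, so it cannot prove which party produced the message.
func MacOrder(key, order []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(order)
	return m.Sum(nil)
}

// CheckMac recomputes the tag and compares in constant time.
func CheckMac(key, order, tag []byte) bool {
	return hmac.Equal(MacOrder(key, order), tag)
}

// Tamper plays the attacker on the path: rewrite one field of the order while
// leaving the rest (and the original signature or tag) untouched.
func Tamper(order []byte, from, to string) []byte {
	return bytes.Replace(order, []byte(from), []byte(to), 1)
}

func main() {
	custPub, custPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		log.Fatal(err)
	}
	order := Order("A1001", "SKU-42", 2, 5998, "1 Example St") // constructed order
	sig := SignOrder(custPriv, order)
	fmt.Println("genuine order verifies:   ", VerifyOrder(custPub, order, sig))

	// Integrity: an attacker rewrites the shipping address in transit.
	evil := Tamper(order, "1 Example St", "99 Attacker Rd")
	fmt.Println("tampered order verifies:  ", VerifyOrder(custPub, evil, sig))

	shared := []byte("shared-secret-between-customer-and-merchant") // constructed
	tag := MacOrder(shared, order)
	fmt.Println("MAC on genuine order:     ", CheckMac(shared, order, tag))
	fmt.Println("MAC on tampered order:    ", CheckMac(shared, evil, tag))

	// Non-repudiation: with the shared key the merchant can fabricate an order
	// the customer never placed, and its tag checks out. The customer can
	// therefore repudiate any MAC-only order.
	forged := Order("A1002", "SKU-42", 50, 149950, "1 Example St")
	fmt.Println("merchant-forged MAC checks:", CheckMac(shared, forged, MacOrder(shared, forged)))

	// With a signature the merchant cannot do this: a signature made with any
	// key other than the customer's fails verification under the customer's key.
	_, merchantPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("merchant-forged signature verifies:",
		VerifyOrder(custPub, forged, SignOrder(merchantPriv, forged)))
}
```

Run with `go run` in a directory containing only this file. The signature check fails on the tampered order and on the merchant's forgery, while the MAC only fails on the tampered order; the merchant's forged MAC verifies, which is exactly why a MAC settles integrity but not a dispute between the two parties.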