Security and Privacy Issues in E-Commerce
Abstract– Consumers today use technology in their everyday lives because it makes life easier and saves them time. Shopping is one such activity, in which a customer browses the goods or services offered by one or more retailers with the intent of purchasing a suitable selection of them; this has given rise to a new trend in shopping, E-Commerce. Electronic Commerce has an important impact on the lives of modern people around the world. It lets people shop easily and conveniently, saving the cost of transportation and time, but it raises problems for their privacy and personal information. For E-Commerce to become popular, consumers must be aware of today's risks, such as fraud, cheating, stolen card identities, or even poor-quality goods and services. The researchers recommend that online shoppers take their own initiative to protect their personal information; they should not judge sites only by their promotions, such as sales, products offered and discounts, but should also check a site's integrity. E-Commerce operators must study their security thoroughly in order to protect their customers, and must strengthen their laws and policies; this will increase their sales and customers, make them preferred by the public, and make customers feel safe in this kind of commerce. This is the first step for online sellers and shoppers to build trust and a relationship with each other.
Keywords- E-commerce, security issues, technology and system.
Introduction- With the vigorous development of Internet technology, E-commerce came into being and has progressed rapidly, based on network and multimedia technology. E-Commerce (Electronic Commerce, EC) conducts online transactions over public networks such as the Internet and open computer networks, allowing a variety of business processes to be carried out quickly and effectively. These business processes include each segment in the trade of goods and services, such as advertising, purchase of goods, product marketing, information consulting, business meetings, financial services, payment for commodities and so on. As a result, E-commerce is open trade on the Internet: the complex information of business is stored, transmitted and processed in computer systems, which has brought all kinds of security problems to e-commerce transactions.
What Is E-Commerce Security?
The security problems of an electronic commerce system include not only the security risks of the computer system itself, but also the security risks of data and transactions in electronic commerce. To overcome these security risks, we need to achieve the following six aspects of security.
- Confidentiality of Electronic Commerce Data
- Integrity of Electronic Commerce Data
- Authentication of Electronic Commerce Objects
- Non-repudiation of E-commerce Services
- Non-refusal of E-commerce Services
- Control of E-commerce Access
Types of E-commerce Security
Electronic Commerce Security can be divided into two broad types –
1. Client Server Security
- Client/server security uses various authorization methods to make sure that only valid users and programs have access to information resources such as databases.
- Access control mechanisms must be set up to ensure that properly authenticated users are allowed access only to those resources that they are entitled to use.
- Such mechanisms include password protection, encrypted smart cards, biometrics, and firewalls.
2. Data and Transaction Security:
- Data and transaction security ensures the privacy and confidentiality in electronic messages and data packets, including the authentication of remote users in network transactions for activities such as online payments.
- The goal is to defeat any attempts to assume another identity while involved with electronic mail or other forms of data communication.
- Preventive measures include data encryption using various cryptographic methods.
Client-Server Network Security
A system that records all log-on attempts, particularly the unsuccessful ones, can alert managers to the need for stronger measures. However, where secrets are at stake or where important corporate assets must be made available to remote users, additional measures must be taken. Hackers can use password guessing, password trapping, security holes in programs, or common network access procedures to impersonate users and pose a threat to the servers.
Physical security holes result when individuals gain unauthorized physical access to a computer.
Software security holes result when badly written programs or privileged software are compromised into doing things they should not.
Inconsistent usage holes result when a system administrator assembles a combination of hardware and software such that the system is seriously flawed from a security point of view. The incompatibility of attempting two unconnected but useful things creates the security hole. Problems like this are difficult to isolate once a system is set up and running, so it is better to build the system carefully with them in mind. This type of problem is becoming common as software becomes more complex.
- Trust-based Security: Trust-based security means trusting everyone and doing nothing extra for protection. It is possible not to provide access restrictions of any kind and to assume that all users are trustworthy and competent in their use of the shared network. This approach rests on the very general assumption that no one ever makes an expensive breach such as getting root access and deleting all files.
- Security through Obscurity: The notion that any network can be secure as long as nobody outside its management group is allowed to find out anything about its operational details, and users are provided information on a need-to-know basis. Hiding account passwords in binary files or scripts with the presumption that nobody will ever find them is a prime case of security through obscurity. Security through obscurity provides a false sense of security in computing systems by hiding information.
This method was quite successful with stand-alone systems that ran operating systems such as IBM MVS or CMS and DEC VAX. But its usefulness is minimal in the Unix world, where users are free to move around the file system, have a good understanding of programming techniques, and have immense computing power at their fingertips.
- Password Schemes
A password scheme erects a first-level barrier to accidental intrusion. In actuality, however, password schemes do little about deliberate attack, especially when common words or proper names are selected as passwords. Most local area network or communication software packages contain encryption and security features. Passwords are included in virtually every package. However, passwords often do not provide adequate protection.
People generally don't select good passwords or change them frequently enough. From a security perspective, it is often not too difficult for hackers to breach security by guessing passwords.
A serious design flaw can sometimes result in the creation of a "universal password." Such a password satisfies the requirements of the login program without the hacker actually knowing the true and correct password. In one case, for example, a hacker could enter an overly long password. The overly long password would end up overwriting the stored password, thus allowing the hacker unauthorized access.
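The overwrite described above, shown as an added example that is not from the original paper: a hypothetical login program keeps the entered-password field directly in front of its stored-password field, so an unchecked copy of an overly long input rewrites the stored value; the fixed version checks the length first. PW_LEN, the struct layout and the sample secret are constructed for this demonstration.

```c
#include <stdio.h>
#include <string.h>

#define PW_LEN 8   /* fixed-width password field of the hypothetical login program */

/* Hypothetical login state (constructed for this example): the entered
 * password is kept directly in front of the stored password in one
 * contiguous block, so a copy that runs past PW_LEN bytes lands on the
 * stored password. */
struct login_state {
    char mem[2 * PW_LEN];  /* [0,PW_LEN) entered, [PW_LEN,2*PW_LEN) stored */
};

void set_stored_password(struct login_state *s, const char *secret) {
    memset(s->mem, 0, sizeof s->mem);
    strncpy(s->mem + PW_LEN, secret, PW_LEN);
}

/* Flawed check: copies the whole input without checking its length.
 * Returns 1 when the login is accepted, 0 otherwise. */
int vulnerable_login(struct login_state *s, const char *input) {
    size_t n = strlen(input);
    if (n > sizeof s->mem)
        n = sizeof s->mem;          /* keep the demo inside the struct */
    memset(s->mem, 0, PW_LEN);
    memcpy(s->mem, input, n);       /* n > PW_LEN overwrites the stored password */
    return memcmp(s->mem, s->mem + PW_LEN, PW_LEN) == 0;
}

/* Fixed check: rejects input longer than the field before copying, so the
 * stored password is never reachable from the input buffer. (A constant-time
 * comparison would be the next improvement; it is out of scope here.) */
int hardened_login(const struct login_state *s, const char *input) {
    size_t n = strlen(input);
    char entered[PW_LEN];
    if (n > PW_LEN)
        return 0;
    memset(entered, 0, PW_LEN);
    memcpy(entered, input, n);
    return memcmp(entered, s->mem + PW_LEN, PW_LEN) == 0;
}

/* Helpers: fresh state with `secret`, then one login attempt with `input`. */
int try_vulnerable(const char *secret, const char *input) {
    struct login_state s;
    set_stored_password(&s, secret);
    return vulnerable_login(&s, input);
}

int try_hardened(const char *secret, const char *input) {
    struct login_state s;
    set_stored_password(&s, secret);
    return hardened_login(&s, input);
}

int main(void) {
    const char *universal = "AAAAAAAAAAAAAAAA";  /* 16 bytes: both halves identical */
    printf("vulnerable: correct=%d wrong=%d universal=%d\n",
           try_vulnerable("s3cret", "s3cret"), try_vulnerable("s3cret", "wrong"),
           try_vulnerable("s3cret", universal));
    printf("hardened:   correct=%d wrong=%d universal=%d\n",
           try_hardened("s3cret", "s3cret"), try_hardened("s3cret", "wrong"),
           try_hardened("s3cret", universal));
    return 0;
}
```

The flawed check accepts the 16-byte input regardless of the real secret, because the copy has made both halves of the block identical; the length check in the fixed version is what removes the "universal password".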
- Biometric Security
It is the most secure level of authorization, involving some unique aspect of a person's body. Past biometric authorization was based on comparisons of fingerprints, palm prints, retinal patterns, or on signature verification or voice recognition. Biometric systems are very expensive to implement. Many biometric devices also carry a very high price in terms of inconvenience.
Software Agents and Malicious Code
The major threat to security from running client software results from the nature of the Internet. Client programs interpret data downloaded from arbitrary servers on the Internet. The security threat arises when the downloaded data passes through local interpreters on the client system without the user's knowledge. Client threats mostly arise from malicious data or code; malicious code refers to viruses, worms, Trojan horses, logic bombs and other deviant software programs.
A computer virus attaches itself to a program or file so it can spread from one computer to another, leaving infections as it travels. Much like human viruses, computer viruses can range in severity; some viruses cause only mildly annoying effects while others can damage your hardware, software, or files. Almost all viruses are attached to an executable file, which means the virus may exist on your computer but cannot infect it unless you run or open the malicious program. It is important to note that a virus cannot spread without a human action (such as running an infected program) to keep it going. People continue the spread of a computer virus, mostly unknowingly, by sharing infected files or sending e-mails with viruses as attachments. So we can define a computer virus as:
- A set of computer instructions
- Deliberately created
- That propagates
- And does unwanted things.
Characteristics of Computer Viruses:
- Cannot exist in a viable form, apart from another (usually legitimate) program.
- Propagates when the host program is executed.
- Has an incubation period, during which no damage is done.
- After incubation period, begins to manifest its behavior.
A Few Manifestations of Computer Viruses:
- Sudden or periodic slowing of programs.
- Unexplained change in the size of any program, in particular:
  - Files with extension .EXE.
  - Files with extension .COM.
  - Files with extension .BAT.
  - Files with extension .SYS.
  - Files with extension .OVL.
  ("Explanations" would be, for example, a new version of DOS, or reinstalling a program with different options.)
- Unusual behavior of the computer, especially during a program which you have been running regularly with no problems.
- Failure of any program (such as a word processor) to install correctly from its distribution (original) disks. (Many programs check their own size after installation.)
A worm is a type of virus that replicates itself when executed. It may spread through many machines connected to any network. Worms are often hidden within video or audio files that we download from the internet, which is done using an easy binder (software). A worm makes multiple copies of itself on a particular drive, thereby consuming space. Usually they are harmless, but sometimes they may damage our hard disk or microprocessor by overloading it.
A Trojan Horse is full of as much trickery as the mythological Trojan Horse it was named after. The Trojan Horse, at first glance, will appear to be useful software but will actually do damage once installed or run on your computer. Those on the receiving end of a Trojan Horse are usually tricked into opening it because they appear to be receiving legitimate software or files from a legitimate source. When a Trojan is activated on your computer, the results can vary. Some Trojans are designed to be more annoying than malicious (like changing your desktop or adding silly active desktop icons), while others can cause serious damage by deleting files and destroying information on your system. Trojans are also known to create a backdoor on your computer that gives malicious users access to your system, possibly allowing confidential or personal information to be compromised. Unlike viruses and worms, Trojans do not reproduce by infecting other files, nor do they self-replicate.
Steps to help avoid viruses
- The first step in protection is installing and running a current anti-virus software program. Although this software is called anti-virus, most of these applications also protect against worms. Most anti-virus software now has the ability to check incoming and outgoing email (through popular email programs like Outlook), to protect you against receiving or spreading unwanted computer problems through email. Since Word and Excel documents are such popular targets, most anti-virus software also specifically interfaces with these for protection.
- The second step is to keep your antivirus software definitions regularly updated. This will protect you as new viruses and worms are discovered. Most anti-virus software has a feature to automatically update your definitions periodically and it’s good practice to set this to update at least once a week.
- Next, you should be very careful in opening email. If you get an email with an attachment from a sender you don't recognize, don't open the attachment. Even if the sender is someone you do recognize, if you aren't expecting an email with an attachment from them, or if the wording of the subject or message seems strange for that person to send you, don't open it without first checking with them to verify it is legitimate.
- For protection from trojan horses, be careful if you download and install any software from the internet. If you do, be sure you are always downloading it from a reputable site you can trust. Several sites offer reviews of the software you can download; read the reviews to see if other users have registered any complaints about trojans or freeware in the software you are planning to install. Most major anti-virus software also now provides some protection against trojan horses.
How do I know if a virus has infected my computer? Signs include the following:
- Runs consistently slower than normal.
- Stops responding or locks up often.
- Crashes and restarts every few minutes.
- Restarts on its own and then fails to run normally.
- Applications don’t work properly.
- Disks or disk drives are inaccessible.
- Printing doesn’t work correctly.
- You see unusual error messages.
- You see distorted menus and dialog boxes.
How is a virus removed?
Even for an expert, removing a virus properly from a system is often a daunting task without the help of specific tools designed for the job. Some viruses and other unwanted software (including spyware) are even designed to reinstall themselves after they have been detected and removed! Fortunately, by updating your computer and using free, trial-period, or low-cost antivirus tools offered by many companies, you can help permanently remove (and prevent) unwanted software. You can follow the steps given below to remove a virus:
- Visit the Protect Your PC site and install the latest updates.
- If you currently use antivirus software, visit the manufacturer’s Web site, update it, and then perform a thorough scan of your system. If you don’t currently use antivirus software, subscribe to a service and scan your system immediately.
- Download, install, and run the Malicious Software Removal Tool. Note that this tool does not prevent viruses from infecting your system; it only helps to remove existing viruses.
Threats to servers
Threats to servers consist of unauthorized modification of server data, unauthorized modification of incoming data packets, and compromise of a server system by exploiting bugs in the server software. Compared to stand-alone systems, network servers are much more susceptible to attacks where legitimate users are impersonated. For example:
- Hackers have potential access to a large number of systems. As a result, computers that are not properly configured and/or are running programs with security holes are particularly vulnerable.
- Hackers can use popular Unix programs like finger, rsh, or rusers to discover account names and then try simple password-guessing methods.
- Hackers can use electronic eavesdropping to capture user names and unencrypted passwords sent over the network. They can monitor the activity on a system continuously and impersonate a user when the impersonation attack is less likely to be detected.
- Hackers can spoof, or configure a system to masquerade as another, to gain access to resources or information on systems that trust the system being mimicked.
Surveying the open legal problems in electronic commerce is beyond the scope of this article. The two most important security-related problems are the following:
- Liability: The financial risk of a user in a specific transaction depends on his or her liability. In principle, if a user bears no liability, there is no risk.
The main issue here is fairness: The liability of a user should correspond to the security of his or her technical equipment. For instance, if it is technically trivial to forge the digital signature of a user then this party should not be held liable for his or her signatures, in general.
- Harmonization: The national laws that regulate electronic commerce over the Internet (like evidential value of digital signatures, consumer protection, copyright protection) are not harmonized, and are partially contradictory. One side result is that there is no mutual recognition between national PKIs, even where comparable laws exist.
Technical Components of E-Commerce Security
There are four components involved in E-Commerce security: client software, server software, the server operating system, and the network transport. Each component has its own set of issues and challenges associated with securing it:
- Client software is becoming increasingly security-focused; however, single-user desktop operating systems historically have had no security features implemented. E-Commerce software that relies on the security of the desktop operating system is easily compromised without the enforcement of strict physical controls.
- Server software is constantly under test and attack by the user community. Although there have been cases of insecurities, a system administrator keeping up with the latest patches and vendor information can provide a high degree of confidence in the security of the server itself.
- Operating systems used for hosting E-Commerce servers are securable, but are rarely shipped from the vendor in a default configuration that is secure. E-Commerce servers must protect the database of customer information accumulating on the server, as well as provide security while the server is handling a transaction. If it is easier for a thief to compromise the server to obtain credit card numbers, why would they bother sniffing the network for individual credit card numbers?
- Session transport between the client and server uses network protocols that may have little or no built-in security. In addition, networking protocols such as TCP/IP were not designed to have confidentiality or authentication capabilities.
Conclusion & Future Aspects
A lot of research on e-commerce security is going on, and many security products and systems for e-commerce are being developed and marketed. In this situation, it is important to note that security is a system property of the e-commerce system as a whole. Security engineering involves making sure things do not fail in the presence of an intelligent and malicious adversary who forces faults at precisely the wrong time and in precisely the wrong way. Still, we cannot achieve full prevention of threats and viruses. A lot of research is needed in this area.
Md Mizanur Rahman Rumy
Student of Computer Science & Engineering Department
A P G Shimla University, HP, India.