Protective measures in e commerce to deal with security threats arising



International Journal of Computer Engineering and Technology (IJCET), ISSN 0976-6367 (Print), ISSN 0976-6375 (Online), Volume 4, Issue 1, January-February (2013), pp. 46-53, © IAEME. Impact Factor (2012): 3.9580 (Calculated by GISI)

PROTECTIVE MEASURES IN E-COMMERCE TO DEAL WITH SECURITY THREATS ARISING OUT OF SOCIAL ISSUES – A FRAMEWORK

Biswajit Tripathy (1), Jibitesh Mishra (2)

(1) Associate Professor, Dept of Computer Science & Engg, Synergy Institute of Engineering & Technology, Dhenkanal 759 001 (India), email:
(2) Associate Professor, HOD, Dept of Computer Sc & Engg, College of Engineering & Technology, Ghatikia, Bhubaneswar (India)

ABSTRACT

In the early 1990s, when the Internet made computers popular with the masses and knowledge workers began to outnumber factory workers, the era of the information revolution began. The dawn of the Internet era has significantly changed the way people and organizations around the world interact with each other. Vendors around the world have started setting up shops over the web. Entire marketplaces for trade and commerce have sprung up online. In a country like India, where entrepreneurs are born in every nook and corner, e-commerce provides a low-investment, high-return opportunity. Traditional businesses have taken their wares over the net and profited immensely from it. Now the whole world is their marketplace. This article gives an account of the security aspects, the different threats arising from social issues, the causes of such issues and the remedial measures for them.

Keywords: Threats, Privacy, Security, e-commerce

1. INTRODUCTION

India, an emerging economy, has witnessed unprecedented levels of economic expansion, along with countries like China, Russia, Mexico and Brazil. India, being a cost-effective and labor-intensive economy, has benefited immensely from the outsourcing of work from developed countries and from a strong manufacturing- and export-oriented industrial framework. In 2009, out of $161.3 billion of FDI, most went to the IT and ITeS sector. Experts expect the Indian economy to be the world's biggest economy by 2040.
India's software export revenue is expected to grow at 13-14%. The IT and software industry is a major player in the Indian economy. Based mainly on IT software and facilities such as system integration, software experiments, custom application development and maintenance (CADM), and network and IT services and solutions, the country's IT-BPO industry expanded by 12% during fiscal year 2009 and attained aggregate returns of US$71.6 billion. Of this revenue, US$59.6 billion was directly generated by the software and services sector alone. Market research firm IDC India said in a recent study that India's information technology and IT-enabled services industry will be worth more than $132 billion by 2012, one of the main factors being the expansion of the domestic market in India [2-8].

The dawn of the Internet era has significantly changed the way people and organizations around the world interact with each other. With 81 million Internet users, compared to 825 million in Asia and 1966.5 million worldwide, India stands fourth in the world by number of users. The Internet, which was earlier only a medium for transferring data or for communication, now carries a much wider range of applications termed e-commerce. Products and services are now just a click away. Secure online transactions provided by vendors such as Visa and Mastercard, as well as online bank transfers, have only added to the confidence of audiences willing to participate in online commerce. The emergence of Web 2.0 fueled this trend even further. Vendors around the world have started setting up shops over the web. Entire marketplaces for trade and commerce have sprung up online [8,9]. In India, where entrepreneurs are born in every nook and corner, e-commerce provides a low-investment, high-return opportunity.

Traditional businesses have profited immensely by utilizing this opportunity. Now the whole world is their market. It started slowly, leading the way; slowly, trade portals and online travel portals joined the bandwagon. After the eBay acquisition, the level of access that users had to e-commerce increased significantly. Although by most references India only accounts for approximately 2% of the e-commerce in the Asia-Pacific region, the amount in figures is staggering. It was estimated at around $2.1 billion in 2008 and predicted to grow to around $6 billion by 2011. In fact, only 6.9% of the Indian population had access to the Internet in 2010 [9].

II. SECURITY ASPECTS

Privacy and security can be viewed as ethical questions. At the same time, the privacy and security area attracts a large amount of attention from the commercial sector because it has the potential to determine the success or failure of many business ventures, most obviously e-commerce activities. Privacy and security are often described in terms of ethics and are therefore taken to be of an ethical nature. At the same time, they are used by commercial organizations to promote their particular, usually financial but often also political, objectives. This is problematic because the commercial use of the terms privacy and security promotes a particular ideology and uses the ethical recognition of the concepts to limit critical discourse.

There are general definitions, such as the classical one by Landwehr, which states that a system is secure "if it adequately protects information that it processes against unauthorized disclosure, unauthorized modification, and unauthorized withholding". Unfortunately, the text goes on to say that no practical system can achieve these goals simultaneously and that security is inherently relative. Security is thus important for the ability to interact with others in a self-confident manner. It is also required to develop relationships of trust with others [1].

Privacy concerns have garnered much attention in recent years with the rise in identity fraud and the new capabilities to collect and process information brought about by technology. From 1998 to 2003 there were a reported 27.3 million cases of identity fraud, accounting for nearly $48 billion in losses to financial institutions and $5 billion worth of out-of-pocket expenses to consumers, according to the Federal Trade Commission (FTC) report of 2003 [2]. Strengthening the trust framework, including information security and network security, authentication, privacy and consumer protection, is a prerequisite for the development of the Information Society and for building confidence among users.

In a nutshell, the perception of cyber-threats therefore has two main aspects: on one side, a new kind of vulnerability due to modern society's dependency on inherently insecure information systems, and on the other side, the expansion of the threat spectrum, especially in terms of malicious actors and their capabilities [10].

III. THREAT CAUSES

It was only in the early 1990s that a confluence of events brought about what can be described as a "techno-crescendo" of information revolution dreams, when computers became popular with the masses and knowledge workers began to outnumber factory workers [11].

One major reason for the rise of identity fraud is that the increase in Internet transactions makes the authentication of persons more difficult than ever before, because there is no human contact and less opportunity for identification checks. Hence, methods for identification and verification in e-commerce environments are becoming increasingly necessary to avoid potential issues such as identity fraud. Online banking, electronic financial transactions, online data stores and Internet commerce, for example, are becoming extremely popular, and the technologies to prevent misuse of these systems continue to expand as their importance increases and the potential for financial loss grows [2].

Potentially damaging events that could happen to the information infrastructure are commonly categorized as "failures", "accidents" and "attacks". These events are only considered to be potentially damaging, because not all events actually produce harmful results: a system failure will not occur as long as the error does not reach the service interface of the system, and might go unobserved [9].

Failures are potentially damaging events caused by deficiencies in the system or in an external element on which the system depends. Failures may be due to software design errors, hardware degradation, human errors or corrupted data.
Accidents include the entire range of randomly occurring and potentially damaging events such as natural disasters. Usually, accidents are externally generated events from outside the system, whereas failures are internally generated events.

Statistically, among the various causes of cyber threats, some of the biggest threats are attacks committed by "insiders": individuals who are, or previously had been, authorized to use the information systems they eventually employ to spread harm [10].

In fact, different types of hackers must be distinguished [14], mainly by their motivation and skill level:
• Script kiddies: The more immature but unfortunately often just as dangerous exploiter of security lapses on the Internet. The driving force of script kiddies has been shown to be boredom, curiosity or teenage bravado.
• Hacktivists: If hacking is taken to mean "illegally breaking into computers", then hacktivism could be defined as "the nonviolent use of illegal or legally ambiguous digital tools in pursuit of political ends".
• Cracker or "Black Hat Hacker": Someone who (usually illegally) attempts to break into or otherwise subvert the security of a program, system or network, often with malicious intent. Hackers themselves like to distinguish between this type of hacker and the following type.
• Sneakers or "White Hat Hackers": Someone who attempts to break into systems or networks in order to help the owners of the system by making them aware of security flaws in it.

Some of the key issues that can create threats to an e-commerce application are given below:
• Gathering information about employees through mailers, e.g. surveys
• Gathering information about employees by developing relationships
• Forensic analysis of hard drives, memory sticks, etc.
• Pretending to be a senior manager or a helpless user
• Pretending to be a technical support engineer
• Disgruntled employees

Basically, there are two threat scenarios: one from hackers and individuals, termed the "unstructured" threat, and the other from foreign nation states, termed the "structured" threat [16].
• The unstructured threat is random and relatively limited; it consists of adversaries with limited funds and organization and short-term goals. These actors have limited resources, tools, skills and funding to accomplish a sophisticated attack. However, such attacks might cause considerable damage if the attackers are sufficiently foolish or lucky.
• The structured threat is considerably more methodical and better supported. These adversaries have all-source intelligence support, extensive funding, organized professional support and long-term goals. Foreign intelligence services, criminal elements and professional hackers involved in information warfare, criminal activities or industrial espionage fall into this threat category [17].

The following is an overview of important common issues currently discussed in the context of legislation procedures in the countries covered in the handbook [18]:
• Data protection and security in electronic communications;
• IT security and information security requirements;
• Fraudulent use of computers and computer systems, damage to or forgery of data, and similar offences;
• Protection of personal data and privacy;
• Identification and digital signatures;
• Responsibilities in e-Commerce and e-Business;
• International harmonization of cybercrime law;
• Minimum standards of information security for e-governance, service providers and operators, including the implementation of different security standards such as BS7799, the code of practice for information security management ISO/IEC 17799, the Common Criteria for Information Technology Security Evaluation ISO/IEC 15408, and others;
• Public key infrastructure and its regulation.

Across all boundaries, there are two main factors that influence and sometimes even hinder efficient law enforcement, one with a national and the other with an international dimension:
• Lack of know-how or of functioning legal institutions: Even if a country has strict laws and prohibits many practices, the enforcement of such laws is often difficult. Frequently, the necessary means to effectively prosecute misdemeanours are lacking, due to resource problems, non-existent or emerging cyber-crime units, or a lack of supportive legislation, such as the storing of rendition data [10].
• Lack or disparity of legal codes: While most crimes, such as theft, burglary and the like, are punishable offences in almost every country of the world, some rather grave disparities still remain. For example, in most European countries it is illegal to publish right-wing extremist or anti-Semitic statements on the Internet. However, the US does not prosecute such offences if committed within its borders, as they are usually protected by the First Amendment to the Constitution, which guarantees freedom of speech [19].

IV. MEASURES TO REMOVE THREATS

In the following, we will look more closely at four possible categories of initiatives launched by multilateral actors: deterrence, prevention, detection and reaction.
• Deterrence, or the focus on the use of multilateral cyber-crime legislation: Multilateral initiatives to deter the malicious use of cyberspace include initiatives to a) harmonize cyber-crime legislation and promote tougher criminal penalties (e.g. the Council of Europe Convention on Cybercrime) [20], and b) improve e-commerce legislation (e.g. the efforts of the United Nations Commission on International Trade Law (UNCITRAL) for electronic commerce) [21].
• Prevention, or the design and use of more secure systems, better security management and the promotion of more security mechanisms: Multilateral initiatives to prevent the malicious use of cyberspace centre around a) promoting the design and use of more secure information systems [22]; b) improving information security management in organizations of all sectors (e.g. the ISO and OECD standards and guidelines initiatives) [23]; and c) legal and technological initiatives such as the promotion of security mechanisms (e.g. electronic signature legislation in Europe).
• Detection, or cooperative policing mechanisms and early warning of attacks: Multilateral initiatives to detect the malicious use of cyberspace include a) the creation of enhanced cooperative policing mechanisms (e.g. the G-8 national points of contact for cyber-crime); and b) early warning of cyber-attack through information exchange between the public and private sectors (e.g. US Information Sharing & Analysis Centers, the European Early Warning & Information System, and the European Network and Information Security Agency (ENISA)).
• Reaction, or the design of stronger information infrastructures, crisis management programs, and policing and justice efforts: Multilateral initiatives to react to the malicious use of cyberspace include a) efforts to design robust and survivable information infrastructures; b) the development of crisis management systems; and c) improvement in the coordination of policing and criminal justice efforts [24].

In order to counter the security threats due to social factors, the following recommendations can be made:
• A well-documented security policy accessible to employees, and training provided to the employees
• Awareness of threats and of the impact of social engineering on the company
• Implementation of a proper security audit
• A proper identity management policy for authentication
• Clear-cut operating policies and procedures to limit vulnerabilities
• Use of advanced physical solutions such as intelligent revolving doors, biometric systems, etc. to eliminate or reduce unauthorized physical access

Along with each policy, the standards and guidelines to be followed should be clearly explained. Some of the broad outlines of this policy should include the following:
• Computer system usage: Monitoring the use of non-company-standard mail or activity.
• Proper information classification and handling: Confidential information should be properly classified and should not be available to everybody.
• Personnel security: Proper screening of new employees and other visitors to ensure that they do not pose a security threat.
• Physical security: A proper authentication process for allowing employees into secure portions of the company, e.g. sign-in procedures through electronic and biometric security devices.
• Information access: Password usage and guidelines for generating secure passwords, and access authorization.
• Protection from viruses: Working policies for protection of the systems from viruses and other threats.
• Security awareness training: This ensures that employees are kept informed of threats and countermeasures.
• Compliance monitoring: This ensures that the security policy is being complied with.
• Document destruction: All information should be disposed of by shredding, not by discarding in the trash or recycle bins.
V. CONCLUSION

Insider threats are a major social issue that causes extensive damage to any system. A more generalized framework has been proposed in this article that covers different organizations/agencies. This framework will guide e-commerce companies in establishing a more secure system. However, a localized policy has to be made for each company in order to address the local social issues. Apart from these, proper training guidelines for the general users working in the company/organization need to be framed.

REFERENCES

1. Stahl, B. C.: Privacy and Security as Ideology. IEEE Technology & Society Magazine, Spring, IEEE, pp. 35-45 (2007)
2. Taner Pirim, et al.: An Empirical Investigation of an Individual's Perceived Need for Privacy and Security. International Journal of Information Security and Privacy, Volume 2, Issue 1, edited by Hamid R. Nemati, © 2008, IGI Global, pp. 42-53 (2008)
3. Visited on 2 Jan 2013.
4. Visited on 2 Jan 2013.
5. than-doubled-by-2012/ visited on 2 Jan 2013.
6. Visited on 2 Jan 2013.
7. aliens-ufos/articleshow/7042278.cms visited on 2 Jan 2013.
8. Visited on 2 Jan 2013.
9. Visited on 2 Jan 2013.
10. Myriam Dunn: A Comparative Analysis of Cyber Security Initiatives Worldwide. International Telecommunication Union, WSIS Thematic Meeting on Cyber Security, Geneva; Center for Security Studies, Swiss Federal Institute of Technology (ETH Zurich), for the WSIS Thematic Meeting on Cyber Security (2005)
11. Kushnick, Bruce: The Unauthorized Biography of the Baby Bells & Info-Scandal (New Networks Institute), p. 22 (1999)
12. Avizienis et al.: Fundamental Concepts of Dependability. Research Report N01145 (2000); Office of Critical Infrastructure Protection and Emergency Preparedness (OCIPEP) (2003)
13. U.S. Secret Service and Carnegie Mellon University Software Engineering Institute: Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors. URL:
14. Levy, Steven: Hackers: Heroes of the Computer Revolution (New York: Anchor Press) (1984)
15. Denning, Dorothy E.: Activism, Hacktivism, and Cyberterrorism: The Internet as a Tool for Influencing Foreign Policy. Presented at Internet and International Systems: Information Technology and American Foreign Policy Decision Making Workshop (1999)
16. National Academy of Sciences (1991)
17. Minihan, Kenneth A.: Prepared statement before the Senate Governmental Affairs Committee, 24 June 1998 (1998)
18. Finnish Communications Regulatory Authority: Information Security Review Related to the National Information Security Strategy (24 May 2002). URL: (2002)
19. Gelbstein, Eduardo and Ahmad Kamal: Information Insecurity. A Survival Guide to the Uncharted Territories of Cyber Threats and Cyber Security. United Nations ICT Task Force and United Nations Institute for Training and Research (New York, November 2002). URL: Information_Insecurity_Second_Edition_PDF.pdf (2002)
20. Council of Europe Convention on Cybercrime. URL:
21.
22.
23. The International Organization for Standardization (ISO) has developed a code of practice for information security management (ISO/IEC 17799:2000). URL:
24. The Organisation for Economic Co-operation and Development (OECD) promotes a "culture of security" for information systems and networks. URL: ,2340,en_2649_33703_15582250_1_1_1_1, ml
25. Porteous, Holly: Some Thoughts on Critical Information Infrastructure Protection. Canadian IO Bulletin, 2, 4, October. URL:
26. L. Chandra Sekaran and Dr. S. Balasubramanian: "Website Based Patent Information Searching Mechanism", International Journal of Computer Engineering & Technology (IJCET), Volume 1, Issue 2, 2010, pp. 180-191, Published by IAEME
27. M. B. Thulase and Dr. G. T. Raju: "Website Based Patent Information Searching Mechanism", International Journal of Computer Engineering & Technology (IJCET), Volume 3, Issue 2, 2012, pp. 487-498, Published by IAEME
28. Neeraj Tiwari, Rahul Anshumali and Prabal Pratap Singh: "Wireless Sensor Networks: Limitation, Layerwise Security Threats, Intruder Detection", International Journal of Electronics and Communication Engineering & Technology (IJECET), Volume 3, Issue 2, 2012, pp. 22-31, Published by IAEME
29. Dr. V. Antony Joe Raja: "The Study of E-Commerce Service Systems in Global Viral Marketing Strategy", International Journal of Marketing & Human Resource Management (IJMHRM), Volume 3, Issue 1, 2012, pp. 9-18, Published by IAEME
30. Mahmoud M. Maqableh: "Secure Hash Functions Based on Chaotic Maps for E-Commerce Applications", International Journal of Information Technology and Management Information System (IJITMIS), Volume 1, Issue 1, 2010, pp. 12-22, Published by IAEME
31. Gurudatt Kulkarni, Ruchira Chandorkar and Nikita Chavan: "A Security by Biometric Authentication", International Journal of Computer Science and Engineering Research and Development (IJCSERD), Volume 2, Number 1, 2012, pp. 7-14, Published by PRJ Publication