E-Commerce and Bank Security


E-Commerce & Bank Security
By: Mark Reed
COSC 480
Outline

Introduction
Definition
Security Challenges
Security Terms
Common Threats
Security Practices
Protecting Yourself
Introduction

“Total eCommerce sales for 2006 were
estimated at $108.7 billion. This represents an
increase of 23.5% over 2005,” according to the
U.S. Census Bureau’s E-Commerce Survey.
What is Security?

Dictionary Definition: Protection or defense
against attack, interference, espionage, etc.

Computer Science Classification:
Confidentiality – protecting against unauthorized data disclosure
Integrity – preventing unauthorized modification
Availability – preventing data delays or denials

Security Challenges
Security Terms

Authentication – originator can be verified

Integrity – information has not been altered by an
unauthorized person or process

Non-repudiation – proof of participation by the sender
and/or receiver of a transmission

Privacy – individual rights to nondisclosure
Threats

Social Engineering – mislead the end user

Man-in-the-middle – listen between client/server

Man-in-the-browser – redirect end-user to
counterfeit sites to steal credentials
Threats Cont.

Malware – poison hosts file and/or DNS to redirect the user to counterfeit sites

Trojan Proxy – HTTP redirector that redirects all
traffic to a proxy and sends it to the attacker
Malware/Phishing Attack

Poisoning the hosts file to re-direct entries
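As an added detection example (not part of the original slides), the check below reads hosts-file text and flags the pattern the slide calls poisoning: a public domain name mapped to a routable address instead of loopback or 0.0.0.0. The sample hosts file, its domain names and its addresses are constructed placeholders.

```python
"""Flag hosts-file entries that redirect public domain names elsewhere."""
import ipaddress

# Constructed sample of a poisoned hosts file (placeholder names and addresses).
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1       localhost
::1             localhost ip6-localhost
0.0.0.0         ads.example-tracker.net   # ad-block style entry, harmless
# Injected entries: bank and shop names sent to an attacker-controlled host
203.0.113.45    www.examplebank.com examplebank.com
203.0.113.45    shop.example.com
"""

LOCAL_SUFFIXES = (".local", ".localdomain", ".localhost")


def _is_local_name(name: str) -> bool:
    """Names that legitimately live in a hosts file (no public domain)."""
    return (name == "localhost" or name.startswith("ip6-")
            or name.endswith(LOCAL_SUFFIXES) or "." not in name)


def find_poisoned_entries(hosts_text: str) -> list[tuple[str, str]]:
    """Return (hostname, address) pairs that look like redirections.

    A pair is flagged when the name looks like a public domain and the
    address is routable (not loopback, unspecified, or link-local).
    """
    flagged = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                              # malformed address field
        harmless = addr.is_loopback or addr.is_unspecified or addr.is_link_local
        for name in parts[1:]:
            if not harmless and not _is_local_name(name.lower()):
                flagged.append((name, str(addr)))
    return flagged


if __name__ == "__main__":
    for name, addr in find_poisoned_entries(SAMPLE_HOSTS):
        print(f"ALERT: {name} -> {addr}")
```

Run it against the contents of /etc/hosts (or %SystemRoot%\System32\drivers\etc\hosts on Windows) to audit a machine; any flagged pair deserves a look.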
Spam

“Spam accounts for 9 out of every 10 emails in
the United States.”

MessageLabs, Inc.

Main source of phishing attacks

Not a secure transmission method
E-Commerce Architecture

Support for peak access times

Replication and mirroring to avoid denial of
service attacks

Security of web pages through certificates and
network architecture to avoid spoofing attacks
Security Challenges

Client side security
  Prevent unauthorized access to stored information

Server-side security
  Prevent unauthorized access while allowing
  authorized users to connect

Application and Database server security
  Use security layers between the servers
Client Side Security

Protect information stored on the client system

Digital signatures and encryption provide
non-repudiation and reduce the related attacks

Communication security such as secure HTTP
Server-side Security

Place application and database server behind a
firewall in a demilitarized zone (DMZ)

Do not store sensitive information such as credit
card numbers and SSNs on web servers

Turn off all unnecessary services and block any
unused ports
Application & Database Security

Application server should shield the database
server from direct contact with web servers

Database servers should be completely isolated
from the internet and any other unsecure server

Use passwords when retrieving sensitive
information from the database server
Company Security Precautions

Defense-in-depth strategies that use multiple,
overlapping and mutually supportive systems

Antivirus, firewall, and intrusion detection/prevention

Update software patches on public systems

Block possibly harmful email attachment extensions
Security Strengthening

Multi-layer protection approaches

Secret image authentication

Using hardware authentication (serial number)
Amazon PayPhrase
Avoid Security Threats

Do not provide passwords, account numbers, or
other personal information through email

Do not trust links in emails or on websites

Check for the lock icon in the address bar of
your browser
Secure Your PC

Maintain up-to-date antivirus, spyware and
firewall protection

Keep your operating system and applications
up-to-date with security patches

Avoid transactions at wireless hotspots
Conclusion

Introduction
Definition
Security Challenges
Security Issues
Security Practices
Common Threats
Protecting Yourself