Page 325 - Introduction to Electronic Commerce and Social Commerce
312 10 E-Commerce Security and Fraud Issues and Protections
SECTION 10.4 REVIEW QUESTIONS

1. Define phishing.
2. Describe the relationship of phishing to financial fraud.
3. Briefly describe some phishing tactics.
4. Describe spam and its methods.
5. Define splogs and explain how sploggers make money.
6. Why and how are social networks being attacked?
7. Describe data breaches (data leaks).

10.5 THE INFORMATION ASSURANCE MODEL AND DEFENSE STRATEGY

The Information Assurance (IA) model, known as the CIA security triad, is a point of reference used to identify problem areas and evaluate the information security of an organization. The use of the model includes three necessary attributes: confidentiality, integrity, and availability. This model is described next. (For a discussion, see whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA.)

Note: The assurance model can be adapted to several EC applications. For example, securing the supply chain is critical.

Confidentiality, Integrity, and Availability

The success and security of EC can be measured by these attributes:

1. Confidentiality is the assurance of data secrecy and privacy. Namely, the data is disclosed only to authorized people. Confidentiality is achieved by using several methods, such as encryption and passwords.
2. Integrity is the assurance that data are accurate and that they cannot be altered. The integrity attribute needs to be able to detect and prevent the unauthorized creation, modification, or deletion of data or messages in transit.
3. Availability is the assurance that access to any relevant data, information websites, or other EC services and their use is available in real time, whenever and wherever needed. The information must be reliable.

Authentication, Authorization, and Nonrepudiation

Three concepts are related to the IA model: authentication, authorization, and nonrepudiation. These important concepts are:

• Authentication is a security measure making sure that data, information, EC participants and transactions, and all other EC-related objects are valid. Authentication requires verification. For example, a person can be authenticated by something he knows (e.g., a password), something he possesses (e.g., an entry token), or something unique to that person (e.g., a fingerprint).
• Authorization requires comparing information provided by a person or a program during a login with stored information associated with the access requested.
• Nonrepudiation is the concept of ensuring that a party in an EC transaction cannot repudiate (or refute) the validity of an EC contract and that she or he will fulfill their obligation in the transactions. According to the National Information Systems Security (INFOSEC)’s glossary, nonrepudiation is the “[a]ssurance the sender of data is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so that neither can later deny having processed the data.”

Note: See the list of Key Terms in Section 10.2. Some sources list more concepts (e.g., Techopedia).

To assure these attributes, e-commerce applies technologies such as encryption, digital signature, and certification. For example, the use of a digital signature makes it difficult for people to deny their involvement in an EC transaction. In e-commerce, new or improved methods to ensure the confidentiality of credit card numbers, the integrity of transaction-related messages, the authentication of buyers and sellers, and nonrepudiation of transactions need to be constantly updated as older methods become obsolete.

E-Commerce Security Strategy

EC security needs to address the IA model and its components. In Figure 10.7, an EC security framework that defines the high-
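The paragraph above on encryption, digital signatures and certification states that a digital signature makes it hard for a party to deny involvement in a transaction. The following is an added example, not code from the textbook, that shows the mechanism behind that claim on a constructed order message: a hash provides integrity (any change to the amount is detected), the private key provides authentication of the signer, and because verification needs only the public key the signer cannot later disown the message (nonrepudiation). It also contrasts this with an HMAC, which gives integrity and authentication between two parties but not nonrepudiation, since both hold the same key. The order text, the key pair (built from two Mersenne primes, far too small for real use) and the function names are all constructed for illustration; textbook RSA without padding is shown only because it needs no third-party library and is not suitable for a real system.

```python
# Added example (not from the textbook): integrity, authentication and
# nonrepudiation on an EC order message, using a hash plus a textbook RSA
# signature. The order text, key material and function names are constructed
# for illustration. Textbook RSA with fixed Mersenne primes and no padding is
# NOT secure; it is used only because it shows the mechanism without
# third-party libraries.
import hashlib
import hmac

# Constructed toy key pair: two Mersenne primes, far too small for real use.
P = (1 << 89) - 1
Q = (1 << 127) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent; needs Python 3.8+

PUBLIC_KEY = (N, E)    # shared with everyone who must verify
PRIVATE_KEY = (N, D)   # held only by the signer


def digest(message: bytes) -> int:
    """SHA-256 of the message, reduced to an integer below the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, private_key) -> int:
    """Signer: raise the message digest to the private exponent."""
    n, d = private_key
    return pow(digest(message), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Verifier: recover the digest with the public exponent and compare.

    Only the public key is needed, so anyone can check the signature and the
    signer cannot later claim that someone else produced it (nonrepudiation).
    """
    n, e = public_key
    return pow(signature, e, n) == digest(message)


def hmac_tag(message: bytes, shared_key: bytes) -> bytes:
    """Keyed hash: integrity and authentication between two parties that share
    the key, but not nonrepudiation, because either party could have made it."""
    return hmac.new(shared_key, message, hashlib.sha256).digest()


def hmac_verify(message: bytes, tag: bytes, shared_key: bytes) -> bool:
    """Constant-time comparison of a recomputed tag against the received one."""
    return hmac.compare_digest(hmac_tag(message, shared_key), tag)


def demo() -> dict:
    """Sign a constructed order, then check it unmodified and after tampering."""
    order = b"buyer=alice;seller=shop;item=SKU-42;amount=120.00;currency=USD"
    sig = sign(order, PRIVATE_KEY)
    tampered = order.replace(b"120.00", b"12.00")   # price altered in transit
    shared = b"constructed-shared-secret"
    tag = hmac_tag(order, shared)
    return {
        "signature_valid": verify(order, sig, PUBLIC_KEY),           # True
        "tampered_detected": not verify(tampered, sig, PUBLIC_KEY),  # True
        "hmac_valid": hmac_verify(order, tag, shared),               # True
        # The seller, holding the same key, can produce an identical tag, so
        # an HMAC cannot prove to a third party which side created the message.
        "seller_can_forge_hmac": hmac_tag(order, shared) == tag,     # True
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running the module prints four True outcomes: the genuine order verifies, the altered amount is rejected, the HMAC verifies, and the HMAC could equally have been produced by the other key holder. In a real deployment the private key would be protected by the certification infrastructure the paragraph mentions, and a padded signature scheme from a vetted library would replace the toy arithmetic.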