Page 338 - Introduction to Electronic Commerce and Social Commerce
Summary
software and systems expertise are used to attack networks, databases, or programs. DoS attacks bring operations to a halt by sending a flood of data to target specific computers and websites. Malicious code attacks include viruses, worms, Trojan horses, or some combination of these. Over the past few years, new malware trends have emerged, such as Blackhole and ZeroAccess (see Wang 2013). The new trends include an increase in the speed and volume of new attack methods, and a shorter time between the discovery of a vulnerability and the release of an attack that exploits it. Finally, the new trends include the growing use of bots to launch attacks; an increase in attacks on mobile systems, social networks, and Web applications; and a shift to profit-motivated attacks.

4. Internet fraud, phishing, and spam. A large variety of Internet crimes exist. Notable are identity theft and misuse, stock market frauds, get-rich-quick scams, and phishing. Phishing attempts to obtain valuable information from people by masquerading as a trustworthy entity. Personal information is extracted from people (or stolen) and sold to criminals, who use it to commit financial crimes such as transferring money to their own accounts. A related area is the use of unsolicited advertising or sales via spam.

5. Information assurance. The information assurance model represents a process for managing the protection of data and computer systems by ensuring their confidentiality, integrity, and availability. Confidentiality is the assurance of data privacy. Integrity is the assurance that data is accurate or that a message has not been altered. Availability is the assurance that access to data, the website, or EC systems and applications is available, reliable, and restricted to authorized users whenever they need it.

6. Securing EC access control and communications. In EC, issues of communication among trading partners are paramount. In many cases, EC partners do not know their counterparts, so they need secured communication and trust building. Trust starts with the authentication of the parties involved in a transaction; that is, identifying the parties in a transaction along with the actions they are authorized to perform. Authentication can be established with something one knows (e.g., a password), something one has (e.g., an entry card), or some physical characteristic (e.g., a fingerprint). Biometric systems can confirm a person's identity. Fingerprint scanners, iris scanners, facial recognition, and voice recognition are examples of biometric systems.

7. The different controls and special defense mechanisms. The major controls are general (including physical, access controls, biometrics, administrative controls, application controls, and internal controls for security and compliance). Each type has several variations.

8. Fraud on the Internet and how to protect consumers and sellers against it. Protection is needed because there is no face-to-face contact between buyers and sellers; there is a great possibility of fraud; there are insufficient legal constraints; and new issues and scams appear constantly. Several organizations, private and public, attempt to provide the protection needed to build the trust that is essential for the success of widespread EC. Of note are electronic contracts (including digital signatures), the control of gambling, and what taxes should be paid to whom on interstate, intrastate, and international transactions. The practice of no sales tax on the Internet is changing. States are starting to collect sales tax on Internet transactions.

Many procedures are used to protect consumers. In addition to legislation, the FTC tries to educate consumers so they know the major scams. The use of seals on sites (such as TRUSTe) can help, as well as tips and measures taken by vendors. Sellers can be cheated by buyers, by other sellers, or by criminals. Protective measures include using contracts and encryption (PKI), keeping databases of past criminals, sharing information with other sellers, educating employees, and using artificial intelligence software.

Given the large number of ways to commit Internet fraud, it is difficult to protect against all of them. Fraud protection is done by companies, security vendors, government regulations, and perhaps most important, consumer education. Knowing the most common methods used by criminals is the first step of defense. Remember, most criminals are very experienced. They are able to invest in new and clever attack methods.

9. Enterprisewide EC security. EC security procedures are inconvenient, expensive, tedious, and never ending. Implementing a defense-in-depth model that views EC security as a combination of commitment, people, processes, and technology is essential. An effective program starts with senior management's commitment and budgeting support. This sets the tone that EC security is important to the organization. Other components are security policies and training. Security procedures must be clearly defined. Positive incentives for compliance can help, and negative consequences need to be enforced for violations. The last stage is the deployment of hardware and software tools based on the policies and procedures defined by the management team.

10. Why is it so difficult to stop computer crimes? Responsibility or blame for cybercrimes can be placed on criminals, victimized people, and organizations. Online shoppers fail to take necessary precautions to avoid becoming victims. Security system designs and architectures are still incredibly vulnerable. Organizations may fail to exercise due care in business or hiring practices, opening the
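Item 5 defines integrity as the assurance that a message has not been altered. The following example is added here and is not code from the textbook; it shows one standard way an EC system provides that assurance for an order message: the sender computes a keyed hash (HMAC-SHA256) over a canonical serialisation of the order, and the receiver recomputes and compares it. Altering the amount after tagging makes verification fail. The shared key, the order fields and their values are constructed for the demonstration, and the key is assumed to have been provisioned to both parties out of band.

```python
import hashlib
import hmac
import json

# Constructed demo key. A real deployment provisions the key to both trading
# partners out of band (or derives it from a PKI-established session).
SHARED_KEY = b"constructed-demo-key-not-for-production"


def canonical(order: dict) -> bytes:
    """Serialise the order deterministically so that sender and receiver
    tag and verify exactly the same bytes (sorted keys, no whitespace)."""
    return json.dumps(order, sort_keys=True, separators=(",", ":")).encode()


def tag_order(order: dict, key: bytes = SHARED_KEY) -> str:
    """Sender side: produce the integrity tag that travels with the order."""
    return hmac.new(key, canonical(order), hashlib.sha256).hexdigest()


def verify_order(order: dict, tag: str, key: bytes = SHARED_KEY) -> bool:
    """Receiver side: recompute the tag and compare in constant time, so the
    comparison itself does not leak how many leading characters matched."""
    expected = tag_order(order, key)
    return hmac.compare_digest(expected, tag)


def demo() -> tuple:
    """Tag a constructed order, then verify the intact copy and a copy whose
    amount was changed in transit. Returns (intact_ok, tampered_ok)."""
    order = {"order_id": 1001, "buyer": "buyer42", "amount": "49.99", "currency": "USD"}
    tag = tag_order(order)
    intact_ok = verify_order(order, tag)
    tampered = dict(order, amount="4999.00")   # altered after tagging
    tampered_ok = verify_order(tampered, tag)
    return intact_ok, tampered_ok


if __name__ == "__main__":
    print(demo())
```

The canonical serialisation step matters in practice: if the two sides serialise the same order with different key order or whitespace, a legitimate message fails verification, and developers are tempted to "fix" that by relaxing the check rather than the serialisation.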
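Item 6 lists three authentication factors (something one knows, something one has, a physical characteristic) and notes that authentication also establishes which actions a party is authorized to perform. The following example is added here and is not the textbook's code; it combines two of those factors, a salted PBKDF2 password hash for the "knows" factor and an RFC 6238 time-based one-time code (HMAC-SHA1 over a 30-second counter, as produced by an authenticator device) for the "has" factor, and then applies a minimal authorization check against the actions the account is permitted to perform. The account name, password, TOTP secret and permission names are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import struct
import time

PBKDF2_ITERATIONS = 200_000
TOTP_STEP_SECONDS = 30


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so a stolen store cannot be reversed cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def totp_code(secret: bytes, timestamp: int, step: int = TOTP_STEP_SECONDS, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the big-endian time counter, then the
    RFC 4226 dynamic truncation to a fixed number of decimal digits."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def make_user(password: str, totp_secret: bytes, permissions) -> dict:
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": hash_password(password, salt),
        "totp_secret": totp_secret,          # shared with the user's authenticator
        "permissions": frozenset(permissions),
    }


# Constructed demo account store (hypothetical user, secret and permissions).
DEMO_TOTP_SECRET = b"constructed-demo-totp-secret"
USERS = {
    "buyer42": make_user("correct horse battery staple", DEMO_TOTP_SECRET,
                         {"view_orders", "place_order"}),
}
_DUMMY_SALT = os.urandom(16)


def authenticate(username: str, password: str, otp: str, now: int | None = None) -> bool:
    """Both factors must pass. Unknown users still incur a password hash so a
    caller cannot tell from timing alone whether the username exists."""
    user = USERS.get(username)
    if user is None:
        hash_password(password, _DUMMY_SALT)
        return False
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    now = int(time.time()) if now is None else now
    # Accept the current 30-second window plus one on each side for clock drift.
    otp_ok = any(
        hmac.compare_digest(totp_code(user["totp_secret"], now + d * TOTP_STEP_SECONDS), otp)
        for d in (-1, 0, 1)
    )
    return pw_ok and otp_ok


def authorize(username: str, action: str) -> bool:
    """Authorization is separate from authentication: a verified party may
    still only perform the actions it has been granted."""
    user = USERS.get(username)
    return user is not None and action in user["permissions"]


if __name__ == "__main__":
    t = int(time.time())
    code = totp_code(DEMO_TOTP_SECRET, t)   # what the authenticator would show
    if authenticate("buyer42", "correct horse battery staple", code, now=t):
        print("place_order allowed:", authorize("buyer42", "place_order"))
        print("issue_refund allowed:", authorize("buyer42", "issue_refund"))
```

Note that `pw_ok and otp_ok` is evaluated only after both factors have been computed, so a failure on the password does not short-circuit the one-time-code check and reveal which factor was wrong through response time. A real system would also rate-limit attempts and store the TOTP secret separately from the password hash.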