1. Major Threats.
Interest in e-commerce is growing and continues to grow. Russian companies are trying to catch up with their foreign counterparts in sales volume. Seminars and conferences on e-commerce are held, and articles and reviews are written. Special attention is paid to the security and protection of electronic transactions: it is important for companies that users trust electronic transactions. Let us briefly consider the stages of purchasing products and services via the Internet.
The customer chooses a product or service through the e-shop server and places an order.
The order is entered into the store's order database. The availability of the product or service is checked against the central database. If the product is not available, the customer is notified; depending on the type of store, the request may be redirected to another warehouse. In most cases a single database serves both orders and availability checks.
If the product or service is available, the customer confirms payment and the order is recorded in the database. The e-shop sends an order confirmation to the customer.
The customer pays for the order online.
The goods are delivered to the customer.
Let us consider the main threats that await the company at each of these stages.
Substitution of the Web server page of the electronic store. The main way this is carried out is by redirecting user requests to another server, achieved by replacing records in DNS server tables or in router tables. This is especially dangerous at the moment when the customer enters a credit card number.
Creation of false orders and fraud by e-shop employees. Penetration of the database and alteration of order processing procedures allow illegal manipulation of the database. According to statistics, more than half of all computer incidents involve a company's own employees.
Interception of data transmitted through the e-commerce system. Interception of the customer's credit card information is particularly dangerous.
Penetration into the company's internal network and compromise of electronic store components.
"Denial of service" attacks that degrade or disable the e-commerce node.
As a result of these threats, the company loses the trust of its customers and loses money on incomplete transactions. In some cases, the company may be sued for the disclosure of credit card numbers. In the event of a denial of service attack, time and material resources are spent on replacing equipment to restore operability. Data interception does not depend on the software and hardware used; it is due to the lack of protection in version 4 of the IP protocol. The solution is to use cryptographic tools or to switch to version 6 of the IP protocol, and each has its problems: in the first case, the use of cryptography must be licensed by the relevant authority; in the second, there are organizational obstacles. Several other threats are also possible, such as loss of availability of e-commerce nodes and misconfiguration of the e-store's software and hardware.
2. Methods of Protection.
All this indicates the need for comprehensive protection. In practice, protection is often limited to cryptography (the 40-bit version of the SSL protocol) for the information exchanged between the client's browser and the e-shop server, plus a filter on the router.
A comprehensive protection system should be built with the four levels of any information system in mind.
The application software level is responsible for interaction with the user. Examples of elements at this level are the WinWord text editor, the Excel spreadsheet editor, the Outlook mail program, and the Internet Explorer browser.
The database management system (DBMS) level is responsible for storing and processing the information system's data. Oracle, MS SQL Server, Sybase, and MS Access are examples of elements at this level.
The operating system (OS) level is responsible for supporting the DBMS and the application software. Examples are MS Windows NT, Sun Solaris, and Novell NetWare.
The network level is responsible for the interaction of the information system's nodes. Examples are the TCP/IP, IPX/SPX, and SMB/NetBIOS protocols.
3. Encryption and Digital Signature.
With the help of encryption, the sender converts a plain message into a set of characters that cannot be read without a special key known to the recipient. The recipient uses the key to convert the received characters back into the text. Usually the encryption algorithms themselves are public and not a secret: the confidentiality of transmitted and stored ciphertext rests on the confidentiality of the key. The degree of security depends on the encryption algorithm and on the key length, measured in bits. The longer the key, the better the security, but the more computation is needed to encrypt and decrypt the data.
The main types of encryption algorithms are symmetric and asymmetric. Symmetric methods are convenient in that a high level of security for data transfer does not require long keys, which allows large amounts of information to be encrypted and decrypted quickly. At the same time, the sender and the recipient share the same key, which makes it impossible to authenticate the sender: either party could have produced a given message. In addition, before a symmetric algorithm can be used, the parties need to exchange the secret key safely, which is easy when meeting in person but very difficult when the key has to be passed over a means of communication. The scheme of work with a symmetric encryption algorithm consists of the following steps. The parties install software on their computers that provides encryption and decryption of data and the initial generation of secret keys.
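The following is an added illustration, not code from the original article, of the three properties of symmetric encryption just described: a shared secret key round-trips data and rejects a wrong key or a tampered message, the same key lets either party produce a message the other accepts (so it cannot prove who sent it), and the cost of an exhaustive key search doubles with every key bit. The cipher itself is a constructed toy built only from the Python standard library (HMAC-SHA256 in counter mode plus an HMAC tag); it stands in for a real symmetric algorithm and is not a production cipher.

```python
import hashlib
import hmac
import secrets
from typing import Optional

NONCE_LEN = 16  # random per-message value so the same key can be reused
TAG_LEN = 32    # HMAC-SHA256 integrity tag


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Pseudo-random keystream: HMAC-SHA256(key, nonce || counter), counter mode.
    The same (key, nonce) pair always yields the same bytes, which is what lets
    the recipient undo the XOR applied by encrypt()."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Return nonce || ciphertext || tag. A fresh random nonce is drawn unless one
    is supplied (supplying one is only for reproducible tests)."""
    if nonce is None:
        nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, message: bytes) -> Optional[bytes]:
    """Check the tag first, then strip the keystream. A wrong key or a modified
    message yields None rather than garbled plaintext."""
    if len(message) < NONCE_LEN + TAG_LEN:
        return None
    nonce = message[:NONCE_LEN]
    ciphertext = message[NONCE_LEN:-TAG_LEN]
    tag = message[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, keystream(key, nonce, len(ciphertext))))


def exhaustive_search_attempts(message: bytes, known_plaintext: bytes, key_bits: int) -> Optional[int]:
    """Count how many candidate keys must be tried before a key_bits-bit key
    (right-aligned in 32 bytes) reproduces the known plaintext. Each extra bit
    doubles the worst case; this is only feasible for toy key sizes, which is
    exactly the point the article makes about key length."""
    for candidate in range(1 << key_bits):
        if decrypt(candidate.to_bytes(32, "big"), message) == known_plaintext:
            return candidate + 1
    return None


if __name__ == "__main__":
    # Constructed sample: a key both parties hold and an order record to protect.
    shared_key = secrets.token_bytes(32)   # must reach the other party over a safe channel
    order = b"order 1234: 2 x widget, card ending 1111"

    wire = encrypt(shared_key, order)
    print("round trip ok:", decrypt(shared_key, wire) == order)
    print("other key rejected:", decrypt(secrets.token_bytes(32), wire) is None)

    tampered = wire[:NONCE_LEN] + bytes([wire[NONCE_LEN] ^ 0x01]) + wire[NONCE_LEN + 1:]
    print("tampering detected:", decrypt(shared_key, tampered) is None)

    # The recipient holds the same key, so a message it builds is indistinguishable
    # from one the sender built: the scheme gives confidentiality, not sender proof.
    from_other_side = encrypt(shared_key, b"refund approved")
    print("either party can author a valid message:", decrypt(shared_key, from_other_side) is not None)

    for bits in (8, 12):
        k = ((1 << bits) - 1).to_bytes(32, "big")   # worst-case key: searched last
        print(f"{bits}-bit key: {exhaustive_search_attempts(encrypt(k, order), order, bits)} attempts")
```

The tag check runs before any decryption so that a modified message is rejected outright; `hmac.compare_digest` keeps the comparison constant-time. The exhaustive search is deliberately confined to keys of a few bits: at each added bit the attempt count doubles, which is the trade-off between key length and computation that the text describes.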