E-Commerce Security and Fraud Issues and Protections 10

Contents

Opening Case: How State University of New York College at Old Westbury Controls Its Internet Use ... 458
10.1 The Information Security Problem ... 459
10.2 Basic E-Commerce Security Issues and Landscape ... 465
10.3 Technical Malware Attack Methods: From Viruses to Denial of Service ... 471
10.4 Nontechnical Methods: From Phishing to Spam and Fraud ... 476
10.5 The Information Assurance Model and Defense Strategy ... 484
10.6 The Defense I: Access Control, Encryption, and PKI ... 488
10.7 The Defense II: Securing E-Commerce Networks ... 494
10.8 The Defense III: General Controls, Spam, Pop Ups, Fraud, and Social Engineering Controls ... 497
10.9 Implementing Enterprisewide E-Commerce Security ... 500
Managerial Issues ... 504
Closing Case: How One Bank Stopped Scams, Spams, and Cybercriminals ... 509

Learning Objectives

Upon completion of this chapter, you will be able to:

1. Understand the importance and scope of security of information systems for EC.
2. Describe the major concepts and terminology of EC security.
3. Understand the major EC security threats, vulnerabilities, and technical attacks.
4. Understand Internet fraud, phishing, and spam.
5. Describe the information assurance security principles.
6. Identify and assess major technologies and methods for securing EC access and communications.
7. Describe the major technologies for protection of EC networks.
8. Describe various types of controls and special defense mechanisms.
9. Describe consumer and seller protection from fraud.
10. Discuss enterprisewide implementation issues for EC security.
11. Understand why it is so difficult to stop computer crimes.

Electronic supplementary material: The online version of this chapter (doi: 10.1007/978-3-319-10091-3_10) contains supplementary material, which is available to authorized users.

E. Turban et al., Electronic Commerce: A Managerial and Social Networks Perspective, Springer Texts in Business and Economics, DOI 10.1007/978-3-319-10091-3_10, © Springer International Publishing Switzerland 2015

OPENING CASE: HOW STATE UNIVERSITY OF NEW YORK COLLEGE AT OLD WESTBURY CONTROLS ITS INTERNET USE

The State University of New York (SUNY) College at Old Westbury (oldwestbury.edu) is a relatively small U.S. university located in Long Island, New York. The college has 3,300 students and 122 full-time faculty. Internet access is essential for both faculty and students.

The Problem

The College does not regulate the types of devices people use on its network, such as laptops, tablets, and smartphones, nor the purposes for which the devices are used. Thus, students, faculty, and the network are vulnerable to a variety of security issues, many of which originate from social media websites such as Facebook and YouTube. The College encourages the use of social media as a collaborative, sharing, and learning environment.

Social media is also a leading target for malware writers. With the large number of downloads, social media has become an ideal place for cybercriminals to insert viruses and hack into systems. Phishers use social engineering techniques to deceive users into clicking on, or downloading, malware.

Because of the various devices used by the students and faculty, the College's attempts to manage network security were unsuccessful. Specifically, the attempt to use intelligent agents (which some students objected to having on their computers) as guards failed.

The College had computer-use policies in place, but these were established in the past for older computing environments. Since the old policies were not effective, the university decided to transform its old usage policy to meet the needs of current technology.

Bandwidth usage was a problem due to the extensive downloading of videos by faculty and students. The high level of usage for non-educational activities sometimes interfered with classroom or research needs.

The Solution

All students, faculty, and staff received a user ID for computer utilization. Next, a new usage policy was implemented. This policy was communicated to all users and was enforced by monitoring the usage for each ID, watching network traffic, and performing behavioral analysis. The policy covered all users, all devices, and all types of usage, including mobile devices and the Internet. According to SUNY College at Old Westbury (2014), the policy states that users should not expect full privacy when it comes to their e-mail messages or other online private information, including Internet usage records, and sets forth what information is collected by the university. Given that the IDs identify the type of user (e.g., student or faculty), management was able to set priorities in allocating bandwidth.

Old Westbury is not alone in utilizing a policy to control Internet usage. Social Media Governance (socialmediagovernance.com) is a website that provides tools and instructions regarding the control of computing resources where social media is concerned.

The Results

The new system monitors performance and automatically sends alerts to management when deviations from the policy occur (e.g., excessive usage). It also conducts behavioral analysis and reports behavioral changes of users.

The users are contacted via e-mail and alerted to the problem. The system may even block the user's access. In such an event, the user can go to the student computer lab for problem resolution. Bandwidth is controlled only when classes are in session.

Sources: Based on Goodchild (2011), SUNY (2014), and oldwestbury.edu (accessed May 2014).

LESSONS LEARNED FROM THE CASE

This case demonstrates two problems: possible malware attacks and insufficient bandwidth. Both problems can reduce the effectiveness of SUNY's computerized system, interfering with students' learning and faculty teaching and research. The solution, in which the university can monitor when users are on the university network, look for any unusual activity, and take appropriate action if needed, demonstrates one of the defense mechanisms used by an organization. The new policies conflict with student privacy – a typical situation in security systems: the tighter the security, the less privacy and flexibility people have. In this chapter, we introduce the broad battlefield between attacks on information systems and the defense of those systems. We also present the issues of fraud in e-commerce and the strategies and policies available to organizations for deploying security measures.

10.1 THE INFORMATION SECURITY PROBLEM

Information security refers to a variety of activities and methods that protect information systems, data, and procedures from any action designed to destroy, modify, or degrade the systems and their operations. In this chapter, we provide an overview of the generic information security problems and solutions as they relate to EC and IT. In this section, we look at the nature of the security problems and the magnitude of the problems, and introduce some essential terminology of information security.

What Is EC Security?

Computer security in general refers to the protection of data, networks, computer programs, computer [...] information systems. It is a very broad field due to the many methods of attack as well as the many modes of defense. The attacks on and defenses for computers can affect individuals, organizations, countries, or the entire Web. Computer security aims to prevent, or at least minimize, the attacks. We classify computer security into two categories: generic topics, relating to any information system (e.g., encryption), and EC-related issues, such as buyers' protection. Attacks on EC websites, identity theft of both individuals and organizations, and a large variety of fraud schemes, such as phishing, are described in this chapter.

Information security has been ranked consistently as one of the top management concerns in the United States and many other countries. Figure 10.1 illustrates the major topics cited in various studies as being the most important in information security.

The Status of Computer Security in the United States

Several private and government organizations try to assess the status of computer security in the United States annually. Notable is the annual CSI report, which is described next.

No one really knows the true impact of online security breaches because, according to the Computer Security Institute (CSI; gocsi.com) 2010/2011 Computer Crime and Security Survey, only 27.5% of businesses report computer intrusions to legal authorities. The survey is available at scadahacker.com/library/Documents/Insider_Threats/CSI%20-%202010-2011%20Computer%20Crime%20and%20Security%20Survey.pdf. Comprehensive annual security surveys are published periodically by IBM, Symantec, and other organizations.

In addition to organizational security issues, there is also the issue of personal security.

Personal Security

Fraud on the Web is aimed mostly at individuals. In addition, loose security may mean danger to personal safety due to sex offenders who find