E-Commerce Security Threats

When a customer uses an e-commerce service there is a constant question of whether their data is actually safe. Strong security matters to both the customer and the company, because the data can be intercepted while in transit or stolen from the e-commerce host itself (such as Ebuyer).

Once stolen, the data can be misused in many ways, from using the customer's details to "spam" them, to using their credit card details to buy items without the card holder's permission.

The Customer’s Side:

Security starts with the customer: if they want their data to stay safe, they must first help protect it. A major threat to customer data is the hardware "key logger" (as pictured). The device sits between the keyboard and the computer's keyboard port (PS/2 or even USB) and records every keystroke typed. From that record an attacker can recover very confidential information such as the customer's credit card details or their Ebuyer login credentials. Planting such a device is rare in a controlled environment such as the home, but it is far more common in public places such as internet cafés. Because the device is hardware, the customer's only real defence is to look at where the keyboard is plugged in and check that nothing sits between it and the computer, and to avoid entering card or login details on a machine they do not control.

Ebuyer, on the other hand, cannot tell directly whether a customer's details have been stolen. What it can see is unusual activity on the account, such as a sudden burst of orders. That may prompt Ebuyer to investigate, which could reveal that the customer's account details have been stolen.

The Company’s Side:

Ebuyer holds the customer's card details for as short a time as possible: as soon as the credit card information reaches Ebuyer it is passed straight on to the card company rather than kept on Ebuyer's servers. Not storing that data means that an attacker who gains access to Ebuyer's servers finds only the customer's name, not the card details that could be used to commit fraud. The same has to hold for any copies: card numbers must not end up in logs or backups either, or the protection is undone.
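The principle above, that the merchant keeps only what it needs once the card details have gone on to the card company, can be checked in code. The following is an added example, not Ebuyer's code: it takes a constructed checkout payload containing a well-known test card number, builds the record the merchant would keep (only the last four digits and the payment processor's reference), and then scans both the raw payload and the stored record for anything that still looks like a card number. The field name `processor_ref` and its sample value are assumptions; in practice the reference would come from the card company's response.

```python
import json
import re

# Constructed checkout payload; 4111 1111 1111 1111 is a well-known test number, not a real card.
SAMPLE_CHECKOUT = {
    "customer": "J. Smith",
    "address": "1 High Street, Anytown",
    "card_number": "4111 1111 1111 1111",
    "expiry": "12/09",
    "cvv": "123",
    "amount": 89.99,
}

# 13 to 19 digits, optionally separated by spaces or hyphens, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn checksum: True for a well-formed card number given as a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return every Luhn-valid card-number-like digit run found in text.
    Used here as a check that no full card number has leaked into a stored record."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def minimise_checkout(checkout, processor_ref):
    """Build the record the merchant keeps once the card details have been sent on
    to the card company. processor_ref is assumed to be the reference the card
    company returns; the full number and the CVV are deliberately not copied."""
    digits = re.sub(r"[ -]", "", checkout["card_number"])
    if not digits.isdigit() or not luhn_valid(digits):
        raise ValueError("card number fails basic validation")
    return {
        "customer": checkout["customer"],
        "address": checkout["address"],
        "amount": checkout["amount"],
        "card_last4": digits[-4:],      # enough to show the customer which card was used
        "processor_ref": processor_ref,
    }


if __name__ == "__main__":
    stored = minimise_checkout(SAMPLE_CHECKOUT, "ref-constructed-0001")
    print("card numbers in raw checkout:", find_pans(json.dumps(SAMPLE_CHECKOUT)))
    print("card numbers in stored record:", find_pans(json.dumps(stored)))
```

The scan in `find_pans` is the useful half: run over whatever actually gets written (database rows, log lines, backup dumps) it catches the case where a full card number slipped through despite the policy.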

Another security measure taken by Ebuyer is protecting the customer's data before it even reaches Ebuyer. Once the customer submits their details, Ebuyer must ensure they arrive as safely as possible, and for this Ebuyer uses SSL with 128-bit encryption (as pictured). Secure Sockets Layer (SSL, since superseded by TLS) is a cryptographic protocol that provides secure communication over the internet for web browsing, e-mail and other data transfers; the "128-bit" refers to the key length of the cipher that encrypts the session. It encrypts the connection between the customer's browser and Ebuyer's server, so the data cannot be read if it is intercepted "in cyber space" on the way. It is worth being clear about what it does not do: SSL protects data only in transit, not once it is stored on the server, and it cannot help against a key logger that captures the details before they are encrypted. Ebuyer uses it on every area of the site where customers enter their details (such as the user login page).

Ebuyer also uses firewalls so that nobody from "outside" the company can connect directly to the systems holding customer information. A firewall limits which connections can reach those servers; it does not inspect what comes through the connections it has to allow, such as the web traffic to the shop itself, so it complements rather than replaces the other measures.

Alongside software and hardware protection, Ebuyer also uses physical security: combination locks on all of its server rooms, and backed-up data stored in secure fireproof safes.

Risk Assessment:

The following is a risk assessment I conducted of various security threats. The ratings run from 5 stars (very likely / very preventable) down to 1 star (not very likely / not very preventable).

Customer:

Trojans and system monitors
Likelihood:
Preventability:
Danger to Customer:

Phishing
Likelihood:
Preventability:
Danger to Customer:

Being physically asked to "give the data"
Likelihood:
Preventability:
Danger to Customer:

Company:

Trojans and system monitors
Likelihood:
Preventability:
Danger to Company:

E-fraud: hacking the account to view or edit bank information
Likelihood:
Preventability:
Danger to Company:

Sabotage by an employee
Likelihood:
Preventability:
Danger to Company:


Based on these findings, I would rate trojans and system monitors as the biggest security threat to customers. If someone installs, say, a key logger on a customer's computer, they could potentially obtain not only e-commerce website logins but other private customer data as well. Hardware key loggers are also far harder to prevent than trojans, because no software on the computer can detect or disable them. Obtaining a customer's private data could lead not only to access to bank accounts but possibly to identity theft. Having said this, more and more internet cafés are recognising the risks that trojans and system monitors pose, and are monitoring users more closely and installing CCTV.

As well as these illegal activities, there are ways that e-commerce companies such as Ebuyer can monitor "unusual" behaviour by users and so prevent major damage. As I recently learnt from Mr. David Price, CEO of Cosy Feet Ltd, online companies can look through buying records for unusual activity. I was given the example of a user pretending to be an elderly woman buying very large shoes, not a common thing; from there, Cosy Feet could contact the user and ask further questions. Another example was people ordering large quantities of items: Cosy Feet had a policy whereby they would contact anyone trying to do so, as this could be a sign of suspicious activity. Credit card companies also investigate unusual activity on people's cards. One pattern they look for is that an unauthorised user of a card will often buy small items, such as mobile phone credit, several times in quick succession to test whether the card is still active. The card companies recognise this as a sign that someone else has obtained the card details and contact the card holder immediately to ask about it.

The same principles can be applied to Ebuyer. I myself do not know exactly what Ebuyer's policies on suspicious user behaviour are, but I would well imagine that, like Cosy Feet, they monitor all orders closely and investigate any unusual behaviour further. This is a modern way of tackling e-crime before it can cause major damage.
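The monitoring described in the last two sections (a sudden burst of orders on one account, and a card being used for several small "test" purchases in quick succession) is easy to express as rules over an order log. The following is an added example, not Ebuyer's or Cosy Feet's code, run over a constructed CSV order log; the thresholds (more than three orders from one account within 30 minutes, and three or more orders of £5 or less on one card within an hour) are assumptions chosen for illustration, not any retailer's real policy.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are illustrative assumptions, not any retailer's real policy.
BURST_MAX = 3                         # more orders than this from one account ...
BURST_WINDOW = timedelta(minutes=30)  # ... within this window counts as "mass orders"
TEST_MAX_AMOUNT = 5.00                # orders at or below this are "small" (e.g. phone credit)
TEST_MIN_COUNT = 3                    # this many small orders on one card ...
TEST_WINDOW = timedelta(hours=1)      # ... within this window counts as card testing

# Constructed sample order log (not real data): order_id,account,card_last4,amount,timestamp
SAMPLE_LOG = """\
order_id,account,card_last4,amount,timestamp
1001,alice,4242,89.99,2007-01-10T09:12:00
1002,bob,1111,1.00,2007-01-10T09:15:00
1003,bob,1111,1.50,2007-01-10T09:20:00
1004,bob,1111,2.00,2007-01-10T09:31:00
1005,carol,9876,499.00,2007-01-10T10:00:00
1006,carol,9876,499.00,2007-01-10T10:02:00
1007,carol,9876,499.00,2007-01-10T10:04:00
1008,carol,9876,499.00,2007-01-10T10:06:00
1009,alice,4242,12.50,2007-01-10T14:00:00
"""


def parse_orders(text):
    """Read the CSV log into dicts, sorted by time."""
    orders = []
    for row in csv.DictReader(io.StringIO(text)):
        orders.append({
            "order_id": row["order_id"],
            "account": row["account"],
            "card_last4": row["card_last4"],
            "amount": float(row["amount"]),
            "ts": datetime.fromisoformat(row["timestamp"]),
        })
    orders.sort(key=lambda o: o["ts"])
    return orders


def _first_run_within(orders, window, min_count):
    """Sliding window over time-sorted orders: return the order IDs of the first
    run of at least min_count orders whose timestamps all fall within window."""
    orders = sorted(orders, key=lambda o: o["ts"])
    start = 0
    for end in range(len(orders)):
        while orders[end]["ts"] - orders[start]["ts"] > window:
            start += 1
        if end - start + 1 >= min_count:
            return [o["order_id"] for o in orders[start:end + 1]]
    return None


def detect_bursts(orders):
    """Accounts placing more than BURST_MAX orders within BURST_WINDOW."""
    by_account = defaultdict(list)
    for o in orders:
        by_account[o["account"]].append(o)
    alerts = []
    for account, rows in by_account.items():
        ids = _first_run_within(rows, BURST_WINDOW, BURST_MAX + 1)
        if ids:
            alerts.append({"rule": "burst", "subject": account, "orders": ids})
    return alerts


def detect_card_testing(orders):
    """Cards used for TEST_MIN_COUNT or more small orders within TEST_WINDOW."""
    by_card = defaultdict(list)
    for o in orders:
        if o["amount"] <= TEST_MAX_AMOUNT:
            by_card[o["card_last4"]].append(o)
    alerts = []
    for card, rows in by_card.items():
        ids = _first_run_within(rows, TEST_WINDOW, TEST_MIN_COUNT)
        if ids:
            alerts.append({"rule": "card_testing", "subject": card, "orders": ids})
    return alerts


def review_orders(text):
    """Run every rule over a CSV order log and return the alerts."""
    orders = parse_orders(text)
    return detect_bursts(orders) + detect_card_testing(orders)


if __name__ == "__main__":
    for alert in review_orders(SAMPLE_LOG):
        print(f"{alert['rule']:<13} {alert['subject']:<6} orders {', '.join(alert['orders'])}")
```

Each alert names the rule, the account or card it concerns, and the orders that triggered it, which is what a fraud team needs in order to contact the customer the way Cosy Feet does. The sliding window is deliberately simple; the same shape extends to the other signal mentioned above, an order that does not fit the customer's profile, by adding a rule that compares an order against that account's history.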

Government Involvement:

To help protect the data of anyone using an e-commerce website, the government has set up laws in aid of protecting online customer data. The main laws that help protect customer data include:

Data Protection Act 1998 (replacing the 1984 Act)

The Data Protection Act provides the legal basis for the privacy and protection of individuals' data in the UK. It places restrictions on organisations that collect or hold data which can identify a living person. Data collected by any person or organisation may only be used for the specific purposes for which it was collected, may only be kept for an appropriate length of time, and must not be disclosed to other parties without the consent of the data subject. The Act is overseen by an independent authority, the Information Commissioner's Office, with which persons and organisations that store personal data must register.

Computer Misuse Act 1990

The Computer Misuse Act protects computer data by making offences of, among other things, "unauthorised access to computer material". Someone who "hacks" into a system can therefore be charged and convicted under the Act.

Distance Selling

The Consumer Protection (Distance Selling) Regulations 2000 (the "Regulations") came into force in the UK on 31st October 2000. They govern sales made at a distance, such as online: the seller must give the customer clear information before the sale (who they are, what the goods are, the price and delivery arrangements), and the customer has a cancellation ("cooling-off") period after the goods arrive. They are not an anti-spam law; unsolicited marketing e-mail is covered separately by the Privacy and Electronic Communications Regulations 2003.

However, are all these rules and regulations preventing crime? The short answer is no. On 10th January 2007 it was revealed that almost a third of UK businesses were flouting data protection and privacy laws.
It seems that no matter what the protection, be it a piece of software or a law, there will always be someone who breaks through and obtains someone's data. Many techno-phobes even use this as an excuse never to use a PC, arguing that once their data is on a computer it is "never safe".
On the other hand, in the past few years the government has become far more aware of the importance of keeping customer data secure over the internet. Maybe in due course the laws and regulations will simply put people off trying to get at customers' data.