Introduction to E-Commerce

Introduction to E-Commerce

E-Commerce (Electronic Commerce) refers to the buying and selling of goods, services, and information over electronic networks, primarily the Internet.

Key Components of E-Commerce:

1. Online Stores / Marketplaces: Platforms like Amazon, Flipkart, eBay.
2. Electronic Payment Systems: Digital methods for transactions.
3. Supply Chain Management: Handling inventory, shipping, and logistics electronically.
4. Customer Interaction: Online support, reviews, and feedback systems.

Advantages:

• Global reach and accessibility
• Lower operational costs
• Quick transactions and real-time updates
• Personalized customer experience

Threats to E-Commerce

E-Commerce systems are vulnerable to various security threats that can affect business operations and customer trust:

1. Fraudulent Transactions: Unauthorized purchases using stolen payment information.
2. Phishing Attacks: Fake emails or websites tricking users into revealing sensitive data.
3. Data Breaches: Unauthorized access to customer databases, including personal and financial information.
4. Denial of Service (DoS) Attacks: Overloading e-commerce websites, making them unavailable to users.
5. Malware and Spyware: Infections that can steal data or disrupt services.
6. Identity Theft: Misuse of personal information for illegal activities.

Electronic Payment Systems (EPS)

Electronic payment systems enable secure, fast, and convenient financial transactions online.

Types of EPS:

1. e-Cash: Digital currency stored on electronic devices or smart cards; used for small transactions.
2. Credit/Debit Cards: Most common EPS for online purchases; require secure gateways.
3. E-Wallets / Mobile Payments: Services like Paytm, Google Pay, PhonePe.
4. Bank Transfers / Online Banking: Direct transfer of funds between accounts.

Security Measures:

• Secure Sockets Layer (SSL) for encrypted transactions
• Two-factor authentication (2FA)
• Tokenization and fraud detection systems

Digital Signature

A digital signature is a cryptographic method to verify the authenticity and integrity of digital messages or documents.

Key Points:

• Provides authentication: Confirms sender identity.
• Ensures integrity: Detects changes in the message.
• Provides non-repudiation: Prevents sender from denying sending the message.

Working:

1. Sender creates a message digest using a hash function.
2. Encrypts the digest with their private key (digital signature).
3. Receiver decrypts it with the sender’s public key and verifies the digest.

Cryptography

Cryptography is the science of securing information by transforming it into unreadable formats (encryption) and allowing authorized users to revert it (decryption).

Types of Cryptography:

1. Symmetric Key Cryptography: Same key for encryption and decryption (e.g., AES).
2. Asymmetric Key Cryptography: Uses public and private key pairs (e.g., RSA).
3. Hash Functions: Convert data into a fixed-size string (e.g., SHA-256) for integrity checks.

Applications in E-Commerce:

• Secure transactions
• Protecting customer data
• Digital signatures
• Secure storage of passwords

Developing Secure Information Systems

Developing a secure system ensures protection against threats, data breaches, and unauthorized access.

Best Practices:

1. Secure Software Development: Follow SDLC with security at each phase (secure coding, testing).
2. Encryption of Data: Protect data at rest and in transit.
3. Authentication & Authorization: Strong passwords, 2FA, role-based access.
4. Regular Updates & Patch Management: Prevent exploitation of vulnerabilities.
5. Firewalls and Intrusion Detection Systems (IDS): Protect against external attacks.
6. Security Policies & Awareness Training: Educate employees and users about best practices.

Summary Table

Topic	Key Points
E-Commerce	Buying/selling over the Internet; global reach, convenience
Threats to E-Commerce	Fraud, phishing, data breaches, DoS attacks, malware, identity theft
Electronic Payment Systems	e-Cash, credit/debit cards, e-wallets, bank transfers; secured by SSL & 2FA
Digital Signature	Verifies authenticity, integrity, non-repudiation using cryptography
Cryptography	Symmetric/asymmetric encryption, hashing; secures data & transactions
Developing Secure IS	Secure coding, encryption, access control, firewalls, IDS, employee training

Application Development Security

Application Development Security ensures that software is designed, developed, and deployed with security in mind to prevent vulnerabilities and attacks.

Key Principles:

1. Secure SDLC (Software Development Life Cycle): Integrate security at every phase: Planning → Requirements → Design → Development → Testing → Deployment → Maintenance
2. Input Validation: Prevents attacks like SQL injection, XSS (Cross-site scripting).
3. Authentication & Authorization: Secure login, session management, and role-based access.
4. Encryption: Protect sensitive data in transit and storage.
5. Regular Security Testing: Use penetration testing and code reviews to detect vulnerabilities.

Common Threats in Applications:

• Malware injection, buffer overflow, insecure APIs, poor session management.

Information Security Governance & Risk Management

a. Information Security Governance

• Definition: Framework of policies, procedures, and responsibilities to manage security within an organization.

Objectives:

• Align security with business goals
• Ensure compliance with laws and regulations
• Protect organizational assets and reputation

b. Risk Management

• Definition: Identifying, assessing, and mitigating risks to information and systems.

Process:

1. Identify Assets: Hardware, software, data, and personnel
2. Identify Threats & Vulnerabilities
3. Assess Risk: Probability × Impact
4. Implement Controls: Preventive, detective, corrective measures
5. Monitor & Review: Continuously evaluate security posture

Security Architecture & Design

Security architecture defines how security controls are integrated into IT systems and networks to protect against threats.

Key Principles:

1. Defense-in-Depth: Multiple layers of security (firewalls, IDS, encryption).
2. Least Privilege: Users and systems have only necessary access.
3. Segmentation & Isolation: Divide networks to limit breach impact.
4. Secure Design: Consider confidentiality, integrity, and availability from the beginning.

Components:

• Network security, application security, endpoint security, data protection, identity & access management.

Security Issues in Hardware, Data Storage & Downloadable Devices

a. Hardware Security

• Threats: Theft, tampering, unauthorized access.
• Measures: Locks, biometric access, device tracking, firmware security.

b. Data Storage Security

• Protect sensitive data on servers, databases, and cloud.
• Measures: Encryption, secure backups, access control, monitoring for unauthorized access.

c. Downloadable Devices (USB, external drives, etc.)

• Threats: Malware infection, data leakage.

Measures:

• Disable auto-run
• Scan devices before use
• Encrypt portable storage
• Use company-controlled devices only

Physical Security of IT Assets

Physical security ensures that IT resources are protected against theft, damage, or unauthorized access.

a. Access Control

• Restricts physical entry to authorized personnel.
• Methods: ID cards, biometric scanners, keypads, security guards.

b. CCTV Surveillance

• Monitors critical areas in real-time.
• Provides audit trail and deterrence against unauthorized activities.

c. Backup Security Measures

• Ensure backup data is safe and accessible during emergencies.

Measures:

• Offsite or cloud storage of backups
• Encryption of backup data
• Regular backup schedules and testing recovery procedures

Summary Table

Topic	Key Points
Application Development Security	Secure SDLC, input validation, authentication, encryption, security testing
Information Security Governance & Risk Management	Align security with business, compliance, risk identification, assessment, mitigation
Security Architecture & Design	Defense-in-depth, least privilege, segmentation, secure design
Security Issues in Hardware & Data Storage	Theft prevention, encryption, controlled access, malware prevention on devices
Physical Security of IT Assets	Access control (biometrics, cards), CCTV monitoring, secure backups (encrypted, offsite)