
THREATS TO

E-COMMERCE

LALA LAJPAT RAI COLLEGE

SY BAF 2010-2011
IT PROJECT
PRESENTED BY
SHEEMA ANSARI 910458
MAHENOOR CHASMAWALA 910435
SAYALI NATEKAR 910422
NIKITA TAMKER 910430
SAYLEE GOREGONKAR 910408
HUMA ANSARI 910402
CERTIFICATE
This is to certify that group no. 1 of division SY.BAF
has satisfactorily completed the required assignment
in Information Technology as per the course, during the
year 2010-2011.

Date :_______________________

Signature:_____________________
ACKNOWLEDGEMENT
We wish to express our sincere gratitude to PROF. MUNAVOR for providing
us an opportunity to do the project work on "Threats to E-commerce". This
project bears the imprint of many people. We also wish to express our
gratitude to our friends who rendered their help during the period of the
project work and for their kind co-operation in the completion of the project
work. Last but not least, we wish to avail ourselves of this opportunity to express
a sense of gratitude and love to our beloved parents for their moral
support, strength, help and for everything.
E-COMMERCE
Electronic commerce, commonly known as e-commerce or eCommerce,
consists of the buying and selling of products or services over electronic
systems such as the Internet and other computer networks. The amount of
trade conducted electronically has grown extraordinarily with widespread
Internet usage. Commerce conducted in this way spurs and draws on
innovations in electronic funds transfer, supply chain management, Internet
marketing, online transaction processing, electronic data interchange (EDI),
inventory management systems, and automated data collection systems.
Modern electronic commerce typically uses the World Wide Web at least at
some point in the transaction's lifecycle, although it can encompass a wider
range of technologies such as e-mail as well.

HOW DOES E-COMMERCE WORK?


• Step 1: Getting connected

A person connects to an online shopping website via the Internet. He
then has to create an account with the respective site. He is then allowed to
use the various facilities that the website provides.

• Step 2: Shopping cart

E-commerce shopping cart hosting allows a visitor to an e-commerce site to
collect a selection of merchandise over a period of time. The merchandise
could be services, digital downloads, or goods that the e-merchant will send or
have sent to the customer. The customer can add items to the cart, remove
items from the cart, and present the cart for checkout when he or she is ready
to initiate a transaction to pay for the items.

• Step 3: Details

The customer is asked to fill in the billing (and shipping, if different) details,
reply to any checkout questions, provide any additional information,
optionally subscribe to the newsletter and select a payment method.

• Step 4: Confirmation

The customer is asked to carefully review the details of her order and click
the "Proceed" button if all appears correct, or the back button to return to the
previous page for corrections.

• Step 5: Payment

Details of the selected payment method are provided. If one of the credit card
options is selected as the payment method, the customer is automatically
transferred to the respective service provider in order to complete this step.
All e-commerce payment transactions take place on the bank servers used by
the service providers; the merchant does not keep any credit card numbers or
private information about customers.

Once the order is completed, an e-mail is sent to the customer and the
merchant, informing them about the details of the order: products, quantity,
price, billing/shipping details and any additional information.

• Step 6: Warehouse and order fulfillment

The goods purchased by the customer are then sent to the warehouse for safe
keeping until the shipping order is placed. Finally, the goods are delivered
to the customer.

Things that can go wrong during such transactions:

• There are risks faced by both the client and the server

For eg -> fraud, server break-ins

• There are risks at the user's end

For eg -> active content, privacy infringement etc.

• And there are risks to the website

For eg -> cybersquatting, denial-of-service attacks etc.

VARIOUS KINDS OF THREATS TO E-COMMERCE


1> Money thefts

E-commerce services are about transactions, and transactions are very largely
driven by money. This attracts hackers, crackers and everyone with the
knowledge to exploit loopholes in a system. Once a kink in the armor is
discovered, they feed the system (and its users) with numerous bits of dubious
information to extract confidential data (phishing). This is particularly
dangerous, as the data extracted may be credit card numbers, security
passwords, transaction details etc.

2> Identity thefts

Hackers often gain access to sensitive information like user accounts, user
details, addresses, confidential personal information etc. It is a significant
threat in view of the privileges one can avail with a false identity.

For instance, one can effortlessly log in to an online shopping mart under a
stolen identity and make purchases worth thousands of dollars. He/she can
then have the order delivered to an address other than the one listed on the
records. One can easily see how those orders could be received by the
impostor without arousing suspicion. While the fraudster gains, the original
account holder continues to pay the price until the offender is nabbed.

3> Modification

The altering of incoming or outgoing data for a particular Web site, whether
intentional or not. This is a particularly pernicious hazard, since modification
is difficult to detect in large transmissions.

4> Unauthorized transactions

Any use of a Web site by someone without approval; and unauthorized
disclosure, the viewing of data without the appropriate permissions.

5> Intellectual property threats

The Internet presents a tempting target for intellectual property threats. It has
become very easy to reproduce an exact copy of anything found on the
Internet, and this poses a threat to intellectual property. People are unaware
of copyright restrictions and unwittingly infringe them, since fair use permits
only limited use of copyrighted material, and only when certain conditions are met.

6> Cybersquatting

It is registering, selling or using a domain name with the intent of profiting
from the goodwill of someone else's trademark. It generally refers to the
practice of buying up domain names that use the names of existing businesses
with the intent to sell the names for a profit to those businesses.

For eg -> Hasbro is the famous game producer of the Monopoly board game,
which has been played by approximately 750 million people worldwide.
Hasbro maintains two relevant web sites, namely www.monopoly.com
and www.hasbro.com. However, you can find sites with the
domain www.monopolybingo.com.

Another eg -> Ford is the well known, longstanding car company which needs
no introduction. Ford maintains a website at www.ford.com. Ford owns
numerous trademark registrations for its FIESTA vehicle. The Respondent was an
official Ford approved vendor. The Respondent claimed that it registered and
developed the domain names www.fiesta-armrest.com, www.fiesta-armrest.net,
www.fiestaarmrest.com, www.fiestaarmrest.net etc. Ultimately,
the Panel was not swayed by the arguments presented by the Respondent, and the
domains were ordered to be TRANSFERRED.

7> Data destruction


The accidental or malicious loss of data on a Web site and the interception of
data flowing from or to the Web site, whether this data be encrypted or not.

8> Interference

The derailing of a Web site by rerouting data intended for a site or
overloading a site with data not intended for it, thus crippling the server.

9>Repudiation

The denial on the part of a consumer or customer that an on-line order was
ever placed or the goods ever received.

10> Spam

It is flooding the Internet with many copies of the same message, in an
attempt to force the message on people who would not otherwise choose to
receive it. Most spam is commercial advertising, often for dubious products.

However, in some cases e-mail disguised as spam may actually be malicious in
nature and not intended to advertise a product or service at all. In these
cases, senders devise a way to make the e-mail look like spam in the hope that
recipients visit a Web site where viruses may be downloaded onto their
computers. While not true spam, such unsolicited e-mails do make malicious
intent harder to spot.

11> Website defacement

A website defacement is an attack on a website that changes the visual
appearance of the site. These are typically the work of system crackers, who
break into a web server and replace the hosted website with one of their own.
Sometimes the defacer makes fun of the system administrator for failing to
maintain server security. Most of the time the defacement is harmless; however, it
can sometimes be used as a distraction to cover up more sinister actions such
as uploading malware.

For eg -> First Forensic Forum, a UK based association of computer security
professionals, was hacked. F3.org's website was defaced with a message
poking fun at the association of computer forensic experts. The timing of the
defacement on Thursday was fortuitous (or well planned), since the
organisation was coming to the end of a two day conference.

The perpetrator of the attack posted a message taunting the organisation:

"The F3 For Security Hacked. What's Happened In The world. Thay Are No
Security Or What," S4udi-S3curity-T3rror writes.

Additional info

What are hackers?

Technically, a hacker is someone who is enthusiastic about computer
programming and all things relating to the technical workings of a computer.
Under such a definition, I would gladly brand myself a hacker. However, most
people understand a hacker to be what is more accurately known as a
'cracker'.

What are crackers?

Crackers are people who try to gain unauthorized access to computers. This is
normally done through the use of a 'backdoor' program installed on your
machine. A lot of crackers also try to gain access to resources through the use
of password cracking software, which tries billions of passwords to find the
correct one for accessing a computer.

12> Denial-of-service attack (DoS attack)

A denial-of-service attack (DoS attack), or a distributed denial-of-service
attack (DDoS attack) when it is launched from many machines at once, is an
attempt to make a computer resource unavailable to its intended users, that is,
to prevent an Internet site or service from functioning efficiently or at all,
temporarily or indefinitely.

A DoS attack can be perpetrated in a number of ways. The five basic types of
attack are:

1. Consumption of computational resources, such as bandwidth, disk
space, or processor time.
2. Disruption of configuration information, such as routing information.
3. Disruption of state information, such as unsolicited resetting of TCP
sessions.
4. Disruption of physical network components.
5. Obstructing the communication media between the intended users and
the victim so that they can no longer communicate adequately.

13> IP spoofing

An IP (Internet Protocol) address is the address that reveals the identity of
your Internet service provider and your personal Internet connection. The
address can be seen by the sites you browse and in all of the
correspondence that you send. IP spoofing hides the sender's IP address by creating
IP packets that carry a bogus source IP address, in an effort to impersonate other
connections and hide the sender's identity. IP spoofing is
a common method used by spammers and scammers to mislead others
about the origin of the information they send.

14> Hacking

It is gaining access to personal information without the owner's authorization.

15> Trojan

A Trojan horse, or Trojan, is malware that appears to perform a desirable
function for the user prior to being run or installed, but instead facilitates
unauthorized access to the user's computer system. "It is a harmful piece of
software that looks legitimate. Users are typically tricked into loading and
executing it on their systems."

16> Virus

A program fragment that is attached to a legitimate program with the intention
of infecting other programs. It is hidden, self-replicating computer software,
usually malicious logic, that propagates by infecting other programs.

17> Worm

A computer program that can run independently, can propagate a complete
working version of itself onto other hosts on a network, and may consume
computer resources destructively.

18> Phishing

The act of sending an e-mail to a user falsely claiming to be an established,
legitimate enterprise in an attempt to scam the user into surrendering private
information that will be used for identity theft. The e-mail directs the user to
visit a Web site where they are asked to update personal information, such as
passwords and credit card, social security, and bank account numbers, that
the legitimate organization already has. The Web site, however, is bogus and
set up only to steal the user's information.

For eg -> 1) Like any phishing e-mail, this one tries to manipulate the recipient.
Because the message insists that this very attractive offer is only
available for a limited period of time, the victim is urged to log on to the site as
quickly as possible by clicking on the link in the e-mail. In phishing e-mails,
the hypertext links are always rigged to redirect the victim to a fake Web site.
Here the link seems correct at first sight; in reality, it redirects the
victim to the site pinacle.co.uk and not to pinnacle.co.uk.

If you receive an e-mail of this type:

• do not click on the link;
• do not copy it into your browser;
• use your normal method to visit the Web site: if the offer really exists,
you will be able to find it on the site;
• if you do not find the offer, and you are suspicious, contact the
organisation by the regular methods.

2) PayPal phishing scams

In this example, a PayPal phishing scam tries to cheat recipients by
posing as a security alert. It claims that someone from a foreign IP address
tried to log in to the recipient's PayPal account, and the e-mail includes a link
that urges recipients to click it to update and confirm their account details.
Clicking the link actually directs the recipient to the attacker's website.
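The two phishing examples above (the pinacle.co.uk link and the PayPal alert) and the cybersquatting domains in section 6 share one defensive check: does a link's host really belong to the brand it claims? The Python below is an added example, not part of this project, that flags anchors whose visible text names a different domain than their href, and hosts that are near-misses of, or embed, a protected brand domain. The brand list and the e-mail body are constructed for the demonstration, and registrable_domain is a deliberate approximation.

```python
import re
import difflib
from urllib.parse import urlparse

# Brand domains to protect; constructed from the domains this write-up names.
PROTECTED_DOMAINS = ["pinnacle.co.uk", "paypal.com", "monopoly.com", "hasbro.com"]

# Constructed sample e-mail body modelled on the two phishing examples above.
SAMPLE_EMAIL = """
<p>Limited time offer! <a href="http://www.pinacle.co.uk/offer">www.pinnacle.co.uk/offer</a></p>
<p>Login from a foreign IP. <a href="http://paypal.com.account-verify.example/login">Confirm your PayPal account</a></p>
<p><a href="https://www.pinnacle.co.uk/">Visit our store</a></p>
"""

# (href, visible text) for each anchor; assumes simple double-quoted markup.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# A domain name appearing in the anchor's visible text.
DOMAIN_IN_TEXT_RE = re.compile(r"([a-z0-9-]+\.)+[a-z]{2,}")

def registrable_domain(host):
    """Crude eTLD+1: keep two labels, or three for forms like example.co.uk.
    Assumption: adequate for these samples; real code uses the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in ("co", "com", "org", "ac") and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def classify_link(href, text):
    """Return findings for one anchor.
    'display-mismatch': the visible text names a different domain than the href.
    'lookalike:<brand>': the href host is a near-miss of, or embeds, a protected
    brand without being that brand's own domain."""
    findings = []
    host = urlparse(href).hostname or ""
    target = registrable_domain(host) if host else ""
    shown = DOMAIN_IN_TEXT_RE.search(text.lower())
    if shown and target and registrable_domain(shown.group(0)) != target:
        findings.append("display-mismatch")
    for brand in PROTECTED_DOMAINS:
        if target == brand:
            continue  # the genuine domain itself is not a lookalike
        similar = difflib.SequenceMatcher(None, target, brand).ratio() >= 0.85
        if similar or brand.split(".")[0] in host:
            findings.append(f"lookalike:{brand}")
    return findings

def scan_email(html):
    """Map each href in the body to its findings; an empty list means clean."""
    return {href: classify_link(href, re.sub(r"<[^>]+>", "", text).strip())
            for href, text in ANCHOR_RE.findall(html)}
```

Run against SAMPLE_EMAIL, the first two links are flagged and the genuine www.pinnacle.co.uk link comes back clean; the same routine flags www.monopolybingo.com against the monopoly.com brand.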
WAYS TO PREVENT THREATS

>Authentication

Most notable are the advances in the identification and elimination of
non-genuine users. E-commerce service designers now use multi-level
identification protocols like security questions, encrypted
passwords (encryption), biometrics and others to confirm the identity of their
customers. These steps have found wide favor all around due to their
effectiveness in weeding out unwelcome access.

>Intrusion check

The issue of tackling viruses and their like has also seen rapid development,
with anti-virus vendors releasing strong anti-virus products. These are developed by
expert programmers who are a notch above the hackers and crackers
themselves.

Firewalls are another common way of implementing security measures. These
programs restrict access to and from the system to pre-checked users and access
points.

>Educating users

E-commerce is run primarily by users. Thus, e-commerce service providers
have also turned to educating users about safe practices that make the entire
operation trouble free. Recent issues like phishing have been tackled to a good
extent by informing genuine users of the perils of disclosing their confidential
information to unauthorized information seekers.

>Patents

A patent is a document issued by a government office, which describes the
invention and creates a legal situation in which the patented invention can
only be exploited (altered, used or sold) by, or with the authorization of, the
patentee.

>Trademarks

Trademarks are signs used to distinguish phenomena such as goods, services,
and organizations from other phenomena of a similar nature.

>Digital Rights Management (DRM)

DRM is built on a technology to authorize and track the use of digital files,
wherever they are used.

CASE STUDY

1

Facts :

Two BPO employees gained illegal access to their company's computer system
by hacking the passwords. They conspired with the son of a credit card
holder and illegally increased the credit limit of the card and changed the
communication address so that the credit statements never reached the original
card holder. The credit card company was cheated of Rs. 7.2 lakhs.

Investigation by police:

The computer systems of the BPO company were examined along with the
computer logs showing access to the computer system by the accused. The
presence of the accused was also verified against the attendance register.

Action :

Charges framed u/s 120(B), 420, 467, 468, 471 IPC and sec. 66 of the IT Act
{imprisonment up to six months, or with fine, or with both}

2

Facts :

24-year-old Nadeem Hamid, an employee of HSBC, allegedly accessed personal
information, security information and debit card information of some
customers, and these details were passed on to fraudsters who diverted
approx. Rs. 2 crores from the clients' accounts.

Action :

A case has been registered under sec. 66 and sec. 72 of the IT Act and 408, 420
of the Indian Penal Code. {shall be punished with imprisonment of either
description for a term which may extend to seven years, and shall also be
liable to fine}
