
Online Security

THE NEED

Based on a survey by Symantec


- Number of adults exposed to cyber crimes in 2010-11: 431 million
- Number of adults exposed to cyber crimes daily: more than 1 million
- Number of adults exposed to cyber crimes per second: 14
- 69% of people have been victims of cyber crimes
- Increase in mobile vulnerability: 42%

Cost of Cyber Crime Apathy

Cost of ineffective online security by online adults in 24 countries in 2011 = USD 338 billion:
- 114 billion directly lost by victims
- 274 billion: the value victims placed on the time they lost to cyber crimes
- Larger than the global black market in marijuana, cocaine and heroin combined ($288bn), and approaching the value of all global drug trafficking ($411bn)
- The 2011 bill for cybercrime is more than 100 times the global annual expenditure of UNICEF ($3.65bn)

Situation in India

In 2011, 1791 cyber crime cases were registered with the National Crime Records Bureau (NCRB).

Share of the 1791 cases registered with NCRB, by state:

State            % of cases
Rajasthan        7%
Karnataka        8.40%
Kerala           13.70%
Maharashtra      17.10%
Andhra Pradesh   19.50%

In 2011, cases registered under the Indian Penal Code = 422, 18.5% more than those registered in 2010 (356).

Percentage of registered cases, by state:

State          %
Delhi          11.6
Chhattisgarh   18
Maharashtra    20.6

53 mega cities have reported 858 cases under the IT Act 2000, 147% higher than in 2009 (347).

Percentage of cases registered under the IT Act 2000, by city:

City             %
Delhi            10
Hyderabad        13.4
Jaipur           15.2
Pune             16.6
Vishakhapatnam   21.4
Bangalore        23.4

Need to remove Apathy

[Chart: percentage of victims of cybercrime, with bars at 15% and 44%]

According to the (Amended) IT Act 2008, CERT-In (Indian Computer Emergency Response Team) is designated to serve as the national agency for cyber security. CERT-In's 2010 annual report claims:
- 6.9 million bot-infected systems
- 14348 website defacements
- Between January and September 2011, 6850 .in and 4150 .com domains were defaced
The Norton cybercrime report says 30 million people were cyber crime victims in 2010, with 4 billion in direct financial losses and 3.6 billion in time spent resolving the cases.

India is the 3rd most targeted country for Phishing attacks


People in India need to step forward with their complaints, as the number of cyber crime victims far outweighs the number of registered cases.

The E-Commerce Security Environment


Sources of information:
- Internet Crime Complaint Center (IC3): a partnership between the National White Collar Crime Center and the Federal Bureau of Investigation
- The Computer Security Institute
- Security product providers

Security Threats in the E-commerce Environment


Three key points of vulnerability:
- Client
- Server
- Communications channel

Most common threats:
- Malicious code
- Hacking and cyber vandalism
- Credit card fraud/theft
- Spoofing
- Denial of service attacks
- Sniffing
- Insider jobs

A Typical E-commerce Transaction

Vulnerable Points in an E-commerce Environment

Malicious Code

- Viruses: a computer program that has the ability to replicate and spread to other files; most also deliver a payload of some sort (which may be destructive or benign); include macro viruses, file-infecting viruses and script viruses
- Worms: designed to spread from computer to computer
- Trojan horse: appears to be benign, but then does something other than expected
- Bad applets (malicious mobile code): malicious Java applets or ActiveX controls that may be downloaded onto the client and activated merely by surfing to a Web site

Hacking and Cybervandalism


- Hacker: an individual who intends to gain unauthorized access to a computer system
- Cracker: used to denote a hacker with criminal intent (the two terms are often used interchangeably)
- Cyber vandalism: intentionally disrupting, defacing or destroying a Web site

Types of hackers include:
- White hats: members of tiger teams used by corporate security departments to test their own security measures
- Black hats: act with the intention of causing harm
- Grey hats: believe they are pursuing some greater good by breaking in and revealing system flaws

Credit Card Fraud

- Fear that credit card information will be stolen deters online purchases
- Hackers target credit card files and other customer information files on merchant servers; stolen data is used to establish credit under a false identity
- One solution: new identity verification mechanisms

Insight on Society: E-Signatures Bane or Boon to E-commerce?

Electronic Signatures in Global and National Commerce Act (E-Sign Law):
- Went into effect October 2001
- Gives as much legal weight to an electronic signature as to the traditional version
- Thus far not much impact
- Companies such as Silanis and others are still moving ahead with new e-signature options

Spoofing, DoS and dDoS Attacks, Sniffing, Insider Jobs


- Spoofing: misrepresenting oneself by using fake e-mail addresses or masquerading as someone else
- Denial of service (DoS) attack: hackers flood a Web site with useless traffic to inundate and overwhelm the network
- Distributed denial of service (dDoS) attack: hackers use numerous computers to attack the target network from numerous launch points
- Sniffing: a type of eavesdropping program that monitors information traveling over a network; enables hackers to steal proprietary information from anywhere on a network
- Insider jobs: the single largest financial threat

TWO LINES OF DEFENSE:
- TECHNOLOGY SOLUTIONS
- POLICY SOLUTIONS

Technology Solutions

Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone other than the sender and the receiver.

Purpose of Encryption:
- Secure stored information
- Secure information transmission

Encryption provides four key dimensions of e-commerce security:
- Message integrity
- Nonrepudiation
- Authentication
- Confidentiality

1. Symmetric Key Encryption: Both the sender and the receiver use the same key to encrypt and decrypt the message.

Common flaws in early methods of encryption:
- Used extensively throughout the world war; ancient means of encryption can be broken quickly in the digital age.
- Symmetric key encryption requires that both parties share the same key.
- In commercial use, a separate secret key is required for transactions with every party.

2. Public Key Encryption: Solves the problem of exchanging keys. Two mathematically related digital keys are used:
- Private key: kept secret by the owner
- Public key: widely disseminated

Drawbacks of public key encryption:
- No authentication of the sender
- No assurance that the message was not altered in transit
- Potential lack of integrity in the system

3. PKE using Digital Signatures and Hash Digests

- Hash function: an algorithm that produces a fixed-length number called a hash or message digest.
- Digital signature: signed cipher text that can be sent over the internet.

4. Digital Envelopes: A technique that uses symmetric encryption for large documents, but public key encryption to encrypt and send the symmetric key.

5. Digital Certificates: A digital document issued by a certification authority that contains the name of the subject or company, the subject's public key, a digital certificate serial number and other identifying information.

6. Public Key Infrastructure: Refers to the CAs and digital certificate procedures that are accepted by all parties.
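The digital envelope of point 4 in working code, as an added example that is not part of these slides: the document is encrypted under a fresh AES-256-GCM key, and only that 32-byte key is encrypted with the recipient's RSA public key (RSA-OAEP), so public-key encryption never touches the bulk data. Written in Go against the standard library; the names Envelope, Seal, Open and NewKey, the 2048-bit key size and the sample document are this example's own choices.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Envelope carries the document under a one-time AES-256-GCM key, plus that key
// wrapped with the recipient's RSA public key (RSA-OAEP with SHA-256).
type Envelope struct{ Nonce, Ciphertext, WrappedKey []byte }

// NewKey makes a 2048-bit RSA key pair; a real deployment loads keys from a keystore.
func NewKey() *rsa.PrivateKey {
	k, _ := rsa.GenerateKey(rand.Reader, 2048)
	return k
}

func aead(key []byte) cipher.AEAD { // AES-256-GCM; a 32-byte key cannot fail here
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Seal: symmetric encryption for the bulk document, public-key encryption only for the key.
func Seal(doc []byte, to *rsa.PublicKey) (*Envelope, error) {
	buf := make([]byte, 44) // fresh 32-byte key + 12-byte nonce, used for this message only
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, to, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{nonce, aead(key).Seal(nil, nonce, doc, nil), wrapped}, nil
}

// Open unwraps the key with the recipient's private key and decrypts; the GCM tag
// makes decryption fail if the ciphertext was altered in transit.
func Open(env *Envelope, me *rsa.PrivateKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, me, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return aead(key).Open(nil, env.Nonce, env.Ciphertext, nil)
}
```

The GCM tag gives the recipient integrity, but authenticating the sender (point 3) would still require a signature over the document's hash digest on top of this envelope.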

Methods of securing communication channels

- Secure Sockets Layer (SSL): provides data encryption, server authentication, optional client authentication and message integrity for TCP/IP connections.
- Secure Hypertext Transfer Protocol (S-HTTP): a secure message-oriented communications protocol designed for use in conjunction with HTTP.
- Virtual private networks (VPNs): allow remote users to securely access internal networks via the internet, using the Point-to-Point Tunneling Protocol.

Protecting Networks:

- Firewall: refers to either hardware or software that filters communication packets and prevents some packets from entering the network based on a security policy.
- Proxy servers: a software server that handles all communications originating from or being sent to the Internet, acting as a spokesperson or bodyguard for the organization.

Protecting Servers and Clients

- Operating system security enhancements: automatic computer security upgrades provided by Microsoft Windows and Apple's OS.
- Anti-virus software: inexpensive tools to identify and eradicate the most common types of malicious code, e.g. McAfee, Symantec etc.

Online Gateway

A payment gateway is an e-commerce application service provider service that authorizes payments for:
- e-businesses
- online retailers
- bricks and clicks, or
- traditional brick and mortar

It is the equivalent of a physical point of sale terminal located in most retail outlets.

Payment gateways protect credit card details by encrypting sensitive information, such as credit card numbers, to ensure that information is passed securely between the customer and the merchant and also between merchant and the payment processor.

How a Payment Gateway Works

Dimensions of E-Commerce Security


- Integrity
- Nonrepudiation
- Authenticity
- Confidentiality
- Privacy
- Availability

Thank you
Siddhart Lahoti Yash Ambegaokar Abhinav Rege Anuj Dayama Ankit Gupta
