Đang tải... (xem toàn văn)
Ecommerce is the activity of buying or selling of products on online services or over the Internet. Electronic commerce draws on technologies such as mobile commerce, electronic funds transfer, supply chain management, Internet marketing, online transaction processing, electronic data interchange (EDI), inventory management systems, and automated data collection systems.
Table of Contents I)Abstract ……………………………………………………………………….01 Introduction ……………………………………………………………….02 The Threats to E-Commerce…………………………………………… 03 3.Privacy Issues……………………………………………………………….06 4.The Distributed Denial of Service Attacks (DDOS)…………………… 09 Conclusions……………………………………………………………… 12 II) WHY WEB SECURITY IS IMPORTANT? 20 1.LIST OF TYPES OF CYBER ATTACKS……………………………… 22 2.PHYSICAL SECURITY FOR SERVERS……………………………… 24 3.Protecting Computer Hardware ………………………………………… 28 4.Protecting Your Data……………………………………………………….30 5.ABOUT SSL…………………………………………………………………35 6.What Does SSL Really Protect? 38 III) E-COMMERCE WEBSITE SECURITY ISSUES…………………… 39 1.Privacy………………………………………………………………… .40 2.Integrity, Authentication & Non-Repudiation……………………… 41 3.Technical Attacks………………………………………………………… 43 4.Non-Technical Attacks…………………………………………………… 43 5.Conclusion………………………………………………………………… 44 6.15 Ways to Protect Your Ecommerce Site From Hacking and Fraud……………….46 IV) SECURITY THREATS OF E-COMMERCE…………………………….51 1.What is an e-commerce threat? 51 2.Distributed Denial of Service or DDoS Attacks……………………………55 3.Man in the Middle Attacks………………………………………………….59 V) E-COMMERCE: SECURITY AND PRIVACY………………………… 60 *INTRODUCTION……………………………………………………………60 1.What is Security in E-Commerce ? 61 PUBLIC CONCERNS REGARDING E-COMMERCE…………………64 3.Privacy in E-Commerce…………………………………………………… 66 3.1 Main factors of distrust – security and privacy………………………69 3.2 Contradictory feelings about privacy…………………………………70 PRIVACY ISSUES………………………………………………………….71 E-commerce Security Tips………………………………………………….77 GUIDELINES FOR COMPANIES……………………………………… 83 7.Conclusion……………………………………………………………………85 Reference…………………………………………………………………………86 I)Abstract Without trust, most prudent business operators and clients may decide to forgo use of the Internet and revert back to traditional methods of doing business To counter this trend, the issues of network security at the ecommerce and customer sites must be constantly reviewed and appropriate countermeasures devised These security measures must be implemented so that they not inhibit or dissuade the intended e-commerce operation This paper will discuss pertinent network and computer security issues and will present some of the threats to e-commerce and customer privacy These threats originate from both hackers as well as the ecommerce site itself A straightforward comparison could be made of the security weaknesses in the postal system vs security weaknesses on the Net The vulnerable spots in both cases are at the endpoints – the customer’s computer/network and the business’ servers/network Information flowing in the conduit (trucks/planes and wires) is relatively immune to everyday break-ins Privacy issues are amongst the major drivers for improved network security along with the elimination of theft, fraud and vandalism Two major threats to customer privacy and confidence come from sources both hostile to the environment as well as sources seemingly friendly Coordinated attacks on Yahoo, eBay, ZDNet, Buy.com (on their IPO day) and amazon.com generated a huge amount of publicity and a federal government response A brief description of these attacks will be given in this paper Another threat may originate at ostensibly friendly companies such as DoubleClick, MemberWorks and similar firms that collect customer information and route it to other firms Much of this transaction information is able to be associated with a specific person making these seemingly friendly actions potential threats to consumer privacy Many of the issues and countermeasure discussed here come from experiences derived with consulting with clients on how to maintain secure e-commerce facilities These methods and techniques can be useful in a variety of client and server environments, also serving to alert ecommerce users of potential threats Introduction The eradication of trust in Internet commerce applications may cause prudent business operators and clients to forgo use of the Internet for now and revert back to traditional methods of doing business This loss of trust is being fueled by continued stories of hacker attacks on e-commerce sites and consumer data privacy abuse Hackers demanding a ransom from an ecommerce site for not publishing customer credit card information have increased the visibility of the network security weaknesses in most business institutions The conflict between convenience and ease-of-use vs security has always been resolved in favor of convenience However, recent virus attacks against Microsoft Outlook (The NIMDA, Code Red worms, the "ILOVEYOU", "Resume" and KAK viruses) have demonstrated that convenience allows the rapid proliferation of viruses and worms throughout the Internet Microsoft released a patch that disabled the feature that allows the “ILOVEYOU” virus to work This is the first time a software vendor has released a patch that restricted a feature Further, the success of the Distributed Denial of Service (DDOS) attacks against major e-commerce sites pointed out the importance of maintaining adequate security at sites not even remotely associated with the targeted e-commerce sites Not all of this is bad news The majority of security breaches on the Internet occur at the endpoints, i.e., the local network, rather than the main "backbone" of the Internet This situation allows us to make a comparison of the security weaknesses in the postal system and the Internet The most vulnerable spots of the postal infrastructure are at the endpoints: the mailboxes at the sender and recipient sites An example of abuse in the postal system was reported in a Roanoke Times newspaper reprint of a Los Angeles Times article that describes a thief stealing postal mail from mailboxes The thieves were stealing bills, paychecks and other consumer identity related mail from the victim’s home mailboxes or from the postal system’s street mailboxes This type of security breach happens much more often than one in which a thief steals directly from inside a post office Security standards, controls and practices have been developed within the main trunks of the postal infrastructure to monitor and hopefully prevent mail interception or tampering when the letter is in the system Similar controls are in place at the equivalent Internet network level Controls at the endpoints on the other hand vary widely from very good (usually at the originating business) to non-existent (usually at the home computer) Consumer privacy is becoming the most publicized security issue replacing theft and fraud as top concerns in e-commerce The DDOS attacks demonstrated that business sites did not maintain adequate security protection and intrusion detection measures Some of the sites did not detect the compromise, which occurred months before the DDOS attacks The hackers who penetrated these sites had the ability to deliver a data integrity attack on the compromised business for the same amount of time Businesses were spared simply because the hackers chose not to attack them in that manner The recent NIMDA and Code Red worms succeeded in penetrating systems because sysadmins failed to installed vendor patches No customer will want to use a business that distributes sensitive customer data such as credit card information, SSN information or credit limits without the knowledge or permission of the customer Is this situation different from similar abuse in the phone or mail order business model? Not really but the major difference has to with the speed of access to and dissemination of the sensitive data User and system administrator awareness is becoming more important in the effort to counter e-commerce attacks Consumers are slowly becoming aware of some security features such as encrypted WEB transactions, privacy statements by companies, etc Internet service providers are becoming more responsive to complaints about Internet abuse originating from their sites E-commerce security needs to be addressed not only at the business site with its servers/network but also on the client side, which includes direct connected home computers It is this group of computers that are the most vulnerable to attack because the level of user security training or awareness is not high at all The Threats to E-Commerce The standard client server model has three components: the server system, the network and the client system In the past, server systems were typically mainframes running operating systems such as MVS, VM, VMS or Unix Window NT and Windows 2000 (W2K) are now making inroads into this arena The network component includes the internal business network, the path between the business and the customer through various ISPs and the customer’s internal network Client systems are usually PC or Macintosh systems running their respective Window 9x, NT, W2K or MacOs operating systems although Unix systems serve as client systems 2.1 E-commerce Security Components E-commerce security strategies deal with two issues: protecting the integrity of the business network and its internal systems; and with accomplishing transaction security between the customer and the business The main tool businesses use to protect their internal network is the firewall A firewall is a hardware and software system that allows only those external users with specific characteristics to access a protected network The original design was supposed to allow only specific services (e.g., email, web access) between the Internet and the internal network The firewall has now become the main point of defense in the business security architecture However, firewalls should a small part of the business security infrastructure There are hacker tools such as SMTPTunnel and ICMPTunnel that allow hackers to pass information through the allowed ports The “ILOVEYOU” virus successfully penetrated firewalled networks because inbound and outbound email is allowed to pass through the firewall The Code Red and NIMDA worms passed through firewalls because they accessed systems through the standard WEB server ports Transaction security is critical to bolstering consumer confidence in a particular e-commerce site Transaction security depends on the organization’s ability to ensure privacy, authenticity, integrity, availability and the blocking of unwanted intrusions Transaction privacy can be threatened by unauthorized network monitoring by software devices called sniffer programs These programs are most likely found at the endpoints of the network connection There are a number of defenses against this threat such as encryption and switched network topologies Transaction confidentiality requires the removal of any trace of the actual transaction data from intermediate sites Records of its passage are a different thing and are required to verify the transaction actually took place Intermediate nodes that handle the transaction data must not retain it except during the actual relaying of the data Encryption is the most common method of ensuring confidentiality Transaction integrity requires methods that prevent the transactions from being modified in any way while it is in transit to or from the customer Error checking codes are an example of such a method Encryption techniques such as secret-key, public-key and digital signatures are the most common method of ensuring transaction privacy, confidentiality and integrity The common weakness of these techniques is that they depend on the security of the endpoint systems to protect the keys from modification or misuse The following paragraphs will discuss the vulnerabilities of this clientserver model Early hacker attacks were directed at the server systems because that’s where the access or data lived As server system administrators became more experienced, it became harder for hackers to successfully penetrate the servers The hackers then shifted their focus to the network feeding into the server They were able to continue subverting the servers by intercepting the cleartext traffic flowing in and out the server Encrypting network traffic, converting the network to a switched topology and filtering unknown access were some of the countermeasures to this “sniffer” attack In response to this, the hackers simply shifted to the client side and this is where most network security architectures collapse Why? Looking at the OS architectures prevalent in the client side, we observe: an OS used in a server is also used on the client system or the PC/Macintosh OS is used on the client If the client OS is the same as the server, then the same server defense mechanisms can be used on the client system However, if the client OS architecture is based on Windows 9x or MacOs then there is no effective defense available These OS platforms have no built-in security designed into them and allow anyone with access to the system to be able to gain control of it These OS architectures will continue to be susceptible to virus and Trojan horse program attacks The two main threats to the e-commerce client-server model are viruses and Trojan horse programs Viruses are simply disruptive in nature but the Trojan horse programs are the more serious threat because they not only facilitate breaking into another system, they also permit data integrity attacks 2.2 Viruses Viruses are the most publicized threat to client systems They are effective because of the built-in insecurity of client systems (PC/Mac) Subverting a PC/Mac system requires access to the system and no special privilege is needed to write code or data into sensitive system areas This operating system design issue is evident in older versions of Windows 9x or MacOs 8.x Operating systems such as Windows NT, Windows 2000, while still vulnerable to this type of attack, have the capability of restricting who can activate the virus The more publicized viruses such as Melissa, ILOVEYOU, Resume, KAK and IROK have no effect on Unix systems Viruses need “system privilege” in order to be effective In general, the multiple privilege access schemes present in Unix, VMS and other multi-user operating systems prevents a “virus” from damaging the entire system It will only damage a specific user’s files 2.3 Trojan Horses The BackOrifice, Netbus, BO2K hacker tools allow a remote user to control, examine, monitor any information on the target PC What makes them especially beguiling is that they are also capable of using the target PC to send information to the net as if the legitimate user had done so There are commercial tools like CUCme, VNCviewer that perform the same function There are numerous hacker exploit web sites such as www.portwolf.com/trojans.htm, www.cultdeadcow.com, www.rootshell.com, http://thc.pimmel.com and www.insecure.org where anyone can download a copy of the abovementioned Trojan horse programs The good side of the Force allows system administrators to use these tools to remote manage large numbers of workstations This is the typical sysadmin support tool since there are many more machines than sysadmins However, the dark side of the Force allows a malicious user to install these tools for nefarious purposes such as forgery, data modification and eavesdropping 2.4 Which is the Bigger Threat to E-commerce? Viruses are a nuisance threat in the e-commerce world They only disrupt ecommerce operations and should be classified as a Denial of Service (DoS) tool The Trojan horse remote control programs and their commercial equivalents are the most serious threat to e-commerce Trojan horse programs allow data integrity and fraud attacks to originate from a seemingly valid client system and can be extremely difficult to resolve A hacker could initiate fraudulent orders from a victim system and the ecommerce server wouldn’t know the order was fake or real Password protection, encrypted client-server communication, public-private key encryption schemes are all negated by the simple fact that the Trojan horse program allows the hacker to see all cleartext before it gets encrypted Privacy Issues The abuse of consumer privacy is becoming a concern at the consumer, business and government level There will be resistance to participating in certain types of ecommerce transactions if the assurance of privacy is low or non-existent 3.1 Abusing Customer Privacy The government (Big Brother) isn't the biggest threat to privacy anymore Businesses are! US Bankcorp was sued for deceptive practices in 1999 The bank supplied a telemarketer, MemberWorks, with sensitive customer data such as name, phone #, bank account and credit card numbers, SSN, account balances and credit limits MemberWorks used these customer lists to sell dental plans, videogames, and services US Bankcorp settled out of court Well Fargo, Bank of America and other financial institutions announced they were discontinuing the practice after the US Bankcorp settlement was announced Many banks still deal with MemberWorks today Jane Bryant Quinn’s essay on Privacy Issues lists a couple of items of concern: No Federal law shields “transaction and experience” information Social Security Number information is periodically disclosed either intentionally or not Self-regulation by business doesn’t work Obviously, not all businesses are dens of information disclosure However, most businesses not treat the information security cycle as a high priority until an event happens They consider a firewall to be the best line of defense and pay not enough attention to securing the internal net 3.2 1984 or Lord of the Flies? Firms like the Internet advertising firm DoubleClick collect customer information and route it to other firms for use in creating customer profiles Doubleclick recently acquired a direct marketing company, Abacus, Inc., is an effort to link anonymous hits on Web sites with actual names and addresses of Web surfers The firm backed off this effort after the Federal Trade Commission launched an investigation In another example of a consumer privacy threat, grocery store chains offer discount cards to its customers Swipe the card through their reader and the customer gets discounts on food items This service allows the business to determine the buying habits of the customer and perhaps better stock the store with the items the customers buys frequently The store is free to sell this data to marketing firms without notifying the customer This Personal Service vs anonymity conundrum represents the major issue with E-commerce privacy If the majority of businesses are not considered to be secure, the confidentiality and integrity of the customer information is suspect This may be a bold statement to make about most business network security but the DDOS attacks, the results of the Internet Audit Project shown and the Top Ten Vulnerabilities list compiled by SANS demonstrated this lack of security at thousands of sites This lack of security is the biggest threat to consumer privacy from external sources Selling consumer data without the customer knowledge or permission is the major internal threat to consumer privacy Consumer information integrity is the clearly a problem if sites fail to secure the customer data at the server or the client It is just as easy to modify customer data, as it is to publish it This ability to instantly rewrite a consumer’s history with a particular business is quite possible and certainly easy to with the BO2K style Trojan horse programs installed on an unsuspecting client The US Federal Trade Commission is urging the US Congress to pass legislation to bolster online privacy because it has doubts about whether companies can or will self-regulate The FTC conducted a survey of 335 commercial Websites and 91 of the 100 most popular sites to determine their information gathering practices Almost all the sites in both groups collected email address information from visitors but only 88% of the 335 sites had posted privacy policies Twenty percent of these sites had policies “that reflect the fair information principles of notice, choice and access security” The FTC lists four types of privacy protection that it considers essential: A notice defining privacy policies A choice of how the user information collected by the site is used Access to that data by the individual Assurances that the data is secure The same FTC survey found that 42% of the most popular web sites and only 20% of the 335 sites offer consumers the above types of protection The same Computerworld article made the observation that “the FTC applied very easy grades to the Web sites it investigated… For instance, if a Web site offered any type of access, such as allowing consumers to update their email addresses, the survey scored the Web site as having access ‘And the majority of them still flunked’ ” A recent commentary by William Safire pointed out that e-commerce is “an industry busily compiling dossiers on every American.” These sites collect information about web browsers by using web “cookies” to track your movements around their web site One can certainly see the merits of this action; however, it’s not quite apparent why the organization is allowed to sell that data to other businesses Appendix shows some of the user data that can be gleaned from a simple access to a web site One of the authors visited www.anonymizer.com to generate the figure The information shown in the appendix is accurate Even more detail can be obtained from the www server logs One of the issues raised at www.glr.com is that a composite profile can be constructed about a user from seemingly disparate databases For example, one can look up a person at www.switchboard.com to get the address and phone number of an individual Accessing www.mapquest.com and entering the address from the previous query to get a map and driving directions to the person’s address could pose a threat to the individual’s privacy Access the person’s personal web page and you most likely can get a photograph of the individual This is an example of data residing in completely different and geographically separate sites being used to build a composite about a person The 10 are beginning to find their way into the published literature, and we expect that these studies will bring greater clarity and proficiency to admittedly murky areas 5/ E-commerce Security Tips : Over the past few years, ecommerce stores have become widespread Everyday we hear of some new ecommerce store launching Where this trend is creating easiness for users, it also increases the risk of internet theft.One ecommerce hack that occurs the most is credit card fraud So, as an ecommerce store developer, it’s your responsibility to stop the hackers in their paths This will allow people to shop online safely and without the fear of information theft.While, I have no doubt that you will have adequate knowledge about securing your ecommerce store, I still want to help So, here is a list of quick ecommerce security tips to strengthen your store’s security + Select an Appropriate Ecommerce Platform 80 Most ecommerce store owners prefer Magento, OpenCart, WooCommerce, or PrestaShop for ecommerce platforms It’s essential to select an appropriate one from them according to your requirements You need to keep in mind the key factors such as convenience, robust functionality, and ease of use I recommend Magento because of its powerful performance +Use HTTPS HTTPS is the most secure standard in website security these days The outdated HTTP protocol can lead to severe repercussions, so in an effort for overall security of the visitor’s data, many website owners have decided to use HTTPS on their site Earlier HTTPS protocol was only used on the payment pages To initiate the process of switching over to HTTPS, select an SSL Certification You can purchase it from your hosting company or an SSL merchant It’s an easy process, just follow these steps: Shift your site to HTTPS Set up 301 redirects Update all the internal links on your site 81 + Secure the Admin Panel A weak password is all that a hacker needs to manipulate your website But it can lead to a huge loss for your business To keep your website away from malicious hackers, secure your admin panel by following these simple steps: Change Admin Username: Default ‘username’ value for ecommerce websites is ‘admin.’ Change it to a unique, easy to remember value o For Magento, follow these steps: Navigate to the ‘System’ tab in the Admin panel Click on ‘My Account’ in the dropdown menu In the ‘My Account’ page, change the ‘Username’ value Click on Save Account o For OpenCart, follow these steps: Navigate to the folder containing the “admin” folder It is usually the “public_html” 82 Right click on the “admin” folder and choose the “rename” option from the dropdown Enter the new folder name for the “admin” folder Use a unique name which is hard to guess and completely unrelated to your business Now, edit the /admin/config.php and replace ALL instances of the word ‘admin’ with the new folder name you have chosen in the above step For detailed explanation on renaming the admin folder Use a secure password for all entry points of your website The password should be at least 8-12 characters long It should contain alphanumeric and special characters An easier way to generate a strong password is to use a tool like lastpass + Data Backup Data backups are integral for ecommerce security It is important that you perform scheduled backups on a regular basis So, if someone hacks your website, you can restore it to the previous version instantly It is important that you store the backups on a separate server so that they aren’t infected by the malware A good step is to use cPanel dashboard to create backups: +Follow these steps, to generate a full site backup in cPanel: Log into your website’s cPanel Navigate to the Files section, then click on the Backups icon 83 Under the Full Backup section, click on the Generate/ Download a Full Website Backup option In the next page, select the Home Directory option from the Backup Destination drop-down menu For setting your Email Address preferences, you can select whether you want to receive an email notification once the backup is complete or not You can also change the email for receiving the notification In the end, Click on Generate Backup Once complete, this will place the backup in your home directory, with the extension tar.gz +To download the backup from cPanel: Log into your website’s cPanel Navigate to the Files section, then click on the Backups icon Under the Full Backup section, click on the Generate/ Download a Full Website Backup option In the Backups Available for Download section, click the hyperlink for the particular backup file that you wish to download To complete the process, Select a destination folder on your system where you would like to download the backup 84 Another option is to choose a managed ecommerce hosting provider that automatically creates backups for you, like Cloudways + Avoid Storing Credit Card Details You should avoid storing customer credit card details on your server But if you have to, then get PCI Compliance certificate PCI compliance certification assures that the credit card data is safe on your website You will have to first pass the compliance assessment Points to follow: • The first step is to determine the Compliance Level • Do the self - assessment questionnaire • Attestation of Compliance • Submit the documents You can also handle the payments using a third party payment gateways such as stripe, PayPal These processors allow smooth payment processing and an enhanced ecommerce experience + Protection Against SQLi, XSS, Malware As a website owner, it’s very important that you protect your website against threats like Cross Site Scripting (XSS), SQL injections, Bad Bots If these vulnerabilities aren’t fixed they leave your website’s data at a risk of being exploited by hackers 85 You could either go through your store’s code and fix such vulnerabilities or use a security plug in, as mentioned in the next step + Use an Ecommerce Security Plugin Security plugins are a simple way to enforce security protection on your website They provide protection against Bad Bots, SQLi, XSS, Code Injections and hundreds of other severe attacks One of the most secure, easy to implement, feature rich security plugin is Astra It helps automatically secure your site and virtually patch software by preventing malicious requests from ever reaching your website + Ecommerce Security Best Practices I also advise you to go through your particular CMS’s security best practices documentation and follow all the steps mentioned there This will configure your particular CMS in a secure way according to the CMS’s guidelines Here’re some of the ecommerce security practices advised by Magento: Restrict access to any development, staging, or testing systems Use IP whitelisting and htaccess, htpasswd protection Install extensions only from trusted sources Always keep your Magento instance updated for the best security features Always use the correct file permissions Core Magento and directory files should be set to read only, including app/etc/local.xml files GUIDELINES FOR COMPANIES (Đỗ Đức Dũng) 86 It is not just consumers who are concerned about online security and privacy Companies which respect these issues, or at least recognize the financial gains in addressing these problems, are faced with a problem of how to gain consumer trust online As the relevant literature has shown, despite widespread concerns, there are not so many solutions to these problems Sometimes, the solutions are apparent (such as giving a choice to users of how their data may be used) but are in direct conflict with the company’s objectives (for instance, to gather information for marketing communications purposes) Nevertheless, analysis of the empirical data and industry studies has clearly demonstrated the importance of taking these issues in consideration when dealing with online commerce As perceived security and privacy might be the most significant factors in influencing e-trust, there are several steps a company might take in order to address these influencers A considerable amount of online fraud may be prevented by the users themselves, and consumers should take more responsibility for their online security and information privacy.76 This is the fact that the companies committed to online security and privacy can and should educate their users about Not only would it actually prevent online fraud but would also reduce user uncertainty about the company’s reputation and credibility while increasing trust as well In addition to the already mentioned techniques for establishing e-privacy and e-security, each company should include a privacy statement, which clearly states its security and privacy policies TRUSTe, whose seal demonstrates a company’s compliance with privacy best practices, recommends that a comprehensive privacy statement should include the aspects, such as: notice (the use of collected information) and choice (provide users with a choice or whether the information may be collected and used); access (provide users with access to their own information) 77 Internally, organizations should restrict employees’ access to sensitive data, unless it is absolutely necessary in doing their job As regards security, the content should include a description of how the registration process works; how the website uses cookies and contact information.78 Providing company’s contact information and photographs of the employees and physical premises79 will enhance the initial trust, especially with less known companies Being given the chance to visit or speak directly to employees will reduce the anxiety the users associate with the remote nature of the Internet Providing more information on products and services, following usability guidelines, should also greatly influence e-trust 80 The company should make sure that consumers understand that it will never send e-mails asking for personal financial information, and should also discourage them from opening links from an e-mail in order to prevent phishing-frauds When a company requires 87 user authentication, it should include more that the simple two-way process of user ID and password whenever possible If online fraud does occur, the company should deal with the matter as efficiently and quickly as possible to prevent further loss in terms of reputation damage 7)CONCLUSION The growth of Internet technologies has provided various business opportunities with a potential to benefit both companies and consumers However, e-commerce has not been as successful as expected, due to a number of problems that consumers encounter in the online environment Security and privacy, or more specifically lack thereof, are both rooted in the issue of trust These are the issues companies must address in their strategic plans and with their online presence Ecommerce is undoubtedly widespread in the world; therefore, the significance of studies on this topic is huge Moreover, as technology changing constantly, this subject is always highly topical and research should keep up with any changes as well This is particularly important for developing countries, where technology is more or less just being introduced Further research should focus on security of the systems operating in these countries, since the main objective of businesses operating in them should be to get people to use the Internet The importance of eprivacy must not be neglected; however, the trust in security is the first step in achieving a higher percentage of online users Even though all participants in ecommerce recognize that there is no full guarantee of online safety, companies are still in a position to increase trust among their online consumers and should so in order to achieve the full potential of e-commerce 88 _THE END _ References *Books and E-books [1] W Jeberson, Prof (Col.) Gurmit Singh "Analysis of Security Measures Implemented on G2C Online Payment Systems in India" MIT International Journal of Computer Science & Information Technology Vol No Jan 2011 [2] Pradnya B Rane, Dr B.B.Meshram "Transaction Security for Ecommerce Application" IJECSE -ISSN- 2277-1956 2012 [3] Shazia Yasin, Khalid Haseeb "Cryptography Based E-Commerce Security: A Review" IJCSI-Vol 9, Issue 2, No 1, March 2012 [4] Randy C Marchany, Joseph G Tront, "E-Commerce Security Issues"Proceedings of the 35th Hawaii International Conference on System Sciences – 2002 [5] Mohanad Halaweh, Christine Fidler - " Security Perception in Ecommerce: Conflict between Customer and Organizational Perspectives" Proceedings of the International Multiconference on Computer Science and Information Technology, pp 443 – 449, ISBN 978-83-60810-14-9- 2008-IEEE [6] Dr Nada M A Al-Slamy, "E-Commerce security" IJCSNS - VOL.8 No.5, May 2008 Wirtz, J., Lwin, M.O., Williams, J.D.: Causes and consequences of consumer online privacy concern, International Journal of Service Industry Management, Vol 18, No 4, 2007, pp 327 European Commission, Commission Staff Working Document: Report on crossborder e-commerce in the EU, 2009, Available on: http://ec.europa.eu/consumers/strategy/docs/com_staff_wp2009_en.pdf (2.6.2009.) Fraumeni, B.M.: E-Commerce: Measurement and Measurement Issues, The American Economic Review, Vol 91, No 2, 2001, pp 318 Kalakota, R., Robinson, M.: E-poslovanje 2.0, MATE, Zagreb, 2001, pp 89 Kolsaker, A., Payne, C.: Engendering trust in e-commerce: a study of genderbased concerns, Marketing Intelligence & Planning, Vol 20, No 4, 2002, pp 206214 Pennanen, K., Tiainen, T., Luomala, H.T.: A qualitative exploration of a consumer’s value-based e-trust building process: A framework development, Qualitative Market Research: An International Journal, Vol 110, No 1, 2007, pp 28 Arcand, M., Nantel, J., Arles-Dufour, M., Vincent, A.: The impact of reading a web site’s privacy statement on perceived control over privacy and perceived trust, Online Information Review, Vol 31, No 5, 2007, pp 136 Ramnath, K., Chellappa, P., Pavlou, A.: Perceived information security, financial liability and consumer trust in electronic commerce transactions, Logistics Information Management, Vol 15, No 5/6, 2002, pp 358 Flavián, C., Guinalíu, M.: Consumer trust, perceived security and privacy policy, Three basic elements of loyalty to a web site, Industrial Management & Data Systems, Vol 106, No 5, 2006, pp 603 10 Ibid 11 Durkan, P., Durkin, M., Gillen, J.: Exploring efforts to engender on-line trust, International Journal of Entrepreneurial Behaviour & Research, Vol No 3, 2003, pp 98 12 McRobb, S., Rogerson, S.: Are they really listening?: An investigation into published online privacy policies at the beginning of the third millennium, Information Technology & People, Vol 17, No 4, 2004, pp 443 13 Flavián, C., Guinalíu, M.: op cit., pp 612 14 Regnier, P., Sahadi, J.: Thwart the ID Thieves, Money, Vol 35, No 12, 2006, pp 124-125 15 Mohatar, O.D., Sierra Cámara, J.M.: New Directions in Online Fraud, AIP Conference Proceedings, Vol 963, No 2, 2007, pp 973 Milan Mandić Vol XXI (2009), br 2, str 247 - 260 TRŽIŠTE 258 16 Texas State Library and Archives Commission Web Site, 2009, Available on: http://www.tsl.state.tx.us/ld/pubs/ compsecurity/glossary.html (13.10.2009.) 17 Acohido, B.: Hackers barrage bank accounts, USA Today, 2009, [Online] Available on: http://www.usatoday com/money/industries/banking/2009-02-22bank-accounts-hackers_N.htm (29.5.2009.) 18 Mohatar, O.D., Sierra Cámara, J.M.: op cit., pp 974 90 19 Vuagnoux, M., Pasini, S.: Compromising Electromagnetic Emanations Of Wired And Wireless Keyboards, 2009 - Available on http://lasecwww.epfl.ch/keyboard/ (13.10.2009.) 20 Angriawan, A., Thakur, R.: A Parsimonious Model of the Antecedents and Consequence of Online Trust: An Uncertainty Perspective, Journal of Internet Commerce, Vol 7, No 1, 2008, pp 76 21 Durkan, P., Durkin, M., Gillen, J.: op cit., pp 93-110 22 Thakur, R., Summey, J.H.: E-trust: empirical insights into influential antecedents, Marketing Management Journal, Vol 17, No 2, 2007, pp 74 23 Kolsaker, A., Payne, C.: op cit., pp 208 24 Benamati, M., Serva, J.: Trust and distrust in online banking: Their role in developing countries, Information Technology for Development, Vol 13, No 2, 2007, pp 164 25 Arcand, M., Nantel, J., Arles-Dufour, M., Vincent, A.: op cit., pp 138 26 Angriawan, A., Thakur, R.: op cit., pp 74-94 27 Roca, J.C., Garcia, J.J., de la Vega, J.J.: The importance of perceived trust, security and privacy in online trading systems, Information Management & Computer Security, Vol 17, No 2, 2009, pp 96-113 28 Ribbink, D., van Riel, A.C.R., Liljander, V., Streukens, S.: Comfort your online customer: quality, trust and loyalty on the internet, Managing Service Quality, Vol 14, No 6, 2004, pp 446-456 29 Flavián, C., Guinalíu, M.: op cit., pp 601-620 30 Thakur, R., Summey, J.H.: op cit., pp 67-80.; Pennanen, K., Tiainen, T., Luomala, H.T.: op cit., pp 28-47 31 Flavián, C., Guinalíu, M.: op cit., pp 601-620 32 Martins, N.: A model for managing trust, International Journal of Manpower, Vol 23, No 8, 2002, pp 754- 769 33 Chen, Y., Barnes, S.: Initial trust and online buyer behaviour, Industrial Management & Data Systems, Vol 107, No 1, 2007, pp 21-36 34 Nielsen, J.: Trust or Bust: Communicating Trustworthiness in Web Design, 1999 - Available on: http://www.useit com/alertbox/990307.html (20.06.2009.) 35 Ribbink, D., van Riel, A.C.R., Liljander, V., Streukens, S.: op cit., pp 448 36 Shalhoub, Z.K.: Trust, privacy, and security in electronic business: the case of the GCC countries, Information Management & Computer Security, Vol 14, No 3, 2006, pp 270 37 Flavián, C., Guinalíu, M.: op cit., pp 601-620.; Chen, Y., Barnes, S.: op cit., pp 21-36 91 38 Jaikumar, V.: Security Concerns Cloud Online Shopping, Computerworld, Vol 39, No 49, 2005, pp 39 European Commission, Issues relating to Business and Consumer E-commerce, 2004 - cited in: Flavián, C., Guinalíu, M.: op cit., pp 605 40 Angriawan, A., Thakur, R.: op cit., pp 74-94 41 Pennanen, K., Tiainen, T., Luomala, H.T.: op cit., pp 28-47 42 Roca, J.C., Garcia, J.J., de la Vega, J.J.: op cit., pp 96-113 PRIVACY AND SECURITY IN E-COMMERCE Vol XXI (2009), br 2, str 247 - 260 TRŽIŠTE UDK: 658.8:004.738.5 259 43 Udo, G.: Privacy and security concerns as major barriers for e-commerce: a survey study, Information Management & Computer Security, Vol 9, No 4, 2001, pp 165-174 44 Thomas, L., Xiaodong, D.: Building online trust through privacy practices, International Journal of Information Security, Vol 6, No 5, 2007, pp 323-331 45 Udo, G.: op cit., pp 165-174 46 Hsu, C.J.: Privacy concerns, privacy practices and web site categories: Toward a situational paradigm, Online Information Review, Vol 30, No 5, 2006, pp 570 47 Angriawan, A., Thakur, R.: op cit., pp 79 48 Shalhoub, Z.K.: op cit., pp 271 49 Thomas, L., Xiaodong, D.: Building online trust through privacy practices, International Journal of Information Security, Vol 6, No 5, 2007, pp 323 50 Kolsaker, A., Payne, C.: op cit., pp 209 51 Ramnath, K., Chellappa, P., Pavlou, A.: op cit., pp 361 52 Hooper, T., Vos, M.: Establishing business integrity in an online environment: An examination of New Zealand web site privacy notices, Online Information Review, Vol 33, No 2, 2009, pp 355 53 Thomas, L., Xiaodong, D.: op cit., pp 323-331 54 Durkan, P., Durkin, M., Gillen, J.: op cit., pp 99 55 Kolsaker, A., Payne, C.: op cit., pp 208 56 TRUSTe, Online Privacy - A Tutorial for Parents and Teachers - Available on: http://www.truste.org/pdf/parent_teacher_tutorial.pdf (2.6.2009.) 57 Hsu, C.J.: op cit., pp 572 58 Thakur, R., Summey, J.H.: op cit., pp 76 59 Roca, J.C., Garcia, J.J., de la Vega, J.J.: op cit., pp 107 60 Flavián, C., Guinalíu, M.: op cit., pp 604 61 Ibid., pp 605 62 Shalhoub, Z.K.: op cit., pp 272 92 63 Ramnath, K., Chellappa, P., Pavlou, A.: op cit., pp 359 64 Flavián, C., Guinalíu, M.: op cit., pp 604 65 Arcand, M., Nantel, J., Arles-Dufour, M., Vincent, A.: op cit., pp 152 66 Ibid., pp 135 67 Ramnath, K., Chellappa, P., Pavlou, A.: op cit., pp 361 68 Smith, A.D.: Cybercriminal impacts on online business and consumer confidence, Online Information Review, Vol 28, No 3, 2004, pp 230 69 TRUSTe, op cit 70 Smith, A.D.: op cit., pp 230 71 Mohatar, O.D., Sierra Cámara, J.M.: op cit., pp 976 72 Roberts, P.F.: FFIEC report pans passwords, eWeek, Vol 22, No 42, 2005, pp 19 73 Mohatar, O.D., Sierra Cámara, J.M.: op cit., pp 976 74 Smith, A.D.: op cit., pp 231 75 Roberts, P.F.: op cit., pp 19 Milan Mandić Vol XXI (2009), br 2, str 247 260 TRŽIŠTE 260 76 Hsu, C.J.: op cit., pp 584 77 TRUSTe, op cit 78 Ibid 79 Durkan, P., Durkin, M., Gillen, J.: op cit., pp 106 80 Thakur, R., Summey, J.H.: op cit., pp 74 Leveson, Nancy G Safeware: System Safety and Computers A Guide to Preventing Accidents and Losses Caused by Technology Reading, MA: AddisonWesley, 1995 Schneier, Bruce Secrets and Lies: Digital Security in a Networked World New York, NY: John Wiley & Sons, 2000 Simson Garfinkel, Web Security, Privacy and Commerce, nd Edition, O’Reilly Media, 2002 Amoroso, Edward Fundamentals of Computer Security Technology Englewood Cliffs, NJ: Prentice Hall, 1994 Anderson, Ross Security Engineering New York, NY: Wiley & Sons, 2001 Pfleeger, Charles P Security in Computing, Second Edition Englewood Cliffs, NJ: Prentice Hall, 1996 93 Comer, Douglas E Internetworking with TCP/IP, Third Edition Englewood Cliffs, NJ: Prentice Hall, 1995 Bellovin, Steve, and Bill Cheswick Firewalls and Internet Security Reading, MA: Addison-Wesley, 1994 *Webs and e-pages: http://www.gocsi.com http://ipage.com/blog/why-web-security-is-important/ http://gotowebsecurity.com/different-types-cyber-attack-aware-off/? fbclid=IwAR2dBrD2IWRwABbJhxcCI46XjXqobHeYXdcvkMSuO7xS8HeeRm1TsiVHUA https://www.bartleby.com/essay/E-commerce-Security-and-PrivacyFKJV7PEYVC https://www.ukessays.com/essays/information-technology/online-payment-andsecurity-of-e-commerce-information-technology-essay.php https://digitalstrategy.ie/security-issues-in-e-commerce/ https://www.thebalancesmb.com/security-issues-in-ecommerce-1141591 https://www.cio.com/article/2384809/e-commerce/15-ways-to-protect-yourecommerce-site-from-hacking-and-fraud.html https://businformgt.wordpress.com/2016/12/16/security-threats-of-e-commerce-2/ https://www.techgenyz.com/2017/04/05/e-commerce-major-threats-e-commercesecurity/ https://www.section.io/blog/website-security-for-ecommerce-websites/ https://www.thebalancesmb.com/security-issues-in-ecommerce 94 ... The security of a site depends on the security of the internal systems and the security of external networks E- commerce sites need to tailor their security architecture to meet the demands of ensuring... the ecommerce and customer sites must be constantly reviewed and appropriate countermeasures devised These security measures must be implemented so that they not inhibit or dissuade the intended... the server, then the same server defense mechanisms can be used on the client system However, if the client OS architecture is based on Windows 9x or MacOs then there is no effective defense