Problems of information security in electronic commerce. Ensuring information security of trade enterprises, retail networks and their infrastructure

The article discusses the protection of e-commerce systems, the main vulnerabilities, threats and protection methods.


There are still more problems and questions in the Russian e-commerce sector than there are answers and ready-made schemes and solutions that work in practice. We can say that e-commerce in Russia is described and identified through its problematic nature, while in the West, in particular in the USA, the description is in the context of experience and achievements.

An electronic commerce system is a comprehensive information and settlement system based on information security technologies and certified organizational, software and technical solutions that ensure interaction between participants in electronic transactions at all stages of trade, procurement and other commercial activities.

Electronic commerce is trading through a network of computers of the buyer and seller of goods; the subject of electronic commerce can be a service, real estate, banking product, etc. E-commerce creates a new form of organization of trading enterprises - virtual stores - and constantly, under the influence of competition, offers new goods and services for sale in a virtual store.

The e-store is threatened by all internal and remote attacks inherent in any distributed computer system that interacts by transmitting data over open networks. Both participants in this business process are vulnerable to them and unprotected in terms of repelling attacks and tracking them.

In addition to information attacks and threats, there are many other vulnerabilities in e-commerce that are more related to organizational, legal and financial problems in the economic activities of the company as a whole. Therefore, to solve the problem of building a comprehensive protection system, a whole range of organizational, legislative, physical and technical measures is required.

The continuous development of network technologies in the absence of regular security analysis means that, over time, the security of the network decreases and new, unaccounted-for threats and system vulnerabilities appear. Adaptive network security makes it possible to provide protection in real time, adapting to constant changes in the information infrastructure. It consists of three main elements: security analysis technology, attack detection technology and risk management technology. Security analysis technologies are an effective method of analysing and enforcing network security policies. Security analysis systems search for vulnerabilities, increasing the number of checks and examining all levels of the system.

Any software has certain vulnerabilities that lead to attacks. These include e-commerce system design vulnerabilities (for example, a lack of security measures) as well as implementation and configuration vulnerabilities. The last two types are the most common and are found in any organization. All of them can lead to attacks aimed at violating the confidentiality and integrity of the processed data. For example, while a customer selects a product or service through the electronic store's server and places an order, the page of the store's web server can be substituted. The main implementation method is to redirect user requests to another server. It is especially dangerous if the client pays for the order online: interception of the customer's credit card details poses a particular danger.

At all stages of the operation of an e-commerce system, it is possible to penetrate the company's internal network and compromise the components of the electronic store. According to statistics, more than half of all computer incidents involve an organization's own employees, because they, like no one else, know all the work "from the inside".

Each level of any information system requires its own protection.

The operating system (OS) level, responsible for maintaining the DBMS and application software.

Network level is the level responsible for the interaction of information system nodes.

These levels are especially important. It is very dangerous if an attacker obtained the user ID and password of a store database user, or intercepted them during transmission over the network, or picked them up using special programs. Security tools and mechanisms are needed that quickly and accurately detect and block network denial-of-service attacks and attacks on the operating system.

Currently, routers and firewalls are used at the network level, and built-in access control tools are used at the OS level.

The database management system (DBMS) level is responsible for storing and processing information system data. The protection system must work effectively at all levels; otherwise an attacker will be able to find system vulnerabilities and carry out an attack on the resources of the electronic store. Security analysis tools and security scanners can help here: these tools can detect and eliminate many vulnerabilities on hundreds of nodes, including remote ones at a considerable distance.

The technology that ensures the security of electronic commerce is cryptography. Cryptography is the science of methods, algorithms, software and hardware for transforming information in order to hide its content, prevent modification or unauthorized use. Modern cryptographic algorithms, combined with powerful personal computers, make it possible to implement reliable methods of encryption, authentication and verification of information integrity.

Encrypting or encoding information to protect it from unauthorized reading is the main task of cryptography. Encryption ensures the confidentiality of information and is used in e-commerce to keep the content of a transmitted message secret.

Encryption is based on two concepts: algorithm and key. A cryptographic algorithm is a mathematical procedure by which plaintext is converted into ciphertext. The cryptographic algorithm itself is not secret and is known to all participants in the process; a certain parameter of the algorithm, called the key, is secret.

The authentication problem can be solved by public-key cryptography, that is, asymmetric encryption. In this case, key pairs are used: public and private. The public one is distributed among all correspondents; the private one is known only to its owner. Messages encrypted with either key can only be decrypted with the other key from the same pair.

Almost all encryption systems are based on two cryptographic algorithms: DES (Data Encryption Standard), developed by IBM back in the early 1970s, which became the world standard for private-key encryption, and RSA (named after its authors Rivest, Shamir and Adleman), introduced in the late 1970s, which became the standard for public-key encryption and is especially popular in banking technology.

An electronic digital signature is a set of characters generated by means of an electronic digital signature and which is an integral part of an electronic document. Thus, an electronic signature is an analogue of a handwritten signature of an individual, presented as a sequence of characters obtained as a result of cryptographic transformation of electronic data using the private key of the digital signature, allowing the user of the public key to establish the integrity and immutability of this information, as well as the owner of the private key of the digital signature.

There is no doubt that e-commerce has a future in Russia. Moreover, modern business simply has no future without active use of the Internet.

Interest in e-commerce is growing and continues to grow. Russian companies are striving to catch up with their foreign colleagues in sales volumes. They conduct seminars and conferences on e-commerce, write articles and reviews. Particular attention is paid to the security and protection of electronic transactions. User trust in electronic transactions is important for companies. Let's briefly look at the stages of purchasing products and services via the Internet.

The customer selects a product or service through the electronic store server and places an order.

The order is entered into the store's order database. The availability of a product or service is checked through a central database. If the product is not available, the customer receives a notification about this. Depending on the type of store, a request for a product may be redirected to another warehouse. If the product or service is available, the customer confirms payment and the order is placed in the database. The online store sends an order confirmation to the customer. In most cases, there is a single database for ordering and checking product availability. The client pays for the order online. The goods are delivered to the customer.

Let's consider the main threats that await the company at all of these stages.
- Substitution of the web server page of the electronic store. The main implementation method is to redirect user requests to another server. This is done by replacing entries in DNS server tables or router tables. This is especially dangerous when the customer enters their credit card number.
- Creation of false orders and fraud by employees of the electronic store. Penetrating the database and changing order-processing procedures allows illegal manipulation of the database. According to statistics, more than half of all computer incidents involve an organization's own employees.
- Interception of data transmitted in the e-commerce system. The interception of customer credit card information is a particular danger.
- Penetration into the company's internal network and compromise of electronic store components.
- Denial-of-service attacks that disrupt or disable an e-commerce node.

As a result of all these threats, the company loses customer trust and loses money from bad transactions. In some cases, this company can be sued for disclosing credit card numbers. In the event of denial of service attacks, time and material resources are spent on replacing equipment to restore functionality. Data interception does not depend on the software and hardware used. This is due to the insecurity of the IP protocol version (v4). The solution to the problem is to use cryptographic means or switch to the sixth version of the IP protocol. Both cases have their problems. In the first case, the use of cryptography must be licensed by the relevant department. In the second case, organizational problems arise. There are still several possible threats. Violation of the availability of e-commerce nodes and incorrect configuration of the software and hardware of the electronic store.

2. Protection methods.

All this speaks to the need for comprehensive protection. In reality, protection is often limited to the use of cryptography (the 40-bit version of the SSL protocol) to protect information between the client's browser and the e-commerce server, and to filtering on the router.

A comprehensive security system should be built taking into account the four levels of any information system:
- The application software level, responsible for user interaction. Examples of elements at this level are the WinWord text editor, the Excel spreadsheet editor, the Outlook email program and the Internet Explorer browser.
- The database management system (DBMS) level, responsible for storing and processing information system data. Examples are Oracle DBMS, MS SQL Server, Sybase and MS Access.
- The operating system (OS) level, responsible for maintaining the DBMS and application software. Examples are MS Windows NT, Sun Solaris and Novell NetWare.
- The network level, responsible for the interaction of information system nodes. Examples are the TCP/IP, IPX/SPX and SMB/NetBIOS protocols.

The protection system must work effectively at all levels. Otherwise, an attacker will be able to carry out an attack on the resources of the electronic store. Both external and internal attacks are dangerous. According to statistics, the main danger comes from internal users of the electronic store (system operators). To gain unauthorized access to information about orders in the database, there are the following options:
- read database records from MS Query, which gives access to records from many DBMSs through the ODBC mechanism or SQL queries;
- read the necessary data using the DBMS itself (DBMS level);
- read the database files directly at the operating system level;
- send packets over the network with crafted requests to obtain the necessary data from the DBMS, or intercept this data during its transmission over communication channels (network level).

Typically the focus is on the bottom two layers: the network and operating system layers. At the network level, routers and firewalls are used; at the OS level, built-in access control tools. This is not enough. Imagine that an attacker has obtained the user ID and password of a store database user, either by intercepting them during transmission over the network or by guessing them with special programs. Both the firewall and the operating system then grant the attacker access to all resources, because a valid ID and password of an authorized user were presented. This is inherent in how a firewall and an operating system function.

New means and mechanisms of protection are needed. Intrusion detection tools are currently receiving a lot of attention around the world. According to forecasts of well-known companies, sales of these products will reach $900 million in 2003. These tools operate with equal efficiency inside the network and outside, protecting against external unauthorized influences.

These tools allow you to promptly detect and block network attacks such as “denial of service” aimed at disrupting the operation of an electronic store. One example of attack detection tools is the RealSecure system developed by Internet Security Systems, Inc.

Any software has certain vulnerabilities that lead to attacks. These include e-commerce system design vulnerabilities (for example, a lack of security features) as well as implementation and configuration vulnerabilities. The last two types are the most common and are found in any organization. A few examples: buffer overflow errors in Microsoft and Netscape browsers, errors in the implementation of the IMAP daemon and the sendmail mail program, the use of empty passwords and passwords shorter than 6 characters, and services that are running but not used, for example Telnet. All of this can lead to various attacks aimed at violating the confidentiality and integrity of the processed data.

It is necessary to promptly detect and eliminate information system vulnerabilities at all levels. Security analysis tools and security scanners will help. These tools can detect and eliminate many vulnerabilities on hundreds of nodes, including remote ones at a considerable distance. Internet Security Systems is also leading the way in this area with its SAFEsuite family. The system includes vulnerability-search functions that work at all four levels: Internet Scanner, System Scanner and Database Scanner. The combined use of different security measures at all levels makes it possible to build a reliable e-commerce information security system. Such a system is useful for both users and employees of the service provider company.

It will reduce possible damage from attacks on the components and resources of the electronic store.

It is recommended to use additional protection tools. Such tools can be either freely distributed or commercial products. Which of them is better must be decided case by case. If there is not enough money to purchase protection tools, one has to turn to free ones. However, the use of such tools is associated with a lower quality of protection and a lack of technical support. Among the commercial Russian products that implement a large number of protective functions, one can name the systems of the SecretNet family, developed by the Informzashchita enterprise. In general, it is impossible to solve the problem of building a comprehensive protection system using purely technical means. A set of organizational, legislative, physical and technical measures is required.

Often organizations use piecemeal approaches to solve security problems. These approaches are based on their perception of security risks. Security administrators tend to respond only to risks that they understand. In reality, there may be more such risks. Administrators understand the possible misuse of system resources and external attacks, but often have little knowledge of the true vulnerabilities in their networks. The constant development of information technology raises a number of new problems. An effective security system requires well-trained personnel to perform its functions, adherence to a standardized approach to security, implemented procedures and technical means of protection, and constant monitoring of the audit subsystems that provide analysis of potential attacks.

The continuous development of network technologies in the absence of regular security analysis leads to network security decreasing over time. New, unaccounted-for threats and system vulnerabilities appear. There is a concept of adaptive network security. It makes it possible to provide protection in real time, adapting to constant changes in the information infrastructure. It consists of three main elements: security analysis technology, attack detection technology and risk management technology. Security analysis technologies are an effective method of analysing and enforcing network security policies. Security analysis systems search for vulnerabilities by increasing the number of checks and examining all levels of the system. Attack detection is the assessment of suspicious activities that occur on a corporate network. Attack detection is implemented by analysing operating system and application software logs and network traffic in real time. Intrusion detection components located on nodes or network segments evaluate various actions.
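The log-based attack detection described above, and the scenario from the protection-methods section in which an attacker guesses a database user's password with special programs, can be illustrated with a small detector. This is an added example, not code from the article or from any product it names; the login record format, the sample log lines and the thresholds are constructed for the illustration. It raises one alert when a source accumulates five failed logins inside a sixty-second window, and another when a success follows a run of failures from the same source, which is the event an operator most wants to see.

```python
"""Attack detection over login records: flag password guessing (many failed
logins from one source inside a short window) and a success that follows a
run of failures from the same source. Added example; the log format and the
sample lines are constructed for this illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) login "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: a normal login, a guessing run from 203.0.113.5 that
# finally succeeds, one honest typo from 192.0.2.9, and a non-login line.
SAMPLE_LOG = """\
2024-05-01T10:00:00 login user=alice src=198.51.100.7 result=OK
2024-05-01T10:00:05 login user=alice src=203.0.113.5 result=FAIL
2024-05-01T10:00:10 login user=admin src=203.0.113.5 result=FAIL
2024-05-01T10:00:15 login user=bob src=203.0.113.5 result=FAIL
2024-05-01T10:00:20 login user=bob src=203.0.113.5 result=FAIL
2024-05-01T10:00:25 login user=bob src=203.0.113.5 result=FAIL
2024-05-01T10:00:30 login user=bob src=203.0.113.5 result=FAIL
2024-05-01T10:00:35 login user=bob src=203.0.113.5 result=OK
2024-05-01T10:02:00 login user=carol src=192.0.2.9 result=FAIL
2024-05-01T10:02:04 login user=carol src=192.0.2.9 result=OK
2024-05-01T10:02:10 order id=17 status=paid
"""


def parse(lines):
    """Yield (timestamp, user, src, result); skip lines that are not logins."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["user"], m["src"],
                   m["result"])


def detect(lines, fail_threshold=5, success_after=3,
           window=timedelta(seconds=60)):
    """Return a list of alert dicts in the order they were raised."""
    alerts = []
    recent_failures = defaultdict(deque)  # src -> failure timestamps in window
    already_flagged = set()
    for ts, user, src, result in parse(lines):
        q = recent_failures[src]
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if result == "FAIL":
            q.append(ts)
            if len(q) >= fail_threshold and src not in already_flagged:
                already_flagged.add(src)
                alerts.append({"kind": "password_guessing", "src": src,
                               "failures": len(q), "at": ts.isoformat()})
        else:
            if len(q) >= success_after:
                alerts.append({"kind": "success_after_failures", "src": src,
                               "user": user, "failures_before": len(q),
                               "at": ts.isoformat()})
            q.clear()  # a success ends the run for this source
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The detector keys on source address rather than user name because, as the sample shows, a guessing run typically cycles through several accounts; the honest single typo from 192.0.2.9 stays below both thresholds and produces nothing.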

As a particular and most common case of using detection systems, we can cite the situation with the uncontrolled use of modems. Security analysis systems can detect such modems, and attack detection systems can identify and prevent unauthorized actions carried out through them. Similar to security analysis tools, attack detection tools also function at all levels of the corporate network. An example is also the developments of ISS, a leader in the field of attack detection and security analysis.

3. Encryption and digital signature.

Using an encryption procedure, the sender converts a message into a set of characters that cannot be read without a special key known to the recipient. The recipient, using the key, converts the set of characters sent to him back into text. Usually the encryption algorithms are known and are not secret; the confidentiality of the transmission and storage of encrypted information is ensured by the confidentiality of the key. The degree of security depends on the encryption algorithm and the length of the key, measured in bits. The longer the key, the better the security, but the more computation is needed to encrypt and decrypt the data.

The main types of encryption algorithms are symmetric and asymmetric. Symmetric encryption methods are convenient because long keys are not needed to ensure a high level of data transmission security. This allows large amounts of information to be encrypted and decrypted quickly. At the same time, both the sender and the recipient of the information hold the same key, which makes authentication of the sender impossible. In addition, to start working with a symmetric algorithm, the parties need to exchange a secret key securely, which is easy to do in person but very difficult if the key must be transferred through any means of communication.

The operation scheme using a symmetric encryption algorithm consists of the following stages. The parties install software on their computers that provides encryption and decryption of data and the primary generation of secret keys.

A secret key is generated and distributed between participants in the information exchange. Sometimes a list of one-time keys is generated. In this case, a unique key is used for each information transfer session. In this case, at the beginning of each session, the sender notifies the recipient about the serial number of the key that he used in this message. The sender encrypts the information using installed software that implements a symmetric encryption algorithm; the encrypted information is transmitted to the recipient via communication channels. The recipient decrypts the information using the same key as the sender. Here is an overview of some symmetric encryption algorithms.
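The symmetric scheme just described, including the pre-shared list of one-time keys and the serial number the sender announces with each message, as an added example that is not part of the article. Because the Python standard library ships no AES, the cipher here is HMAC-SHA256 used as a keystream generator in counter mode with a separate encrypt-then-MAC tag; the key list and messages are constructed sample data. The `demo` function also shows the limitation the text states: since shop and customer hold identical keys, the shop can produce an envelope indistinguishable from one the customer sent, so the scheme gives integrity but no sender authentication.

```python
"""Symmetric exchange with a pre-shared list of one-time session keys.
Added example (not from the article). Because the standard library has no
AES, the cipher is HMAC-SHA256 used as a PRF in counter mode, with a
separate encrypt-then-MAC tag; the key list and messages are constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Envelope:
    """What travels over the channel: the key's serial number, a fresh nonce,
    the ciphertext and an integrity tag."""
    key_index: int
    nonce: bytes
    ciphertext: bytes
    tag: bytes


def generate_key_list(count: int) -> list:
    """Primary generation of secret keys, one per future session."""
    return [secrets.token_bytes(32) for _ in range(count)]


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC keys from one session key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _tag(mac_key: bytes, key_index: int, nonce: bytes, ct: bytes) -> bytes:
    data = key_index.to_bytes(4, "big") + nonce + ct
    return hmac.new(mac_key, data, hashlib.sha256).digest()


class Party:
    """Either side of the exchange; both hold an identical key list."""

    def __init__(self, key_list: list):
        self.key_list = list(key_list)
        self.spent = set()  # serial numbers this party has already used

    def encrypt(self, key_index: int, plaintext: bytes) -> Envelope:
        if key_index in self.spent:
            raise ValueError("one-time key %d already used" % key_index)
        self.spent.add(key_index)
        key = self.key_list[key_index]
        nonce = secrets.token_bytes(12)
        stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
        ct = bytes(p ^ s for p, s in zip(plaintext, stream))
        return Envelope(key_index, nonce, ct,
                        _tag(_subkey(key, b"mac"), key_index, nonce, ct))

    def decrypt(self, env: Envelope) -> bytes:
        key = self.key_list[env.key_index]  # look up the announced serial
        expected = _tag(_subkey(key, b"mac"), env.key_index, env.nonce,
                        env.ciphertext)
        if not hmac.compare_digest(expected, env.tag):
            raise ValueError("integrity check failed: altered or wrong key")
        stream = _keystream(_subkey(key, b"enc"), env.nonce,
                            len(env.ciphertext))
        return bytes(c ^ s for c, s in zip(env.ciphertext, stream))


def demo() -> tuple:
    """Shop and customer share one key list; returns (round-trip ok,
    tampering detected, recipient can forge a message with the same key)."""
    keys = generate_key_list(4)
    customer, shop = Party(keys), Party(keys)
    env = customer.encrypt(0, b"pay 9000 RUB for order 42")
    round_trip = shop.decrypt(env) == b"pay 9000 RUB for order 42"
    bad = Envelope(env.key_index, env.nonce,
                   bytes([env.ciphertext[0] ^ 0x01]) + env.ciphertext[1:],
                   env.tag)
    try:
        shop.decrypt(bad)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    # Both sides hold the same key, so a message "from the customer" could
    # equally have been produced by the shop: no sender authentication.
    forged = shop.encrypt(1, b"pay 9000 RUB for order 42")
    forgery_accepted = customer.decrypt(forged) == b"pay 9000 RUB for order 42"
    return round_trip, tamper_detected, forgery_accepted
```

The `spent` set enforces the one-time property on the sending side; a real deployment would also have the recipient refuse a serial number it has already seen, so that a captured envelope cannot be replayed.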

DES (Data Encryption Standard). Developed by IBM and widely used since 1977. Currently somewhat outdated, since the key length used in it is not sufficient to ensure resistance to attack by exhaustive search of all possible key values.

Triple DES. This is an advanced version of DES that applies the DES algorithm three times with different keys. It is significantly more resistant to cracking than DES.

Rijndael. The algorithm was developed in Belgium. It works with keys of length 128, 192 and 256 bits. At the moment, cryptography experts have no complaints about it.

Skipjack. The algorithm was created and used by the US National Security Agency. The key length is 80 bits. Encryption and decryption are performed cyclically (32 cycles).

IDEA. The algorithm is patented in the USA and a number of European countries. The patent holder is Ascom-Tech. The algorithm uses cyclic processing of information (8 cycles), applying a number of mathematical operations to it.

RC4. The algorithm is specially designed for quickly encrypting large volumes of information. It uses a key of variable length (depending on the required level of security) and works much faster than other algorithms. RC4 belongs to the so-called stream ciphers.

An electronic digital signature (EDS) is the electronic equivalent of a handwritten signature. The digital signature serves not only to authenticate the sender of the message, but also to verify its integrity. When using digital signatures, public and private keys are used to authenticate the sender of a message. The procedure is similar to that of asymmetric encryption, but in this case the private key is used for encryption, and the public key is used for decryption.

The algorithm for using digital signature consists of a number of operations. A pair of keys is generated - public and private. The public key is transferred to the interested party (the recipient of documents signed by the party that generated the keys). The sender of the message encrypts it with his private key and transmits it to the recipient via communication channels. The recipient decrypts the message with the sender's public key.

Based on materials from the domestic press.

Security is a state of protection from possible damage, the ability to contain or parry dangerous influences, as well as to quickly compensate for the damage caused. Security means maintaining the system's stability, sustainability and the possibility of self-development. One of the most popular topics of discussion is e-commerce security.

But so far, despite all the valuable opinions and statements, there is no practical, “earthly” guide to what exactly is the subject of e-commerce security. This article provides some perspectives on this issue and attempts to separate myths from reality. Let's try to answer some basic questions that are obvious to specialists.

Systems can be made secure. Systems can only be protected against known threats, reducing the associated risks to an acceptable level. Only you can determine the right balance between the desired level of risk reduction and the cost of the solution. Security in general is one of the aspects of risk management. And information security is a combination of common sense, business risk management and basic technical skills under the guidance of decent management, the wise use of specialized products, capabilities and expertise, and the right development technologies. At the same time, a website is just a means of delivering information to the consumer.

Website security is a purely technical issue. Too often, security is more a matter of appropriate control of the development process, proper operating system configuration management, and overall consistent site management. True security is under your direct control - what is acceptable when developing internal systems may not be appropriate for services that are fully shared. Problems in systems that affect only a few trusted employees within the enterprise become apparent when they move into shared environments.

The media regularly reports on all security vulnerabilities and risks. Often the media reports only those problems that can attract general attention and do not require special skills to understand the problem underlying them. Such messages rarely reflect real security threats to the business and are often not related to security at all.

Credit card information on the Internet is not secure. In fact, credit card information is much less susceptible to theft when transmitted over the Internet than in a nearby store or restaurant. An unscrupulous business may be interested in the unauthorized use of such information, and how you work with it - via the Internet or not - is no longer so important. You can increase the security of the information being transmitted by using secure transmission channels and reliable sites. An essential component of many e-commerce systems is the need for reliable consumer identification. The method of identification directly affects not only the degree of risk, but even the type of criminal prosecution.

Passwords identify people. Passwords provide only basic verification - that someone authorized to use a particular system is connecting. People tend not to hide their passwords too much from others - especially from close relatives and colleagues. More sophisticated authentication technology can be much more cost-effective. The level of authentication used should reflect the risk of access to information by unauthorized persons, regardless of the consent of its actual owner.

Once configured and installed, a security solution remains reliable over time. Businesses don't always install systems as expected; business changes and so do threats. You need to ensure that systems maintain security profiles and that your profile is continually re-evaluated from a business and external environment perspective. Technology is equally important, but must be seen as part of a wider range of security controls. Firewalls are commonly cited as a solution to protect the content of e-commerce sites, but even they have their weaknesses.

Firewalls are impenetrable. Once you implement a firewall, you can rest on your laurels, confident that attackers will never get past it. The problem is that they need to be configured so that some traffic still flows through them, and in both directions. You need to think carefully about what you are trying to protect. Preventing an attack on your site's home page is very different from preventing your web server from being used as a path to your backend systems, and the firewall requirements are very different in both cases. Many systems require complex, multi-layered security to ensure that only authorized users have access to more sensitive data. As a rule, email plays a key role on any e-commerce site. However, it does bring with it a number of security issues that cannot be ignored. These issues fall into two main categories:
Protecting email content - it may be tampered with or read.
Protecting your system from attacks via incoming email.
If you plan to work with confidential or integrity-sensitive email information, there are many products available to protect it.

Viruses are no longer a problem. Viruses still pose a serious threat. The latest hobby of virus creators is files attached to letters, which, when opened, execute a macro that performs actions not authorized by the recipient. But other means of spreading viruses are also being developed - for example, through HTML web pages. You need to ensure that your antivirus products remain up to date. If they were designed to scan for viruses, they may only be able to detect viruses, not eliminate them.

A company that has a public key certificate from a reputable Certification Authority (CA) is itself trustworthy. The certificate simply means something like: "At the time the certificate was requested, I, the CA, performed known steps to verify the identity of this company. You may or may not be satisfied with this. I am not familiar with this company and do not know whether it can be trusted, or even what exactly its business is. Until I am notified that the public key has been compromised, I will not even know that it, for example, was stolen or transferred to someone else, and it is up to you, not me, to check whether it has been revoked. My liability is limited to the provisions of my company's Policy Statement, which you should read before using keys associated with this company."

Digital signatures are the electronic equivalent of handwritten ones. There are some similarities, but there are many very significant differences, so it is unreasonable to consider these two types of signatures to be equivalent. Their reliability also depends on how strictly it is established that the private key is truly in individual use. Key differences are also that:
- Handwritten signatures are entirely under the control of the signer, while digital signatures are created using a computer and software that may or may not be trustworthy in doing what they claim to do.
- Handwritten signatures, unlike digital ones, have an original that can be copied.
- Handwritten signatures are not too closely related to what is being signed; the contents of the signed papers can be changed after signing. Digital signatures are intricately linked to the specific content of the data they sign.
- The ability to perform a handwritten signature cannot be stolen, unlike a private key.
- Handwritten signatures can be copied with varying degrees of similarity, and copies of digital signatures can only be created by using stolen keys and are 100% identical to the signature of the real key owner.
- Some authentication protocols require data to be digitally signed on your behalf, and you will never know what was signed. You can be forced to digitally sign almost anything.

Security products can be rated based on their functionality, just like business applications. Security products also require an assessment of how securely they are implemented and of the threats against which they cannot protect (which may not be documented). In general, business applications are selected based on functionality and ease of use, and it is taken for granted that the functions perform as expected (for example, a tax preparation package calculates taxes correctly). This does not hold for security products. The biggest question is how the security functions are implemented. For example, a package might offer strong password authentication for users but store the passwords in a simple text file that almost anyone can read. This would not be obvious at all and could create a false sense of security.
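The password-file example above, as an added illustration (this code is not from the article): the weak store that keeps the password itself, beside a hardened store using a per-user salt and PBKDF2-HMAC from the Python standard library. User names and passwords are constructed sample data.

```python
"""Weak vs. hardened credential storage (added example, not from the article)."""
import hashlib
import hmac
import secrets

# Deliberately slow key derivation so stolen records resist offline guessing.
PBKDF2_ITERATIONS = 200_000


# --- Weak store: the "simple text file" the article warns about -------------
def store_plaintext(records: dict, user: str, password: str) -> None:
    """Keeps the password itself; whoever can read the file owns every account."""
    records[user] = password


def verify_plaintext(records: dict, user: str, password: str) -> bool:
    return records.get(user) == password


# --- Hardened store: salted, iterated hash; the secret is never written -----
def store_hashed(records: dict, user: str, password: str) -> None:
    salt = secrets.token_bytes(16)  # per-user salt: equal passwords hash differently
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    # Self-describing record so the parameters can be raised later.
    records[user] = f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_hashed(records: dict, user: str, password: str) -> bool:
    record = records.get(user)
    if record is None:
        return False
    _algo, iterations, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def record_exposes_password(records: dict, user: str, password: str) -> bool:
    """The review check: does the stored record contain the password verbatim?"""
    return password in records.get(user, "")


if __name__ == "__main__":
    weak, safe = {}, {}
    store_plaintext(weak, "alice", "S3cret!")
    store_hashed(safe, "alice", "S3cret!")
    print("plaintext store leaks password:", record_exposes_password(weak, "alice", "S3cret!"))
    print("hashed store leaks password:", record_exposes_password(safe, "alice", "S3cret!"))
    print("hashed store verifies correct password:", verify_hashed(safe, "alice", "S3cret!"))
```

Both stores present the same login prompt to the user, which is exactly why the difference is invisible without reading the stored records.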

Security products are easy to install. Most products come with default settings. However, organizations have different security policies, and the configurations of systems and workstations rarely match each other. In practice, the installation must be tailored to the organization's security policy and to each specific platform configuration. Adapting the mechanisms to serve a rapidly growing number of users, and the other work of creating a secure environment for hundreds of existing users, can be a very complex and time-consuming process.

PKI products protect e-commerce without additional configuration. PKI products provide basic tools that help implement security solutions, but only as part of an overall package that also includes legal, procedural, and other technical elements. In practice, this is often much more complex and expensive than setting up a basic PKI.

Security consultants are absolutely trustworthy. Remember that security consultants will have access to all of your most sensitive processes and data. If the consultants you hire do not work for a reputable firm, obtain information about their competence and experience from a disinterested source, for example by talking to their previous clients. Many consultants claim to be information security professionals but in reality have little or no idea what it involves. They may even create a false sense of security by convincing you that your systems are more secure than they really are.

Conclusions.

So, before you leaf through the latest security brochures, get the basics straight:
- Carefully calculate the types of risks that threaten your e-commerce business and what they would cost you, and do not spend more on protection than this estimated cost of risk.
- Maintain a balance between procedural and technical security controls.
- Develop a complete project in which security is one of the fundamental components rather than something added after the fact.
- Select security products appropriate for this project.

Introduction
1. Electronic commerce and the history of its development
1.1. History of e-commerce
2. E-commerce security
2.1. Risks and threats
Conclusion
List of references

Introduction

The global Internet has made e-commerce accessible to companies of any size. If earlier the organization of electronic data exchange required significant investments in the communication infrastructure and was only feasible for large companies, then the use of the Internet today allows small firms to join the ranks of “electronic traders”. An electronic storefront on the World Wide Web gives any company the opportunity to attract customers from all over the world. Such an on-line business forms a new sales channel - “virtual”, which requires almost no material investments. If information, services or products (for example, software) can be delivered via the Web, then the entire sales process (including payment) can take place online.
The definition of e-commerce includes not only Internet-oriented systems, but also “electronic stores” that use other communication environments - BBS, VAN, etc. At the same time, sales procedures initiated by information from the WWW, but using fax, telephone, etc. for data exchange, can only be partially classified as e-commerce. We also note that, despite the fact that the WWW is the technological basis of e-commerce, a number of systems also use other communication capabilities. Thus, requests to the seller to clarify product parameters or to place an order can also be sent via email.
Today, the dominant means of payment for online purchases are credit cards. However, new payment instruments are also entering the scene: smart cards, digital cash, micropayments and electronic checks.
E-commerce includes not only on-line transactions. The area covered by this concept also includes such activities as conducting marketing research, identifying opportunities and partners, maintaining relationships with suppliers and consumers, organizing document flow, etc. Thus, e-commerce is a complex concept that includes electronic data exchange as one of its components.

1. E-commerce and the history of its development
E-commerce is a type of economic activity to promote goods and services from producers to consumers through electronic computer networks. In other words, e-commerce is the marketing, acquisition and sale of goods and services through computer networks, mainly the Internet. E-commerce provides new opportunities to improve the efficiency of commercial activities in general.
Unlike traditional commerce, e-commerce provides the following opportunities to companies:
a) Sell their products via the Internet;
b) Develop and coordinate relationships with consumers and suppliers;
c) Exchange goods and services electronically;
d) Reduce the cost of delivering digital products and of after-sales customer support;
e) Respond quickly to market changes;
f) Reduce overhead costs;
g) Improve customer service and introduce their own services for customers;
h) Expand the circle of consumers;
i) Take into account the individual needs of the buyer.
E-commerce allows buyers to:
a) Buy goods at any time and anywhere;
b) Conduct a comparative analysis of prices and choose the best;
c) Get simultaneous access to a wide range of products;
d) Choose convenient mechanisms for making purchases;
e) Receive information and news depending on their preferences.
1.1 History of e-commerce

The first e-commerce systems appeared in the 1960s in the USA. They were used in transport companies to exchange data between various services when preparing flights and for booking tickets.
Initially, such commerce was conducted using networks outside the Internet, using special standards for electronic data exchange between organizations.
By the late 1960s, there were four industry standards in the United States for data exchange among various transportation companies. To combine these standards, a special Transport Data Harmonization Committee was created in 1968; the results of its work formed the basis of the new EDI standard.
In the 1970s, similar events occurred in England. In this country, the main area of application of EDI was not transport but trade. The set of Tradacoms specifications selected here was adopted by the United Nations Economic Commission for Europe as a standard for data exchange in international trade organizations.
In the 1980s, work began on combining the European and American standards. As a result of this work, the 42nd session of the Working Party on International Trade Facilitation in September 1996 adopted Recommendation No. 25, "Use of the United Nations Standard for Electronic Data Interchange in Administration, Commerce and Transport."
Thus, in the early 1990s, the EDIFACT standard emerged and was adopted by ISO (ISO 9735).
But the final merger of American and European standards did not happen. A new, more promising opportunity has emerged for electronic data exchange – data exchange via the Internet.
The development of the Internet with its low cost of data transmission has made modernization of EDI systems urgent. As a result, in the mid-1990s, another standard was developed - EDIFACT over Internet (EDIINT), which describes how to transmit an EDI transaction using the SMTP/S-MIME secure email protocols.
For the emergence and growth of popularity of e-commerce, there are a number of demographic and technological prerequisites, such as:
a) widespread access to information technology, in particular computers and the Internet;
b) increasing the level of education of society and, consequently, more free handling of technology;
c) technological progress and the digital revolution have made it possible for many digital devices to interact with each other, such as a computer, mobile phone, etc.;
d) globalization, open economy, competition on a global scale;
e) accessibility of e-commerce to anyone, at any time, and in any place;
f) desire to save time;
g) growth in the range of goods and services, increasing demand for special goods and services.

2. Security of electronic commerce
One of the main problems of e-commerce today remains the problem of security, i.e. minimizing risks and protecting information.
The reasons for disruption of the normal functioning of a company on the Internet can be: computer viruses, fraud leading to financial losses; theft of confidential information; illegal interference in files with confidential information about consumers, etc.
The degree of protection of an electronic company's website depends on the confidentiality level of its information and the need to preserve it. So, for example, if credit card numbers are entered on a website, the web server must be given the highest degree of protection.
The tasks of maintaining security in e-commerce come down to user authentication, maintaining confidentiality and integrity of information: authentication - checking the authenticity of the user; confidentiality – ensuring the preservation of private information provided by the user; integrity of information – absence of distortions in the transmitted information.
Hackers and viruses can pose a threat to the integrity of information on a web server.
A hacker penetrates weakly protected computers and servers and installs special hidden programs that are quite difficult to detect. Typically, such a hidden program does not harm the host website itself but generates heavy network traffic. The hacker chooses the target of the attack and activates the pre-installed program by sending a command over the Internet to several computers. This begins an attack that overloads the commercial enterprise's network.
Another serious type of security breach of computers and servers on the Internet is a virus. Viruses violate the integrity of the system and mislead information security measures. The best means of protecting against viruses is to install and periodically update anti-virus programs, as well as use firewalls. A firewall is a filter installed between a corporate network and the Internet to protect information and files from unauthorized access and to allow access only to authorized persons. Thus, the firewall prevents computer viruses and hackers from entering the enterprise network and protects it from external influence when connected to the Internet.
When implementing e-commerce, one of the most important issues is information confidentiality. Information provided by the user to the company must be reliably protected. One of the ways to ensure secure and confidential data transmission over computer networks is cryptography, i.e. encrypting or encoding data so that only the parties involved in a particular transaction can read it.
When encrypting, the sender of a message converts the text into a set of characters that cannot be read without using a special key known to the recipient. The key to the cipher is a sequence of characters stored on a computer's hard drive or floppy disk. The degree of information security depends on the encryption algorithm and the key length, measured in bits.
There are two types of encryption algorithms:
- symmetric, in which the same key, known to both parties, is used for both encryption and decryption of information;
- asymmetric, in which two keys are used, one for encryption and the other for decryption. One of these keys is private (secret), the second is open (public).
One of the most well-known and promising methods of authenticating the sender of messages is an electronic digital signature (EDS), the electronic equivalent of a handwritten signature. The digital signature was first proposed in 1976 by Whitfield Diffie of Stanford University. The Federal Law of the Russian Federation "On Electronic Digital Signature" states that an electronic digital signature is a requisite of an electronic document intended to protect this document from forgery, obtained as a result of cryptographic transformation of information using the private key of an electronic digital signature, and allowing the owner of the signature key certificate to be identified and the absence of distortion of information in the electronic document to be established.
The process of applying an electronic digital signature is as follows:
1. The sender creates a message and encrypts it with his private key, which at the same time serves as the sender's electronic digital signature. In this case both the text of the message itself and the digital signature attached at the end of the document are encrypted.
2. The sender transmits the encrypted letter and his public key to the recipient via communication channels.
3. The recipient decrypts the message using the sender's public key.
4. Together with the digital signature, one of the existing hash functions is usually used. The hash function processes the message and produces a string of characters called a message digest (summary). The sender creates a digest of the message, encrypts it and also forwards it to the recipient. The recipient processes the message with the same hash function and obtains a digest as well. If both digests match, the message was received without corruption.
5. Digital certificates are used to confirm that a public key belongs to a specific person or commercial enterprise. A digital certificate is a document issued by a certification authority to confirm the identity of a specific person or enterprise by verifying its name and public key. To obtain a digital certificate, you contact the certification center and provide the necessary information. Each certification authority sets its own prices and, as a rule, issues a digital certificate for a year with the possibility of renewal upon payment for the next year.
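Steps 1 to 4 above, hash-then-sign with verification, as an added example (not the article's own code): the sender computes a SHA-256 digest and transforms it with the private key; the recipient recomputes the digest and compares it with what the public key recovers from the signature. The key is a constructed toy built from two Mersenne primes so the example is deterministic and needs no library; such a modulus is trivially factorable and the scheme has no padding, so it illustrates the mechanism only, and real systems use a vetted library with a padded signature scheme.

```python
"""Hash-then-sign with a toy RSA key (added example, not from the article)."""
import hashlib

# Toy key material (constructed): p = 2^127 - 1 and q = 2^521 - 1 are prime.
# Never use such a modulus for real signatures; it is here for determinism only.
P = 2**127 - 1
Q = 2**521 - 1
E = 65537  # common public exponent; coprime with (P-1)(Q-1) for these primes


def make_toy_keypair():
    """Return (public_key, private_key) as (n, e) and (n, d)."""
    n = P * Q
    phi = (P - 1) * (Q - 1)
    d = pow(E, -1, phi)  # modular inverse of e (Python 3.8+)
    return (n, E), (n, d)


def message_digest(message: bytes) -> int:
    """Step 4: the hash function yields a fixed-size summary of the message."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key) -> int:
    """Step 1 applied to the digest: transform it with the private key."""
    n, d = private_key
    return pow(message_digest(message), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Steps 3-4: recover the digest with the public key and compare it with
    a freshly computed digest of the received message."""
    n, e = public_key
    recovered = pow(signature, e, n)
    return recovered == message_digest(message)


if __name__ == "__main__":
    public, private = make_toy_keypair()
    order = b"order#1001: 3 x widget, ship to warehouse B"  # constructed message
    sig = sign(order, private)
    print("genuine order verifies:", verify(order, sig, public))
    # Any change to the signed content breaks the link the article describes.
    tampered = order.replace(b"3 x", b"30 x")
    print("altered order verifies:", verify(tampered, sig, public))
```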
To address security issues, e-commerce companies use SSL and SET technology.
The SSL protocol is the main protocol used to protect data transmitted over the Internet. This protocol is based on a combination of asymmetric and symmetric encryption algorithms. It provides three main functions: server authentication, client authentication, and SSL encrypted connection.
The SET protocol is a protocol used for transactions between commercial banks and credit card customers.
2.1. Risks and threats
Any business is associated with risks arising from competition, theft, instability of public preferences, natural disasters, etc. However, the risks associated with e-commerce have their own characteristics and sources, including:
- Intruders.
- Inability to attract partners.
- Equipment failures.
- Power, communication line or network failures.
- Dependence on delivery services.
- Intense competition.
- Software errors.
- Changes in policy and taxation.
- Limited system capacity.

Intruders
The most popular threat to e-commerce comes from computer hackers. Any enterprise is subject to the threat of attack by criminals, and large e-commerce enterprises attract the attention of computer hackers of various skill levels.
The reasons for this attention are varied. In some cases it is simply a “pure sporting interest”, in others a desire to do harm, steal money or purchase a product or service for free.
Site security is ensured by a combination of the following measures:
- Backing up important information.
- A personnel policy that attracts only conscientious people and encourages staff conscientiousness. The most dangerous hacking attempts come from within the company.
- Using software with data protection capabilities and updating it in a timely manner.
- Training personnel to identify targets and recognize system weaknesses.
- Auditing and logging to detect successful and unsuccessful hacking attempts.
Typically, hacking succeeds because of easy-to-guess passwords, common configuration errors, and failure to update software in a timely manner. Relatively simple measures are enough to protect against a not-so-sophisticated intruder. As a last resort, there should always be a backup copy of critical data.
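The auditing-and-logging control from the list above, applied to the easy-to-guess-password failure mode, as an added example (not from the article): it parses authentication records, counts failures per source address, and flags a success that follows a run of failures. The log format, the user names and the addresses are constructed for the example; adapt the regular expression to your own server's format.

```python
"""Spotting password guessing in authentication logs (added example)."""
import re
from collections import defaultdict

# Constructed record layout; real servers differ, so adjust the pattern.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log: one source guesses several accounts and eventually
# succeeds, another source has a single typo, a third only logs in normally.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z auth user=admin src=203.0.113.5 result=FAIL
2024-03-01T10:00:02Z auth user=admin src=203.0.113.5 result=FAIL
2024-03-01T10:00:03Z auth user=admin src=203.0.113.5 result=FAIL
2024-03-01T10:00:04Z auth user=root src=203.0.113.5 result=FAIL
2024-03-01T10:00:05Z auth user=shop src=203.0.113.5 result=FAIL
2024-03-01T10:00:06Z auth user=shop src=203.0.113.5 result=OK
2024-03-01T10:00:07Z auth user=alice src=198.51.100.7 result=FAIL
2024-03-01T10:00:08Z auth user=alice src=198.51.100.7 result=OK
2024-03-01T10:00:09Z auth user=bob src=198.51.100.9 result=OK
"""


def detect_guessing(log_text: str, threshold: int = 5) -> dict:
    """Return {src: {"failures": n, "users": set, "success_after_failures": bool}}
    for every source whose failure count reaches the threshold."""
    stats = defaultdict(
        lambda: {"failures": 0, "users": set(), "success_after_failures": False}
    )
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped rather than trusted
        entry = stats[m["src"]]
        if m["result"] == "FAIL":
            entry["failures"] += 1
            entry["users"].add(m["user"])  # many distinct users = account spraying
        elif entry["failures"] >= threshold:
            # A success only after many failures is the strongest signal.
            entry["success_after_failures"] = True
    return {src: e for src, e in stats.items() if e["failures"] >= threshold}


if __name__ == "__main__":
    for src, info in detect_guessing(SAMPLE_LOG).items():
        print(src, info["failures"], "failures on", sorted(info["users"]),
              "then success" if info["success_after_failures"] else "")
```

A source flagged with `success_after_failures` is the case the text describes: a weak password has probably been guessed, and the account should be reviewed and its password reset.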

Inability to attract partners
While hacker attacks are the biggest concern, most e-commerce failures still stem from traditional economic factors. Creating and marketing a large e-commerce site requires a lot of money. Companies prefer short-term investments, offering immediate growth in customers and revenue once the brand is established in the market.
The collapse of e-commerce led to the ruin of many companies that specialized only in it.

Equipment failures
It is quite obvious that the failure of an important part of one of the computers of a company whose activities are focused on the Internet can cause significant damage to it.
Protection against downtime for sites that operate under high load or perform important functions is provided by duplication, so that the failure of any component does not affect the functionality of the entire system. However, here too it is necessary to evaluate the losses from possible downtime in comparison with the costs of purchasing additional equipment.
A set of several computers running Apache, PHP and MySQL is relatively easy to set up. In addition, MySQL's replication engine allows information to be kept synchronized across databases. However, a large number of computers also means high costs for maintaining equipment, network infrastructure and hosting.
Power, communication lines, network and delivery service failures
Internet dependence means dependence on many interconnected service providers, so if the connection with the rest of the world suddenly breaks down, there is nothing to do but wait for it to be restored. The same applies to power outages and to strikes or other disruptions at the delivery company.
If you have a sufficient budget, you can contract with several service providers. This entails additional costs but ensures uninterrupted operation if one of them fails. Protection against power outages is provided by installing uninterruptible power supplies.

Intense competition
If you open a kiosk on the street, assessing the competitive environment is not particularly difficult - competitors will be everyone who sells the same product within sight. In the case of e-commerce, the situation is somewhat more complicated.
Depending on shipping costs, currency fluctuations and differences in labor costs, competitors may be located anywhere. The Internet is a highly competitive and rapidly developing environment. In popular business sectors, new competitors emerge almost daily.
Competition risk is difficult to assess. Here the most correct strategy is to support the current level of technology.

Software errors
When a business depends on software, it is vulnerable to bugs in that software.

The likelihood of critical failures can be minimized by installing reliable software, testing after each replacement of faulty hardware, and employing formal testing procedures. It is very important to accompany any innovations to the system with thorough testing.
To reduce the damage caused by software failures, you should promptly back up all data. When making any changes, you must save the previous program configurations. To quickly detect possible malfunctions, constant monitoring of the system is required.

Changes in tax policy
In many countries, e-business activities are not defined or not sufficiently defined by law. However, this situation cannot persist forever, and the settlement of the issue will lead to a number of problems that could lead to the closure of some enterprises. In addition, there is always the danger of higher taxes.
These problems cannot be avoided. In this situation, the only reasonable course of action would be to carefully monitor the situation and bring the enterprise’s activities in accordance with the law. The possibility of lobbying for your own interests should also be explored.

Limited system capacity
At the system design stage, you should definitely consider the possibility of its growth. Success is inextricably linked to loads, so the system must allow for equipment expansion.
Limited performance gains can be achieved by replacing hardware, but the speed of even the most advanced computer has a limit, so the software must provide the ability to distribute the load across multiple systems when the specified limit is reached. For example, a database management system must be able to process requests from multiple machines simultaneously.
System expansion is not painless, but timely planning at the development stage allows you to foresee many troubles associated with an increase in the number of clients and prevent them in advance.

Conclusion
Although connecting to the Internet provides enormous benefits due to access to a colossal amount of information, it is also dangerous for sites with low security levels. The Internet suffers from serious security problems that, if ignored, can spell disaster for unprepared sites. Errors in the design of TCP/IP, the complexity of host administration, vulnerabilities in programs, and a number of other factors together make unprotected sites vulnerable to the actions of attackers.
Organizations must answer the following questions to properly consider the security implications of Internet connectivity:
- Can hackers destroy internal systems?
- Could an organization's important information be compromised (modified or read) while being transmitted over the Internet?
- Is it possible to interfere with the organization's work?
These are all important questions. There are many technical solutions to combat the major Internet security problems. However, they all come at a price. Many solutions limit functionality in order to increase security. Others require significant compromises to be made regarding the ease of use of the Internet. Still others require the investment of significant resources - working time to implement and maintain security and money to purchase and maintain equipment and programs.
The purpose of an Internet security policy is to decide how an organization is going to protect itself. A policy usually consists of two parts - general principles and specific operating rules (which are equivalent to the specific policy described below). General principles guide the approach to Internet security. The rules determine what is allowed and what is prohibited. The rules may be supplemented by specific procedures and various guidelines.
It is true that there is a third type of policy that appears in the Internet security literature. This is a technical approach. In this publication, the technical approach will be understood as analysis that helps to implement the principles and rules of the policy. It is generally too technical and complex for organizational management to understand. Therefore, it cannot be used as widely as policy. However, it is required when describing possible solutions, identifying trade-offs that are a necessary element in describing policy.
For Internet policies to be effective, policymakers must understand the tradeoffs they will have to make. This policy should also not conflict with other governing documents of the organization. This publication attempts to provide technical professionals with the information they will need to explain to Internet policymakers. It contains a preliminary design of the policy, on the basis of which specific technical decisions can then be made.
The Internet is an important resource that has changed the way many people and organizations operate. However, the Internet suffers from serious and widespread security problems. Many organizations have been attacked or probed by attackers, causing them to suffer heavy financial losses and lose their prestige. In some cases, organizations were forced to temporarily disconnect from the Internet and spent significant amounts of money troubleshooting problems with host and network configurations. Sites that are unaware or ignore these issues put themselves at risk of online attack by malicious actors. Even those sites that have implemented security measures are exposed to the same dangers due to the emergence of new vulnerabilities in network programs and the persistence of some attackers.
The fundamental problem is that the Internet was not designed to be a secure network. Some of its problems in the current version of TCP/IP are:
- The ease of intercepting data and falsifying the addresses of machines on the network: the bulk of Internet traffic is unencrypted data. E-mails, passwords and files can be intercepted using easily accessible programs.
- Vulnerability of TCP/IP tools: a number of TCP/IP tools were not designed to be secure and can be compromised by skilled attackers; the tools used for testing are especially vulnerable.
- Lack of policy: many sites are unknowingly configured so that they provide wide access to themselves from the Internet without considering the possibility of abuse of this access; many sites allow more TCP/IP services than they need to operate and make no attempt to restrict access to information about their computers that could help attackers.
- Difficulty of configuration: host access controls are complex, and it is often difficult to configure them correctly and to verify that the configuration is effective. Tools that are misconfigured by mistake may allow unauthorized access.


Information security of electronic commerce (EC)

The number of Internet users has reached several hundred million and a new quality has emerged in the form of a “virtual economy.” In it, purchases are made through shopping sites, using new business models, their own marketing strategy, etc.

Electronic commerce (EC) is a business activity for selling goods via the Internet. As a rule, there are two forms of EC:

* trade between enterprises (business to business, B2B);

* trade between enterprises and individuals, i.e. consumers (business to consumer, B2C).

EC has given rise to such new concepts as:

* Electronic store – display window and trading systems that are used by manufacturers or dealers when there is demand for goods.

* Electronic catalog – with a large assortment of products from various manufacturers.

* An electronic auction is an analogue of a classic auction using Internet technologies, with a characteristic connection to a multimedia interface, an Internet access channel and display of product features.

* An electronic department store is an analogue of a regular department store, where ordinary companies display their goods, with an effective product brand (Gostiny Dvor, GUM, etc.).

* Virtual communities (communities), in which buyers are organized by interest groups (fan clubs, associations, etc.).

Internet in the field of EC brings significant benefits:

* savings for large private companies from transferring purchases of raw materials and components to Internet exchanges reaches 25 - 30%;

* participation in the auction of competing suppliers from around the world in real time leads to a reduction in the prices they have programmed for the supply of goods or services;

* increasing prices for goods or services as a result of competition from buyers from all over the world;

* savings by reducing the number of required employees and the volume of paperwork.

The dominant position in EC in Western countries has been taken by the B2B sector, which by 2007, according to various estimates, will reach from 3 to 6 trillion dollars. The first to benefit from transferring their business to the Internet were companies selling hardware and software and providing computer and telecommunications services.

Each online store includes two main components: an electronic storefront and a trading system.

The electronic storefront contains information about the goods sold on the Web site, provides access to the store database, registers customers, works with the buyer’s electronic “basket,” places orders, collects marketing information, and transmits information to the trading system.

The trading system delivers the goods and processes payment for them. A trading system is a collection of stores owned by different companies that rent space on a Web server owned by a separate company.

The technology of operating an online store looks like this:

1. The buyer selects the desired product on the electronic storefront (a Web site with a catalog of goods and prices) and fills out a form with personal data (full name, postal and email addresses, preferred method of delivery and payment). If payment is made via the Internet, special attention is paid to information security.

2. The completed order is transferred to the trading system of the online store, where it is processed. The trading system operates manually or automatically. The manual system operates on the Posyltorg principle, when it is impossible to purchase and set up an automated system, as a rule when the volume of goods is small.

3. Delivery and payment of goods. The goods are delivered to the buyer in one of the possible ways:

* store courier within the city and surrounding areas;

* specialized courier service (including from abroad);

* pick-up;

* delivery via telecommunications networks for such a specific product as information.

Payment for goods can be made in the following ways:

* in advance or at the time of receipt of the goods;

* cash to the courier or when visiting a real store;

* by postal transfer;

* by bank transfer;

* cash on delivery;

* using credit cards (VISA, MASTER CARD, etc.);

* through electronic payment systems of individual commercial banks (TELEBANK, ASSIST, etc.).

Recently, e-commerce, or trade via the Internet, has been developing quite rapidly in the world. Naturally, this process is carried out with the direct participation of financial institutions. And this method of trading is becoming increasingly popular, at least where the new electronic market can be used by a large part of businesses and the population.

Commercial activities on electronic networks remove some physical restrictions. Companies connecting their computer systems to the Internet are able to provide customers with support 24 hours a day without holidays and weekends. Orders for products can be accepted at any time from anywhere.

However, this “coin” has its other side. Abroad, where e-commerce is most widely developed, transactions or the cost of goods are often limited to $300-400. This is due to the insufficient solution to information security problems in computer networks. According to the UN Committee on Crime Prevention and Control, computer crime has reached the level of one of the international problems. In the United States, this type of criminal activity ranks third in terms of profitability after arms and drug trafficking.

According to forecasts by Forrester Tech., the volume of global e-commerce turnover via the Internet in 2006 could range from $1.8 to 2 trillion. Such a wide forecast range is determined by the problem of ensuring the economic security of e-commerce. If security remains at its current level, global e-commerce turnover may be even lower. It follows that the low security of e-commerce systems is a limiting factor in the development of e-business.

Solving the problem of ensuring the economic security of e-commerce is primarily associated with solving the issues of protecting information technologies used in it, that is, ensuring information security.

The integration of business processes into the Internet environment leads to a fundamental change in the security situation. Creating rights and responsibilities on the basis of an electronic document requires comprehensive protection of both the sender of the document and its recipient from the entire range of threats. Unfortunately, managers of e-commerce enterprises properly appreciate the seriousness of information threats and the importance of protecting their resources only after those resources have been subjected to information attacks. As can be seen, all of the listed obstacles relate to the field of information security.

The basic requirements for conducting commercial transactions include confidentiality, integrity, authentication, authorization, guarantees and secrecy.

In achieving information security, the basic tasks are ensuring the availability, confidentiality, integrity and legal significance of information. Each threat must be considered in terms of how it might affect these four properties of secure information.

Confidentiality means that restricted information should be accessible only to those for whom it is intended. Integrity of information is understood as its property of existing in an undistorted form. Availability of information is determined by the system's ability to provide timely, unimpeded access to information to subjects who have the appropriate authority. Legal significance of information has become important recently, with the creation of a regulatory framework for information security in our country.

If the first four of the requirements listed above (confidentiality, integrity, authentication and authorization) can be met by technical means, the fulfillment of the last two (guarantees and secrecy) depends both on technical means and on the responsibility of individuals and organizations, as well as on compliance with laws that protect consumers from possible fraud by sellers.

As part of ensuring comprehensive information security, it is first of all necessary to highlight the key problems in the field of electronic business security, which include:

* protection of information during its transmission via communication channels;

* protection of computer systems, databases and electronic document management;

* ensuring long-term storage of information in electronic form;

* ensuring transaction security, confidentiality of commercial information, authentication, intellectual property protection, etc.

There are several types of e-commerce threats:

* penetration into the system from the outside;

* unauthorized access within the company;

* intentional interception and reading of information;

* intentional disruption of data or networks;

* incorrect (for fraudulent purposes) identification of a user;

* hacking of software and hardware protection;

* unauthorized user access from one network to another;

* virus attacks;

* denial of service;

* financial fraud.

To counter these threats, a number of methods based on various technologies are used, namely: encryption, which encodes data so that it cannot be read or distorted in transit; digital signatures, which verify the identity of the sender and recipient; technologies using electronic keys; firewalls; and virtual private networks.

No method of protection is universal: for example, firewalls do not check for viruses and cannot ensure data integrity. There is no absolutely reliable way to prevent automated protection from being broken; it is only a matter of time before it is, but the time required depends on the quality of the protection. Software and hardware for protecting connections and applications on the Internet have been under development for a long time, although new technologies are being introduced somewhat unevenly.

The following threats lie in wait for an e-commerce company at every stage:

* substitution of the web page of the electronic store's server (redirection of requests to another server), making information about the client, especially about his credit cards, available to third parties;

* creation of false orders and various forms of fraud by employees of the electronic store, for example manipulation of databases (statistics show that more than half of computer incidents are associated with the activities of a company's own employees);

* interception of data transmitted over e-commerce networks;

* penetration of attackers into the company's internal network and compromise of electronic store components;