The Importance of Cyber Security in Electronic Commerce


Doing business on the Internet is quite profitable because a company’s products are no longer visible only in the city or countryside: their reach extends to the national and even international level. Doing business over the Internet also has several other advantages, such as wider product knowledge, increased business efficiency, and freedom from the limits of space and time.

Electronic commerce is a form of commerce conducted over the Internet. It can operate 2 hours a day, 7 days a week, and its wide market ranges from local to international.

E-commerce allows customers to do business quickly and at low cost without complicated processes: the buyer only needs to go to the website of the company that advertises its products on the Internet and be familiar with the terms and conditions of the seller.

In addition to the positive side, e-commerce also has a negative side: it is vulnerable to cybercrime such as identity theft and customer fraud, credit card crime, phishing, spammers, and so on.

Such security threats make customers afraid to transact and then return to traditional business practices. The aforementioned problems can be prevented if e-commerce merchants are aware of the importance of security. The most important thing to consider when conducting digital transactions is to maintain security.

The dimensions of e-commerce security are as follows: (1) authentication, buyers, sellers and payment institutions must verify their identity as authorized persons for transactions, as shown in Figure 1; (2) integrity, a guarantee that the data transmitted to electronic commerce remains intact and unchanged; (3) non-refusal, customers need protection if the seller refuses to deliver the goods or fails to pay. Such information is needed to identify the sender and receiver; (4) privacy, customers want their identity to be secure. They do not want others to know what they are buying; (5) security, customers want to ensure that the transmission of credit card number information over the Internet is secure.

In addition, there are several methods and mechanisms that can be used to fulfill the above dimensions of e-commerce security, namely:

Public Key Infrastructure (PKI)

Allows users of a basically insecure public network such as the Internet to securely and privately exchange money and information through public services.

Public key algorithm

Also known as asymmetrical algorithms, these are algorithms that use different keys for encryption and decryption.

Digital signature

A digital signature is an electronically generated signature that better guarantees the security of information and the authenticity of data, as well as assurance of the identity of the sender and the correctness of the information or data packet.

Digital Certificate

A Certificate Authority is a trusted third party (TTP) that issues an authorization certificate binding a key to its owner. This TTP issues a certificate that contains the person’s identity and also the person’s private key.

Secure Socket Layer (SSL)

A protocol that creates a secure pipe between the cardholder’s browser and the merchant so that hackers or attackers cannot intercept or hijack the data flowing in the pipe. In practice, SSL is used in conjunction with other protocols such as HTTP (Hyper Text Transfer Protocol) and with certificates.

Transport Layer Security (TLS)

TLS is an encryption protocol that provides secure communication on the Internet, such as email, Internet fax, and other data transmission.

Secure Electronic Transaction (SET)

SET is a combination of public/private key technology and digital signatures. For encryption, the public key uses 56-102-bit encryption, so the level of encryption is very high. In the transaction, the witness creates a digital certificate containing the cardholder’s identity information and public key, as well as “hidden” information about the credit card number, so it is as if the cardholder has a digital “ID card”. The cost of building SET infrastructure is relatively high, which is one of its weaknesses.

Information Security Threats in E-Commerce

Some common information security threats on e-commerce sites include credit card fraud. Skimming is buying goods online using an illegal credit card. Fraudsters usually take several steps in their crime, namely: (1) obtaining a credit card number, which can be done through various means, including phishing, hacking, snooping, keylogging, worms, information sharing between card issuers, website visitors who provide credit card numbers specific to the card, and other services designed to obtain credit card numbers; (2) visiting online stores such as eBay and Amazon, where the card manufacturer will test the number they need to see if the card is still valid or the limit is sufficient; (3) making online purchase transactions of goods as if they were the real cardholder; (4) determining the destination or delivery address; (5) pickup of the goods by carders.

As we all know, according to an AC Nielsen survey in 2001, Indonesia was ranked 6th in the world and 4th in Asia in terms of sources of carding crimes and had less than 10% internet usage. As a result, Indonesia was blacklisted as a shipping destination by many websites. That’s why Indonesian cardists in Yogyakarta, Bali, Bandung, and Jakarta usually use addresses in Singapore or Malaysia as intermediary addresses, which already have partners in those countries.

DoS (Denial of Service Attacks) and DDoS (Distributed DoS)

A Denial of Service attack is a type of attack against a computer or server on the Internet that consumes the computer’s resources until it can no longer perform its functions properly, which indirectly prevents other users from accessing the services of the attacked computer. In a denial of service attack, the attacker tries to prevent users from accessing the system or network through certain means, such as traffic flooding or request flooding. Distributed DoS, meanwhile, is a type of denial-of-service attack that uses multiple attacker hosts (either computers designed to be attacked or computers that are “forced” to become zombies) to attack a single target server on the network. Distributed DoS is a type of attack often used against popular websites like Yahoo!, Amazon, and eBay.

Social Engineering

The simplest and most lucrative attack is the use of social engineering techniques. The attacker obtains confidential/sensitive information by deceiving the owner of the information. Social engineering is usually done over the phone or internet. A common scenario is for the attacker to call shoppers and pretend to be a representative of the website they are buying goods from and collect important information. The attacker then calls the site’s customer service and pretends to be the buyer and tells them the personal information they previously received from the buyer. The attacker then asks the customer service to reset the existing password.

For example, someone pretends to be a ticket seller and calls one of the company’s employees to confirm that his vacation tickets are booked and ready to be issued. The order is placed with the name and position of the item in the company, and the information should match the item. Of course, the target does not want to order the tickets, and the attacker still has to match the name and employee number. This information can be used as a source of information when switching to a system with the target company.

Another form is phishing. If there is a typo, the buyer goes to an unauthorized site and provides confidential information in their possession. Attackers can also send a fake email that appears to come from a legitimate website and then take the information it contains.

Malicious code

An executable program, either a macro or a script, created to damage a computer system. It can take the form of a virus, worm or trojan. If an e-commerce site has this malicious code, it is likely that the visitor’s computer is also infected. ID/password forgery can occur with this malicious code.
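An added example (not from the original article) of a check a shop or mail filter could run against the typo-based phishing described above: it flags hostnames that are one or two edits away from the shop's real hostnames. The allow-list, the threshold of 2 and the function names are assumptions made for this example.

```go
package main

import (
	"fmt"
	"strings"
)

var trusted = []string{"shop.example.com", "pay.example.com"} // constructed allow-list

// editDistance returns the Levenshtein distance between a and b using one DP row.
func editDistance(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	row := make([]int, len(rb)+1)
	for j := range row {
		row[j] = j
	}
	for i, ca := range ra {
		diag := row[0] // value up-left of the cell being filled
		row[0] = i + 1
		for j, cb := range rb {
			best := diag // substitution, free when the runes match
			if ca != cb {
				best++
			}
			if row[j]+1 < best {
				best = row[j] + 1 // insertion
			}
			if row[j+1]+1 < best {
				best = row[j+1] + 1 // deletion
			}
			diag, row[j+1] = row[j+1], best
		}
	}
	return row[len(rb)]
}

// classify labels a link's hostname as trusted, a lookalike (1-2 edits away) or unknown.
func classify(host string) string {
	host, verdict := strings.ToLower(host), "unknown"
	for _, t := range trusted {
		if d := editDistance(host, t); d == 0 {
			return "trusted"
		} else if d <= 2 {
			verdict = "lookalike of " + t
		}
	}
	return verdict
}

func main() { fmt.Println(classify("shoop.example.com")) }
```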
