
International Journal of Computer Engineering and Technology (IJCET), ISSN 0976-6367 (Print), ISSN 0976-6375 (Online), Volume 4, Issue 1, January-February (2013), pp. 46-53, IAEME: www.iaeme.com/ijcet.asp, Journal Impact Factor (2012): 3.9580 (Calculated by GISI), www.jifactor.com

PROTECTIVE MEASURES IN E-COMMERCE TO DEAL WITH SECURITY THREATS ARISING OUT OF SOCIAL ISSUES: A FRAMEWORK

Biswajit Tripathy (1), Jibitesh Mishra (2)

(1) Associate Professor, Dept of Computer Science & Engg, Synergy Institute of Engineering & Technology, Dhenkanal 759 001 (India), email: biswajit69@gmail.com
(2) Associate Professor, HOD, Dept of Computer Sc & Engg, College of Engineering & Technology, Ghatikia, Bhubaneswar (India), email: mishrajibitesh@gmail.com

ABSTRACT

In the early 1990s, when the Internet made computers popular with the masses and knowledge workers began to outnumber factory workers, the era of the information revolution began. The dawn of the Internet era has significantly changed the way people and organizations around the world interact with each other. Vendors around the world have started setting up shops over the web. Entire market places for trade and commerce have sprung up online. In a country like India, where entrepreneurs are born in every nook and corner, e-commerce provides a low-investment, high-return opportunity. Traditional businesses have taken their wares over the net and profited immensely from it. Now the whole world is their market place. This article gives an account of the security aspects, the different threats arising out of social issues, the causes of such threats, and remedial measures against them.

Keywords: Threats, Privacy, Security, e-commerce

I. INTRODUCTION

India, an emerging economy, has witnessed unprecedented levels of economic expansion, along with countries like China, Russia, Mexico and Brazil. India, being a cost-effective and labor-intensive economy, has benefited immensely from the outsourcing of work from developed countries and from a strong manufacturing- and export-oriented industrial framework. In 2009, out of $161.3 billion of FDI, most went to the IT and ITeS sector. Experts expect the Indian economy to be the world's biggest economy by 2040.

India's software export revenue is expected to grow at a rate of 13-14%. The IT and software industry is a major player in the Indian economy. Based mainly on IT software and facilities such as system integration, software experiments, custom application development and maintenance (CADM), and network and IT services and solutions, the country's IT-BPO industry expanded by 12% during fiscal year 2009 and attained aggregate returns of US$71.6 billion. Of this revenue, US$59.6 billion was generated directly by the software and services sector alone. Market research firm IDC India, in a recent study, has said that India's information technology and IT-enabled services industry will reach more than $132 billion by 2012, one of the main factors being the expansion of the domestic market in India [2-8].

The dawn of the Internet era has significantly changed the way people and organizations around the world interact with each other. With 81 million Internet users, compared to 825 million in Asia and 1966.5 million worldwide, India stands fourth in the world by number of users. The Internet, which was earlier only a medium for transferring data or communicating, now supports a wider range of applications termed e-commerce. Products and services are now just a click away. Secure online transactions provided by vendors such as Visa and Mastercard, as well as online bank transfers, have only added to the confidence of audiences willing to participate in online commerce. The emergence of Web 2.0 fueled this trend even further. Vendors around the world have started setting up shops over the web. Entire market places for trade and commerce have sprung up online [8,9]. In India, where entrepreneurs are born in every nook and corner, e-commerce provides a low-investment, high-return opportunity. Traditional businesses have profited immensely by utilizing this opportunity. Now the whole world is their market. It started slowly, with bazee.com leading the way. Slowly, trade portals and online travel portals joined the bandwagon. After eBay acquired bazee.com, the level of access that users had to e-commerce increased significantly. Although by most references India accounts for only approximately 2% of the e-commerce in the Asia-Pacific region, the amount in figures is staggering. It was estimated at around $2.1 billion in 2008 and predicted to grow to around $6 billion by 2011. In fact, only 6.9% of the Indian population had access to the Internet in 2010 [9].

II. SECURITY ASPECTS

Privacy and security can be viewed as ethical questions. At the same time, the privacy and security area attracts a large amount of attention from the commercial sector because it has the potential to determine the success or failure of many business ventures, most obviously e-commerce activities. Privacy and security are often described in terms of ethics and therefore taken to be of an ethical nature. At the same time, they are used by commercial organizations to promote their particular, usually financial but often also political, objectives. This is problematic because the commercial use of the terms privacy and security promotes a particular ideology and uses the ethical recognition of the concepts to limit critical discourse. There are general definitions, such as the classical one by Landwehr, which states that a system is secure if it adequately protects the information that it processes against unauthorized disclosure, unauthorized modification, and unauthorized withholding. Unfortunately, the text goes on to say that no practical system can achieve these goals simultaneously and that security is inherently relative. Security is thus important for the ability to interact with others in a self-confident manner. It is also required to develop relationships of trust with others [1].

Privacy concerns have garnered much attention in recent years with the rise in identity fraud and the new capabilities to collect and process information brought about by technology. From 1998 to 2003, there were a reported 27.3 million cases of identity fraud, accounting for nearly $48 billion in losses to financial institutions and $5 billion worth of out-of-pocket expenses to consumers, according to the Federal Trade Commission (FTC) report of 2003 [2]. Strengthening the trust framework, including information security and network security, authentication, privacy and consumer protection, is a prerequisite for the development of the Information Society and for building confidence among users. In a nutshell, the perception of cyber-threats therefore has two main aspects: on one side, a new kind of vulnerability due to modern society's dependency on inherently insecure information systems, and on the other side, the expansion of the threat spectrum, especially in terms of malicious actors and their capabilities [10].

III. THREAT CAUSES

It was only in the early 1990s that a confluence of events brought about what can be described as a techno-crescendo of information revolution dreams, when computers became popular with the masses and knowledge workers began to outnumber factory workers [11]. One major reason for the rise of identity fraud is that the increase in Internet transactions makes the authentication of persons more difficult than ever before, because there is no human contact and less opportunity for identification checks. Hence, methods for identification and verification in e-commerce environments are becoming increasingly necessary to avoid potential issues such as identity fraud. Online banking, electronic financial transactions, online data stores, and Internet commerce, for example, are becoming extremely popular, and the technologies to prevent misuse of these systems continue to expand as their importance increases and the potential for financial loss grows [2].

Potentially damaging events that could happen to the information infrastructure are commonly categorized as failures, accidents, and attacks. These events are only considered to be potentially damaging because not all events actually produce harmful results: a system failure will not occur as long as the error does not reach the service interface of the system, and it might go unobserved [9]. Failures are potentially damaging events caused by deficiencies in the system or in an external element on which the system depends. Failures may be due to software design errors, hardware degradation, human errors, or corrupted data.


Accidents include the entire range of randomly occurring and potentially damaging events such as natural disasters. Usually, accidents are externally generated events from outside the system, whereas failures are internally generated events. It has been found statistically that, among the various causes of cyber threats, some of the biggest threats are attacks committed by insiders: individuals who are, or previously had been, authorized to use the information systems they eventually employ to spread harm [10]. In fact, different types of hackers must be distinguished [14], mainly by their motivation and skill level:

- Script kiddies: The more immature, but unfortunately often just as dangerous, exploiters of security lapses on the Internet. The driving force of script kiddies has been shown to be boredom, curiosity, or teenage bravado.
- Hacktivists: If hacking is taken to mean "illegally breaking into computers", then hacktivism could be defined as "the nonviolent use of illegal or legally ambiguous digital tools in pursuit of political ends".
- Crackers or Black Hat Hackers: Someone who (usually illegally) attempts to break into or otherwise subvert the security of a program, system, or network, often with malicious intent. Hackers themselves like to distinguish this type of hacker from Sneakers or White Hat Hackers, who attempt to break into systems or networks in order to help the owners of the system by making them aware of security flaws in it.

Some of the key issues that can create threats to an e-commerce application are given below:

- Gathering information about employees through mailers, e.g. surveys
- Gathering information about employees by developing relationships
- Forensic analysis of hard drives, memory sticks, etc.
- Pretending to be a senior manager or a helpless user
- Pretending to be a technical support engineer
- Disgruntled employees

Basically, there are two threat scenarios: one from hackers and individuals, termed the unstructured threat, and the other from foreign nation states, termed the structured threat [16]. The unstructured threat is random and relatively limited; it consists of adversaries with limited funds and organization and short-term goals. These actors have limited resources, tools, skills, and funding to accomplish a sophisticated attack. However, such attacks might cause considerable damage if the attackers are sufficiently foolish or lucky. The structured threat is considerably more methodical and better supported. These adversaries have all-source intelligence support, extensive funding, organized professional support, and long-term goals. Foreign intelligence services, criminal elements, and professional hackers involved in information warfare, criminal activities, or industrial espionage fall into this threat category [17]. The following is an overview of important common issues currently discussed in the context of legislative procedures in the countries covered in the handbook [18]:


- Data protection and security in electronic communications;
- IT security and information security requirements;
- Fraudulent use of computers and computer systems, damage to or forgery of data, and similar offences;
- Protection of personal data and privacy;
- Identification and digital signatures;
- Responsibilities in e-Commerce and e-Business;
- International harmonization of cybercrime law;
- Minimum standards of information security for e-governance, service providers, and operators, including the implementation of different security standards such as BS7799, the code of practice for information security management ISO/IEC 17799, the Common Criteria for Information Technology Security Evaluation ISO/IEC 15408, and others;
- Public key infrastructure and its regulation.

Across all boundaries, there are two main factors that influence and sometimes even hinder efficient law enforcement, one with a national and the other with an international dimension:

- Lack of know-how or of functioning legal institutions: Even if a country has strict laws and prohibits many practices, the enforcement of such laws is often difficult. Frequently, the necessary means to effectively prosecute misdemeanours are lacking, due to resource problems, inexistent or emerging cyber-crime units, or a lack of supportive legislation, such as the storing of rendition data [10].
- Lack or disparity of legal codes: While most crimes, such as theft, burglary, and the like, are punishable offences in almost every country of the world, some rather grave disparities still remain. For example, in most European countries it is illegal to publish right-wing extremist or anti-Semitic statements on the Internet. However, the US does not prosecute such offences if committed within its borders, as they are usually protected by the First Amendment to the Constitution, which guarantees freedom of speech [19].

IV. MEASURES TO REMOVE THREATS

In the following, we look more closely at four possible categories of initiatives launched by multilateral actors: deterrence, prevention, detection, and reaction.

Deterrence, or the focus on the use of multilateral cyber-crime legislation: Multilateral initiatives to deter the malicious use of cyberspace include initiatives to a) harmonize cyber-crime legislation and promote tougher criminal penalties (e.g. the Council of Europe Convention on Cybercrime) [20], and b) improve e-commerce legislation (e.g. the efforts of the United Nations Commission on International Trade Law (UNCITRAL) for electronic commerce) [21].

Prevention, or the design and use of more secure systems, better security management and the promotion of more security mechanisms: Multilateral initiatives to prevent the malicious use of cyberspace centre around a) promoting the design and use of more secure information systems [22]; b) improving information security management in organizations of all sectors (e.g. the ISO and OECD standards and guidelines initiatives) [23]; and c) legal and technological initiatives such as the promotion of security mechanisms (e.g. electronic signature legislation in Europe).

Detection, or cooperative policing mechanisms and early warning of attacks: Multilateral initiatives to detect the malicious use of cyberspace include a) the creation of enhanced cooperative policing mechanisms (e.g. the G-8 national points of contact for cyber-crime); and b) early warning of cyber-attack through the exchange of information between the public and private sectors (e.g. the US Information Sharing & Analysis Centers, the European Early Warning & Information System, and the European Network and Information Security Agency (ENISA)).

Reaction, or the design of stronger information infrastructures, crisis management programs, and policing and justice efforts: Multilateral initiatives to react to the malicious use of cyberspace include a) efforts to design robust and survivable information infrastructures; b) the development of crisis management systems; and c) improvement in the coordination of policing and criminal justice efforts [24].

In order to counter the security threats due to social factors, the following recommendations can be made:

- A well-documented security policy accessible to employees, and training provided to the employees
- Awareness of threats and of the impact of social engineering on the company
- Implementation of a proper security audit
- A proper identity management policy for authentication
- Clear-cut operating policies and procedures to limit vulnerabilities
- Use of advanced physical solutions such as intelligent revolving doors, biometric systems, etc. to eliminate or reduce unauthorized physical access

Along with each policy, the standards and guidelines to be followed should be clearly explained. The broad outlines of this policy should include the following:

- Computer system usage: Monitoring the use of non-company standard mail or activity.
- Information classification and handling: Confidential information should be properly classified and should not be available to everybody.
- Personnel security: Proper screening of new employees and other visitors to ensure that they do not pose a security threat.
- Physical security: A proper authentication process for allowing employees into secure portions of the company, e.g. sign-in procedures through electronic and biometric security devices.
- Information access: Password usage, guidelines for generating secure passwords, and access authorization.
- Protection from viruses: Working policies for protection of the systems from viruses and other threats.
- Security awareness training: This ensures that employees are kept informed of threats and countermeasures.
- Compliance monitoring: This ensures that the security policy is being complied with.
- Document destruction: All information should be disposed of by shredding, not by discarding it in trash or recycling bins.
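As an added example (not code from the paper or its authors), the following Python script shows how the "Computer system usage" and "Compliance monitoring" policy items above can be backed by a concrete, repeatable check rather than left as a statement of intent: it parses mail-gateway log lines, reports messages sent from company accounts to non-company domains, and flags unusually large ones for review. The log format, the sample lines, the company domain names and the size threshold are all constructed assumptions for illustration.

```python
"""
Added example (not from the paper): a minimal compliance-monitoring check
for the "Computer system usage" policy item. It scans mail-gateway log
lines and reports mail sent from company accounts to non-company domains.
"""
import re
from collections import Counter

# Assumption: the company's own mail domains (placeholder values).
COMPANY_DOMAINS = {"example-shop.in", "mail.example-shop.in"}

# Constructed sample log lines, loosely modelled on a mail-gateway log.
SAMPLE_LOG = """\
2013-01-15T09:02:11 from=alice@example-shop.in to=bob@example-shop.in size=2048 status=sent
2013-01-15T09:05:47 from=alice@example-shop.in to=alice.personal@webmail.example size=918233 status=sent
2013-01-15T09:06:02 from=carol@example-shop.in to=support@vendor.example size=3100 status=sent
2013-01-15T09:10:30 from=dave@example-shop.in to=dave@example-shop.in,press@news.example size=77 status=sent
2013-01-15T09:12:00 malformed line that the parser must skip
"""

# Assumed line layout: timestamp, sender, comma-separated recipients, size, status.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) from=(?P<from>\S+) to=(?P<to>\S+) size=(?P<size>\d+) status=(?P<status>\w+)$"
)


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = int(rec["size"])
    rec["to"] = rec["to"].split(",")
    return rec


def domain_of(address):
    """Domain part of an e-mail address, lower-cased for comparison."""
    return address.rsplit("@", 1)[-1].lower()


def external_recipients(rec, company_domains=COMPANY_DOMAINS):
    """Recipients whose domain is not one of the company's own domains."""
    return [r for r in rec["to"] if domain_of(r) not in company_domains]


def scan_log(text, company_domains=COMPANY_DOMAINS, size_threshold=500_000):
    """
    Return one finding per outbound message with at least one external
    recipient. Each finding records the sender, the external recipients and
    whether the message size reached the threshold (large outbound mail to
    non-company domains is what the usage policy is meant to surface).
    Malformed lines and inbound mail are skipped.
    """
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if domain_of(rec["from"]) not in company_domains:
            continue  # inbound mail is out of scope for this check
        ext = external_recipients(rec, company_domains)
        if ext:
            findings.append({
                "ts": rec["ts"],
                "from": rec["from"],
                "external_to": ext,
                "large": rec["size"] >= size_threshold,
            })
    return findings


def summarize(findings):
    """Per-sender count of external messages, for the compliance report."""
    return Counter(f["from"] for f in findings)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        flag = " LARGE" if f["large"] else ""
        print(f"{f['ts']} {f['from']} -> {', '.join(f['external_to'])}{flag}")
    print("per-sender:", dict(summarize(found)))
```

The check deliberately reports rather than blocks: the policy item calls for monitoring, and a reviewer still has to decide whether mail to a vendor is legitimate business or a leak. In a real deployment the domain allow-list would be maintained with the identity management policy rather than hard-coded.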


V. CONCLUSION

Insider threats are a major social issue that causes extensive damage to any system. A generalized framework has been proposed in this article that covers different organizations and agencies. This framework will guide e-commerce companies in establishing a more secure system. However, a localized policy has to be made for each company in order to address the local social issues. Apart from these, proper training guidelines for the general users working in the company or organization need to be framed.

REFERENCES
1. Stahl, B. C.: Privacy and Security as Ideology, IEEE Technology & Society Magazine, Spring, IEEE, pp. 35-45 (2007).
2. Taner Pirim et al.: An Empirical Investigation of an Individual's Perceived Need for Privacy and Security, International Journal of Information Security and Privacy, Volume 2, Issue 1, edited by Hamid R. Nemati, IGI Global, pp. 42-53 (2008).
3. http://www.economywatch.com/indianeconomy/indian-economy-overview.html, visited on 2 Jan 2013.
4. http://teck.in/indias-software-export-revenue-to-grow-by-13-14-in-fy-2010-2011.html, visited on 2 Jan 2013.
5. http://www.intology.com/business-finance/indian-it-industry-revenue-to-be-morethan-doubled-by-2012/, visited on 2 Jan 2013.
6. http://www.nasscom.in/Nasscom/templates/NormalPage.aspx?id=53404, visited on 2 Jan 2013.
7. http://economictimes.indiatimes.com/tech/internet/wikileaks-to-publish-files-onaliens-ufos/articleshow/7042278.cms, visited on 2 Jan 2013.
8. http://www.internetworldstats.com/stats.htm, visited on 2 Jan 2013.
9. http://www.chillibreeze.com/articles_various/ecommerce-India.asp, visited on 2 Jan 2013.
10. Myriam Dunn: A Comparative Analysis of Cyber Security Initiatives Worldwide, International Telecommunication Union, WSIS Thematic Meeting on Cyber Security, Geneva; Center for Security Studies, Swiss Federal Institute of Technology (ETH Zurich), for the WSIS Thematic Meeting on Cyber Security (2005).
11. Kushnick, Bruce: The Unauthorized Biography of the Baby Bells & Info-Scandal (New Networks Institute), p. 22 (1999).
12. Avizienis et al.: Fundamental Concepts of Dependability, Research Report N01145 (2000); Office of Critical Infrastructure Protection and Emergency Preparedness (OCIPEP) (2003).
13. U.S. Secret Service and Carnegie Mellon University Software Engineering Institute: Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors. URL: http://www.secretservice.gov/ntac_its.shtml (2005).
14. Levy, Steven: Hackers: Heroes of the Computer Revolution (New York: Anchor Press) (1984).
15. Denning, Dorothy E.: Activism, Hacktivism, and Cyberterrorism: The Internet as a Tool for Influencing Foreign Policy, presented at the Internet and International Systems: Information Technology and American Foreign Policy Decision Making Workshop (1999).
16. National Academy of Sciences (1991).
17. Minihan, Kenneth A.: Prepared statement before the Senate Governmental Affairs Committee, 24 June 1998 (1998).
18. Finnish Communications Regulatory Authority: Information Security Review Related to the National Information Security Strategy (24 May 2002). URL: http://www.ficora.fi/englanti/document/review.pdf (2002).
19. Gelbstein, Eduardo and Ahmad Kamal: Information Insecurity. A Survival Guide to the Uncharted Territories of Cyber Threats and Cyber Security. United Nations ICT Task Force and United Nations Institute for Training and Research (New York, November 2002). URL: http://www.un.int/unitar/patit/dev/oldsite/curriculum/Information_Insecurity_Second_Edition_PDF.pdf (2002).
20. Council of Europe Convention on Cybercrime. URL: http://conventions.coe.int/Treaty/EN/Treaties/Html/185.htm.
21. http://www.uncitral.org/english/workinggroups/wg_ec/index.htm.
22. http://www.commoncriteriaportal.org/.
23. The International Organization for Standardization (ISO) has developed a code of practice for information security management (ISO/IEC 17799:2000). URL: http://www.iso.org/iso/en/prodsservices/popstds/-informationsecurity.html.
24. The Organisation for Economic Co-operation and Development (OECD) promotes a culture of security for information systems and networks. URL: http://www.oecd.org/document/42/0,2340,en_2649_33703_15582250_1_1_1_1,00.html.
25. Porteous, Holly: Some Thoughts on Critical Information Infrastructure Protection, in: Canadian IO Bulletin, 2, 4, October. URL: http://www.ewa-canada.com/Papers/IOV2N4.htm (1999).
26. L. Chandra Sekaran and Dr. S. Balasubramanian: Website Based Patent Information Searching Mechanism, International Journal of Computer Engineering & Technology (IJCET), Volume 1, Issue 2, 2010, pp. 180-191, published by IAEME.
27. M. B. Thulase and Dr. G. T. Raju: Website Based Patent Information Searching Mechanism, International Journal of Computer Engineering & Technology (IJCET), Volume 3, Issue 2, 2012, pp. 487-498, published by IAEME.
28. Neeraj Tiwari, Rahul Anshumali and Prabal Pratap Singh: Wireless Sensor Networks: Limitation, Layerwise Security Threats, Intruder Detection, International Journal of Electronics and Communication Engineering & Technology (IJECET), Volume 3, Issue 2, 2012, pp. 22-31, published by IAEME.
29. Dr. V. Antony Joe Raja: The Study of E-Commerce Service Systems in Global Viral Marketing Strategy, International Journal of Marketing & Human Resource Management (IJMHRM), Volume 3, Issue 1, 2012, pp. 9-18, published by IAEME.
30. Mahmoud M. Maqableh: Secure Hash Functions Based on Chaotic Maps for E-Commerce Applications, International Journal of Information Technology and Management Information System (IJITMIS), Volume 1, Issue 1, 2010, pp. 12-22, published by IAEME.
31. Gurudatt Kulkarni, Ruchira Chandorkar and Nikita Chavan: A Security by Biometric Authentication, International Journal of Computer Science and Engineering Research and Development (IJCSERD), Volume 2, Number 1, 2012, pp. 7-14, published by PRJ Publication.
