Introduction
1. Electronic commerce and the history of its development
1.1. History of e-commerce
2. E-commerce security
2.1. Risks and threats
Conclusion
List of references

Introduction

The global Internet has made e-commerce accessible to companies of any size. If earlier the organization of electronic data exchange required significant investments in the communication infrastructure and was only feasible for large companies, then the use of the Internet today allows small firms to join the ranks of “electronic traders”. An electronic storefront on the World Wide Web gives any company the opportunity to attract customers from all over the world. Such an on-line business forms a new sales channel - “virtual”, which requires almost no material investments. If information, services or products (for example, software) can be delivered via the Web, then the entire sales process (including payment) can take place online.
The definition of e-commerce includes not only Internet-oriented systems, but also “electronic stores” that use other communication environments - BBS, VAN, etc. At the same time, sales procedures initiated by information from the WWW, but using fax, telephone, etc. for data exchange, can only be partially classified as e-commerce. We also note that, despite the fact that the WWW is the technological basis of e-commerce, a number of systems also use other communication capabilities. Thus, requests to the seller to clarify product parameters or to place an order can also be sent via email.
Today, the dominant means of payment for online purchases are credit cards. However, new payment instruments are also entering the scene: smart cards, digital cash, micropayments and electronic checks.
E-commerce includes not only on-line transactions. The area covered by this concept must also include such activities as conducting marketing research, identifying opportunities and partners, maintaining relationships with suppliers and consumers, organizing document flow, etc. Thus, e-commerce is a complex concept that includes electronic data exchange as one of its components.

1. E-commerce and the history of its development
E-commerce is a type of economic activity to promote goods and services from producers to consumers through electronic computer networks. In other words, e-commerce is the marketing, acquisition and sale of goods and services through computer networks, mainly the Internet. E-commerce provides new opportunities to improve the efficiency of commercial activities in general.
Unlike traditional commerce, e-commerce provides the following opportunities to companies:
a) Sell your products via the Internet;
b) Develop and coordinate relationships with consumers and suppliers;
c) Exchange goods and services electronically;
d) Reduce the cost of delivering digital products and of after-sales customer support;
e) Respond quickly to market changes;
f) Reduce overhead costs;
g) Improve customer service and introduce your own services for customers;
h) Expand the circle of consumers;
i) Take into account the individual needs of the buyer.
E-commerce allows buyers to:
a) Buy goods at any time and anywhere;
b) Conduct a comparative analysis of prices and choose the best;
c) Get simultaneous access to a wide range of products;
d) Choose convenient mechanisms for making purchases;
e) Receive information and news depending on your preferences.
1.1 History of e-commerce

The first e-commerce systems appeared in the 1960s in the USA. They were used in transport companies to exchange data between various services when preparing flights and for booking tickets.
Initially, such commerce was conducted using networks outside the Internet, using special standards for electronic data exchange between organizations.
By the late 1960s, there were four industry standards in the United States for data exchange among various transportation companies. To combine these standards, a special Transport Data Harmonization Committee was created in 1968. The results of its work formed the basis of the new EDI standard.
In the 1970s, similar events occurred in England. In this country, the main area of application of EDI was not transport, but trade. The set of Tradacoms specifications selected here has been adopted by the United Nations Economic Commission for Europe as a standard for data exchange in international trade organizations.
In the 1980s, work began to combine European and American standards. As a result of this work, the 42nd session of the Working Party on International Trade Facilitation in September 1996 adopted Recommendation No. 25, “Use of the United Nations Standard for Electronic Data Interchange in Administration, Commerce and Transport.”
Thus, in the early 1990s, the EDIFACT standard emerged and was adopted by ISO (ISO 9735).
But the final merger of American and European standards did not happen. A new, more promising opportunity has emerged for electronic data exchange – data exchange via the Internet.
The development of the Internet with its low cost of data transmission has made modernization of EDI systems urgent. As a result, in the mid-1990s, another standard was developed - EDIFACT over Internet (EDIINT), which describes how to transmit an EDI transaction using the SMTP/S-MIME secure email protocols.
For the emergence and growth of popularity of e-commerce, there are a number of demographic and technological prerequisites, such as:
a) widespread access to information technology, in particular computers and the Internet;
b) increasing the level of education of society and, consequently, more free handling of technology;
c) technological progress and the digital revolution have made it possible for many digital devices to interact with each other, such as a computer, mobile phone, etc.;
d) globalization, open economy, competition on a global scale;
e) accessibility of e-commerce to anyone, at any time, and in any place;
f) desire to save time;
g) growth in the range of goods and services, increasing demand for special goods and services.

2. E-commerce security
One of the main problems of e-commerce today remains the problem of security, i.e. minimizing risks and protecting information.
The reasons for disruption of the normal functioning of a company on the Internet can be: computer viruses, fraud leading to financial losses; theft of confidential information; illegal interference in files with confidential information about consumers, etc.
The degree of protection required for an electronic company's website depends on the confidentiality of the information it handles and on how strictly that confidentiality must be maintained. So, for example, if credit card numbers are entered on a website, then it is necessary to ensure the highest degree of protection for the web server.
The tasks of maintaining security in e-commerce come down to user authentication, maintaining confidentiality and integrity of information: authentication - checking the authenticity of the user; confidentiality – ensuring the preservation of private information provided by the user; integrity of information – absence of distortions in the transmitted information.
Hackers and viruses can pose a threat to the integrity of information on a web server.
A hacker penetrates weakly protected computers and servers and installs special stealthy programs, which are quite difficult to detect. Typically, such a hidden program does not harm the website on which it sits, but creates great congestion on the network. The hacker determines the target of his attack and activates the pre-installed program, sending a command over the Internet to several computers at once. This begins an attack that overloads a commercial enterprise's network.
Another serious type of security breach of computers and servers on the Internet is a virus. Viruses violate the integrity of the system and mislead information security measures. The best means of protecting against viruses is to install and periodically update anti-virus programs, as well as use firewalls. A firewall is a filter installed between a corporate network and the Internet to protect information and files from unauthorized access and to allow access only to authorized persons. Thus, the firewall prevents computer viruses and hackers from entering the enterprise network and protects it from external influence when connected to the Internet.
When implementing e-commerce, one of the most important issues is information confidentiality. Information provided by the user to the company must be reliably protected. One of the ways to ensure secure and confidential data transmission over computer networks is cryptography, i.e. encrypting or encoding data so that only the parties involved in a particular transaction can read it.
When encrypting, the sender of a message converts the text into a set of characters that cannot be read without using a special key known to the recipient. The key to the cipher is a sequence of characters stored on a computer's hard drive or floppy disk. The degree of information security depends on the encryption algorithm and the key length, measured in bits.
There are two types of encryption algorithms:
- symmetric, in which the same key, known to both parties, is used for both encryption and decryption of information;
- asymmetric, in which two keys are used, one for encryption and the other for decryption. One of these keys is private (secret), the second is open (public).
One of the most well-known and promising methods of authenticating the sender of messages is an electronic digital signature (EDS), the electronic equivalent of a handwritten signature. The first digital signature was proposed in 1976 by Whitfield Diffie from Stanford University. The Federal Law of the Russian Federation “On Electronic Digital Signature” states that an electronic digital signature is an attribute of an electronic document intended to protect this document from forgery, obtained as a result of a cryptographic transformation of information using the private key of an electronic digital signature, which makes it possible to identify the owner of the signature key certificate and to establish that the information in the electronic document has not been distorted.
The process of applying an electronic digital signature is as follows:
1. The sender creates a message and encrypts it with his private key, which at the same time serves as the sender's electronic digital signature. In this case, both the text of the communication itself and the digital signature attached at the end of the document are encrypted.
2. The sender transmits the encrypted letter and his public key via communication channels to the recipient.
3. The recipient decrypts the message using the sender's public key.
4. Together with the digital signature, one of the existing hash functions is usually used. While processing the message, the hash function produces a string of characters called a message digest. The sender creates a digest of the message, encrypts it and also forwards it to the recipient. The recipient processes the message with the same hash function and also obtains a digest of the message. If both message digests match, then the message was received without corruption.
5. Digital certificates are used to confirm that a public key belongs to a specific person or commercial enterprise. A digital certificate is a document issued by a certification authority to confirm the identity of a specific person or enterprise by verifying its name and public key. To obtain a digital certificate, you must contact the certification authority and provide the necessary information. Each certification authority sets its own prices and, as a rule, issues a digital certificate for a year with the possibility of renewal after payment for the next year.
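The signing process above, worked through as an added example (this is not code from the original essay). It uses a textbook RSA key pair whose two primes are the well-known Mersenne primes 2^521-1 and 2^127-1, hard-coded as an assumption so the block runs offline; a real system generates fresh random primes and applies a padding scheme such as RSASSA-PSS, neither of which is shown here. The message digest is produced with SHA-256 (step 4), transformed with the private key (step 1), handed over with the public key (step 2) and checked with the public key (step 3); altering a single byte of the message makes verification fail, which is the integrity check the text describes. Only the Python standard library is used.

```python
import hashlib

# Textbook RSA key pair for demonstration. The two primes are the well-known
# Mersenne primes 2^521-1 and 2^127-1, hard-coded so the example runs offline;
# a production system generates fresh random primes of equal size instead.
P = (1 << 521) - 1
Q = (1 << 127) - 1
N = P * Q                      # public modulus, about 648 bits: larger than any SHA-256 digest
PHI = (P - 1) * (Q - 1)
E = 65537                      # public exponent (coprime with PHI for these primes)
D = pow(E, -1, PHI)            # private exponent, E * D == 1 (mod PHI)
PUBLIC_KEY = (N, E)            # handed to the recipient (step 2)
PRIVATE_KEY = (N, D)           # stays with the sender (step 1)


def message_digest(message: bytes) -> int:
    """Step 4: the hash function turns a message of any length into a fixed-size digest."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key) -> int:
    """Step 1: the sender transforms the digest with the private key; the result is the signature."""
    n, d = private_key
    return pow(message_digest(message), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Step 3: the recipient undoes the transformation with the public key and compares digests."""
    n, e = public_key
    if not 0 < signature < n:           # reject out-of-range values before doing any arithmetic
        return False
    return pow(signature, e, n) == message_digest(message)


if __name__ == "__main__":
    order = b"Order 4711: 3 items, total 120.00"          # constructed sample message
    sig = sign(order, PRIVATE_KEY)
    print("valid signature accepted:", verify(order, sig, PUBLIC_KEY))
    print("altered message rejected:", not verify(order.replace(b"120", b"920"), sig, PUBLIC_KEY))
```

What the block does not do is step 5: nothing here proves that PUBLIC_KEY belongs to the sender, which is exactly the gap a certificate issued by a certification authority closes.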
To address security issues, e-commerce companies use SSL and SET technology.
The SSL protocol is the main protocol used to protect data transmitted over the Internet. This protocol is based on a combination of asymmetric and symmetric encryption algorithms. It provides three main functions: server authentication, client authentication, and SSL encrypted connection.
The SET protocol is a protocol used for transactions between commercial banks and credit card customers.
2.1. Risks and threats
Any business is associated with risks arising from competition, theft, instability of public preferences, natural disasters, etc. However, the risks associated with e-commerce have their own characteristics and sources, including:
Intruders.
Inability to attract partners.
Equipment failures.
Power, communication lines or network failures.
Dependence on delivery services.
Intense competition.
Software errors.
Changes in policy and taxation.
Limited system capacity.

Intruders
The most popular threat to e-commerce comes from computer hackers. Any enterprise is subject to the threat of attack by criminals, and large e-commerce enterprises attract the attention of computer hackers of various skill levels.
The reasons for this attention are varied. In some cases it is simply a “pure sporting interest”, in others a desire to do harm, steal money or purchase a product or service for free.
Site security is ensured by a combination of the following measures:
Back up important information.
Personnel policy that allows you to attract only conscientious people to work and encourage conscientiousness of staff. The most dangerous hacking attempts come from within the company.
Using software with data protection capabilities and updating it in a timely manner.
Training personnel to identify targets and recognize system weaknesses.
Auditing and logging to detect successful and unsuccessful hacking attempts.
Typically, hacking is successful due to easy-to-guess passwords, common configuration errors, and failure to update software versions in a timely manner. To protect yourself from a not-so-sophisticated intruder, it is enough to take relatively simple measures. As a last resort, there should always be a backup copy of critical data.

Inability to attract partners
While hacker attacks are the biggest concern, most e-commerce failures still stem from traditional economic factors. Creating and marketing a large e-commerce site requires a lot of money. Companies prefer short-term investments, offering immediate growth in customers and revenue once the brand is established in the market.
The collapse of e-commerce led to the ruin of many companies that specialized only in it.

Equipment failures
It is quite obvious that the failure of an important part of one of the computers of a company whose activities are focused on the Internet can cause significant damage to it.
Protection against downtime for sites that operate under high load or perform important functions is provided by duplication, so that the failure of any component does not affect the functionality of the entire system. However, here too it is necessary to evaluate the losses from possible downtime in comparison with the costs of purchasing additional equipment.
Lots of computers running Apache, PHP and MySQL are relatively easy to set up. In addition, MySQL's replication engine allows for general synchronization of information across databases. However, a large number of computers also means high costs for maintaining equipment, network infrastructure and hosting.
Power, communication lines, network and delivery service failures
Internet dependence means dependence on many interconnected service providers, so if the connection with the rest of the world suddenly breaks down, there is nothing to do but wait for it to be restored. The same applies to power outages and to strikes or other disruptions at the delivery company.
If you have a sufficient budget, you can contract with several service providers. This entails additional costs, but ensures uninterrupted operation in the event of failure of one of them. Power outages can be guarded against by installing uninterruptible power supplies.

Intense competition
If you open a kiosk on the street, assessing the competitive environment is not particularly difficult - competitors will be everyone who sells the same product within sight. In the case of e-commerce, the situation is somewhat more complicated.
Depending on shipping costs, currency fluctuations and differences in labor costs, competitors may be located anywhere. The Internet is a highly competitive and rapidly developing environment. In popular business sectors, new competitors emerge almost daily.
Competition risk is difficult to assess. Here the most correct strategy is to support the current level of technology.

Software errors
When a business depends on software, it is vulnerable to bugs in that software.

The likelihood of critical failures can be minimized by installing reliable software, testing after each replacement of faulty hardware, and employing formal testing procedures. It is very important to accompany any innovations to the system with thorough testing.
To reduce the damage caused by software failures, you should promptly back up all data. When making any changes, you must save the previous program configurations. To quickly detect possible malfunctions, constant monitoring of the system is required.

Changes in tax policy
In many countries, e-business activities are not defined or not sufficiently defined by law. However, this situation cannot persist forever, and the settlement of the issue will lead to a number of problems that could lead to the closure of some enterprises. In addition, there is always the danger of higher taxes.
These problems cannot be avoided. In this situation, the only reasonable course of action would be to carefully monitor the situation and bring the enterprise’s activities in accordance with the law. The possibility of lobbying for your own interests should also be explored.

Limited system capacity
At the system design stage, you should definitely consider the possibility of its growth. Success is inextricably linked to loads, so the system must allow for equipment expansion.
Limited performance gains can be achieved by replacing hardware, but the speed of even the most advanced computer has a limit, so the software must provide the ability to distribute the load across multiple systems when the specified limit is reached. For example, a database management system must be able to process requests from multiple machines simultaneously.
System expansion is not painless, but timely planning at the development stage allows you to foresee many troubles associated with an increase in the number of clients and prevent them in advance.

Conclusion
Although connecting to the Internet provides enormous benefits due to access to a colossal amount of information, it is also dangerous for sites with low security levels. The Internet suffers from serious security problems that, if ignored, can spell disaster for unprepared sites. Errors in the design of TCP/IP, the complexity of host administration, vulnerabilities in programs, and a number of other factors together make unprotected sites vulnerable to the actions of attackers.
Organizations must answer the following questions to properly consider the security implications of Internet connectivity:
Can hackers destroy internal systems?
Could an organization's important information be compromised (modified or read) while being transmitted over the Internet?
Is it possible to interfere with the work of the organization?
These are all important questions. There are many technical solutions to combat major Internet security problems. However, they all come at a price. Many solutions limit functionality in order to increase security. Others require significant compromises to be made regarding the ease of use of the Internet. Still others require the investment of significant resources - working time to implement and maintain security and money to purchase and maintain equipment and programs.
The purpose of an Internet security policy is to decide how an organization is going to protect itself. A policy usually consists of two parts - general principles and specific operating rules (which are equivalent to the specific policy described below). General principles guide the approach to Internet security. The rules determine what is allowed and what is prohibited. The rules may be supplemented by specific procedures and various guidelines.
It is true that there is a third type of policy that appears in the Internet security literature. This is a technical approach. In this publication, the technical approach will be understood as analysis that helps to implement the principles and rules of the policy. It is generally too technical and complex for organizational management to understand. Therefore, it cannot be used as widely as policy. However, it is indispensable when describing possible solutions, identifying trade-offs that are a necessary element in describing policy.
For Internet policies to be effective, policymakers must understand the tradeoffs they will have to make. This policy should also not conflict with other governing documents of the organization. This publication attempts to provide technical professionals with the information they will need to explain to Internet policymakers. It contains a preliminary design of the policy, on the basis of which specific technical decisions can then be made.
The Internet is an important resource that has changed the way many people and organizations operate. However, the Internet suffers from serious and widespread security problems. Many organizations have been attacked or probed by attackers, causing them to suffer heavy financial losses and lose their prestige. In some cases, organizations were forced to temporarily disconnect from the Internet and spent significant amounts of money troubleshooting host and network configuration issues. Sites that are unaware or ignore these issues put themselves at risk of online attack by malicious actors. Even those sites that have implemented security measures are exposed to the same dangers due to the emergence of new vulnerabilities in network programs and the persistence of some attackers.
The fundamental problem is that the Internet was not designed to be a secure network. Some of its problems in the current version of TCP/IP are:
The ease of intercepting data and falsifying addresses of machines on the network - the bulk of Internet traffic is unencrypted data. Emails, passwords and files can be intercepted using easily accessible programs.
Vulnerability of TCP/IP tools - a number of TCP/IP tools were not designed to be secure and can be compromised by skilled attackers; the tools used for testing are especially vulnerable.
Lack of policy - many sites are unknowingly configured in such a way that they provide wide access to themselves from the Internet, without taking into account the possibility of abuse of this access; Many sites allow more TCP/IP services than they need to operate and make no attempt to restrict access to information about their computers that could help attackers.
Difficult to configure - host access controls are complex; it is often difficult to correctly configure and verify the effectiveness of installations. Tools that are incorrectly configured by mistake may result in unauthorized access.



Ensuring information security of trade enterprises, retail networks and their infrastructure

Current trends in the development of trade in Russia lead to the consolidation of companies by increasing the number of enterprises in their composition, consolidating the assets of various operators, conducting mergers and acquisitions, and creating network distribution centers. As a result, the requirements for information technology and their importance in organizing trade are growing. Processing information flows in any company requires high speed and absolute accuracy.

Fig. 1. The main information flows circulating in the management system of a network company


Managing a modern store, wholesale trade enterprise and distribution network involves the use of automated systems for integrated trade, warehouse and accounting. Today, managers make management decisions based on data obtained from information systems. Thus, whatever the structure of the company, accounting for contracts, movements of inventory, cash and accounting must be carried out in a single information space.

In order to automate the management of the trading process, an information system is created at the enterprise, which may include:


    - internal accounting and reporting system (contains data on the volume, structure and speed of commodity production and circulation, costs and losses of the enterprise, gross income, net profit, profitability, etc.);
    - marketing information system (allows you to track the current state, trends and prospects for market development). This information system can also be defined as an intelligence system, because it ensures the collection, processing and analysis of data on the activities of competitors.

Data into the information system comes from company personnel and from distributors’ office systems. In the future, they are used for operational management of the enterprise, control and analysis of the activities of the company as a whole, regional offices and distributors. Consumers of information network data are managers and executives of the company and distributors. Figures 1 and 2 show the main information flows circulating in the management system of a trading enterprise (trade network), showing their main sources and consumers.

To make strategic management decisions, it is imperative for the head of an enterprise, financial director, chief accountant, and senior managers to present a complete picture of the state of the enterprise and its development trends (Fig. 1.).

At their workplaces in the accounting department, on the sales floor, in the warehouse, workers deal only with individual fragments of the general information flow. Their tasks and functions, as a rule, come down to processing and recording the receipt and consumption of goods, issuing invoices, working on a cash register, etc. (Fig. 2.).

Considering the risks of trading enterprises and the vulnerability of information systems, it seems irresponsible to take an approach in which the company reacts to events after the fact, i.e. after they happen. It follows that the company must create an information security system. It is one of the main elements of the control system.

Stopping the operation of an information system can cause irreversible consequences for a business. Thus, according to the insurance company Gerling, if the information system is completely stopped, trading companies can only exist for 2.5 days, and for manufacturing enterprises without a continuous production cycle, this figure is 5 days.

The initial data for creating an effective information security system should be clear ideas about its goals and structure, the types of threats and their sources, and possible countermeasures.

Sources of threats can be external and internal.

Fig. 2. Data exchange system for employees of various departments of a retail enterprise or retail chain


External threats most often come from competitors, criminal groups, and corrupt officials within the legal and administrative authorities. The actions of external threats can be aimed at passive storage media, at the removal of information during the exchange process, or at the destruction of information or damage to its storage media. Threats can also be directed at company personnel and take the form of bribery, threats, blackmail or prying out information constituting a trade secret, or involve luring away leading specialists, etc.

Insider threats pose the greatest danger. They can come from incompetent managers, unscrupulous and unskilled personnel, embezzlers and fraudsters, and outdated means of production. Individual employees with a high level of self-esteem, due to dissatisfaction with their ambitions (salary level, relationships with management, colleagues, etc.), may proactively give out commercial information to competitors, try to destroy important information or passive media, for example, introduce a computer virus.

Damage to information resources can be caused by:


    unauthorized access to, and removal of, confidential information;
    bribery of employees in order to gain access to confidential information or to the information system;
    interception of information circulating in communications and computer facilities and systems using technical means of reconnaissance and information collection;
    eavesdropping on confidential conversations taking place in office premises, official and personal vehicles, in apartments and dachas;
    negotiation processes, exploiting careless handling of information.

The main sources of information are: people, documents, publications, technical media, technical means, products and waste.

The main ways to obtain unauthorized information are:


    - disclosure of confidential information;
    - unauthorized access to information resources;
    - leakage of confidential information due to the fault of company employees.

The relevance of the problem of taking measures to ensure information security can be illustrated by the following examples:


    1. The federal operator’s security service detects from two to six incidents related to information security violations every month.
    2. In a hypermarket, a young woman was briefed on the weaknesses of the program that links cash register terminals over a local network. As a result of the fraud, the lady “earned” 900,000 rubles in three months.
    3. A young cashier made changes to the cash program and in a month caused damage to the enterprise in the amount of about 200,000 rubles. The system administrator discovered the fact of unauthorized access only during an investigation two months after the cashier was fired.

Thus, business leaders must understand the importance of information security and learn to anticipate and manage future trends. Effective operation of security systems should be a top priority for the entire enterprise.
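The third incident above, an altered cash-register program that went unnoticed for two months, is the case that file integrity monitoring exists for. As an added example (not code from the original article, and the directory layout and file contents are constructed assumptions), the Python below records a SHA-256 baseline of every file under a program directory, then compares a later snapshot against it and reports added, removed and modified files; the demo builds a throwaway directory, baselines it, alters the totals routine the way an unauthorized change would, and returns the difference.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def file_sha256(path):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> sha256 for every regular file under root (paths use '/' on all platforms)."""
    root = Path(root)
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): file_sha256(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_baseline(baseline, path):
    """Store the baseline as JSON; in real use this copy lives somewhere the monitored host cannot write."""
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def compare_baseline(baseline, current):
    """Report what changed between the stored baseline and a fresh snapshot."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: a register program directory is baselined, then one routine is altered."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "pos.cfg").write_text("discount_limit=10\n")
        (root / "lib").mkdir()
        (root / "lib" / "totals.py").write_text("def total(items): return sum(items)\n")
        baseline_file = root / "baseline.json"
        save_baseline(build_baseline(root), baseline_file)
        # Simulated unauthorized change to the cash program's logic plus a stray new file.
        (root / "lib" / "totals.py").write_text("def total(items): return sum(items) * 0.9\n")
        (root / "debug.log").write_text("x")
        baseline = load_baseline(baseline_file)
        return compare_baseline(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

A comparison run on a schedule, with the baseline stored off the monitored host and refreshed only after an approved deployment, turns "discovered during an investigation two months later" into an alert the same day.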

Main directions of information protection:


    - legal protection includes the legislation of the Russian Federation and the company's own regulatory documents, including: regulations on the preservation of confidential information, a list of information constituting a trade secret, instructions on the procedure for granting employees access to confidential information, regulations on office work and document flow, employees' obligation not to disclose confidential information, a reminder to employees about maintaining trade secrets, etc.;
    - organizational protection includes regime-administrative and organizational measures. These include: organization of a security service, organization of internal and access control, organization of work with employees on non-disclosure of information constituting commercial and official secrets, organization of work with documents, organization of work on the analysis of external and internal threats, etc.;
    - engineering and technical protection involves the use of various technical, electronic and software tools designed to protect information.

    The implementation of an information security program should rest on the integrated use of security systems and tools, on the premise that the required level of security cannot be achieved by any single tool or measure, or by a simple combination of them; their systemic coordination is necessary. Under this approach a threat can reach the protected asset only if every layer of protection is overcome.

The security of any e-commerce system as a whole lies in protection from various types of interference in its data. All these interventions can be divided into several categories:

· data theft (for example, theft of credit card numbers from a database);

· interference (for example, flooding a site with more data or requests than it was designed to handle);

· distortion of data (for example, altering amounts in payment and invoice files, or forging certificates or fake sites to siphon off data destined for a specific site);

· destruction of data (for example, during transmission from the site or to the site from the user);

· repudiation of actions taken (for example, denying having placed an order or received the goods);

· unintentional misuse of site facilities by a bona fide user;

· unauthorized access to information:

· unauthorized copying, updating or other use of data;

· unauthorized transactions;

· unauthorized viewing or transmission of data (for example, displaying real names of visitors instead of nicknames in a chat room or forum).

At the same time, one cannot fail to take into account that in matters of security in this area there are a number of objective problems of a legal nature - technologies are developing much faster than the legislative framework, it is difficult to catch an attacker in the act of a crime, and evidence and traces of crimes can easily be destroyed without a trace. All this makes it necessary for companies to carefully develop a policy for protecting their electronic business. Complete and absolute security is unattainable because e-business systems are built on a variety of off-the-shelf and custom software applications from various vendors and a significant number of external services provided by service providers or business partners. A significant part of these components and services are usually opaque to IT specialists of the customer company; in addition, many of them are often modified and improved by their creators. It is impossible to thoroughly check all of these for potential security defects, and it is even more difficult to eliminate all of these defects. And even if this were possible, the so-called human factor cannot be excluded, since all systems are created, changed and managed by people, and according to research by the Computer Security Institute, 81% of respondents noted that the greatest concern for companies is the internal threat - intentional or unintentional actions of their own employees.

There are two aspects to the problem of protection against internal threats: technical and organizational. The technical aspect is the aim of eliminating any possibility of unauthorized access to information. For this purpose such well-known means are used as:

· maintaining passwords and changing them regularly;

· granting the minimum rights necessary to administer the system;

· standard procedures for the timely change of access groups during personnel changes and the immediate revocation of access when an employee is dismissed.

The organizational aspect is to develop a sound internal security policy that turns into routine operations such methods of protecting against and preventing hacker attacks, still rarely used by companies, as:

· introduction of a general safety culture in the company;

· penetration testing of software;

· tracking every hacking attempt (no matter how successful it is) and thoroughly investigating it;

· annual training for staff on security and cybercrime issues, including information on specific signs of hacker attacks, to maximize the number of employees who have the ability to detect such activity;

· introduction of clear procedures for handling cases of unintentional change or destruction of information.

To protect against external intrusion, today there are many systems that are essentially different kinds of filters that help identify hacking attempts at the early stages and, if possible, prevent an attacker from entering the system through external networks.

· routers - traffic management devices located between networks, controlling the incoming and outgoing traffic of the network segments connected to them;

· firewalls - means of isolating private networks from public networks, using software that monitors and blocks external attacks on the site by controlling the types of requests allowed through;

· application gateways - the means by which the network administrator implements the security policy that governs the packet-filtering routers;

· Intrusion Detection Systems (IDS) - systems that detect intentional attacks and unintentional misuse of system resources by users;

· security assessment tools (special scanners, etc.) - programs that regularly scan the network for problems and test the effectiveness of the implemented security policy.

In general, the first thing a company should do is figure out what should be protected and from whom. The main players in this field are the company's shareholders, consumers, employees and business partners, and for each of them it is necessary to develop their own protection scheme. All security requirements must be documented to serve as guidance for all implementations of e-commerce applications and their security measures across the company's various business lines. In addition, this will allow you to create a separate budget for servicing security problems within the company and optimize costs for these needs, eliminating the duplication of any security issues when developing each individual business project.

Unfortunately, today’s practice is such that the security policy is left to the management of the IT department, whose employees believe that technological issues are more important than some kind of “paper” instructions, and, moreover, are not specialists in certain areas of business that also require clear protection procedures within the company.

In addition, when integrating different software products, specific problems may arise that are unknown to the manufacturers of each of the integrated products. Research into such interactions should precede any technological and budgetary decisions, and so far too little attention has been paid to this.

There are several types of e-commerce threats:

Penetration into the system from the outside.

Unauthorized access within the company.

Deliberate interception and reading of information.

Intentional disruption of data or networks.

Incorrect (for fraudulent purposes) user identification.

Hacking hardware and software protection.

Unauthorized user access from one network to another.

Virus attacks.

Denial of service.

Financial fraud.

To counter these threats, a number of methods based on various technologies are used, namely: encryption, which encodes data so that it cannot be read or altered undetected; digital signatures, which verify the identity of the sender and the integrity of the message; authentication technologies based on electronic keys (hardware tokens); firewalls; and virtual private networks (VPNs).

No method of protection is universal; for example, firewalls do not check for viruses and cannot ensure data integrity. There is no absolutely reliable way to resist the breaking of automated protection; it is only a matter of time before it is broken, but how long that takes depends on its quality. Software and hardware for protecting connections and applications on the Internet have been developed for a long time, although new technologies are being adopted somewhat unevenly.

What threats await a company conducting e-commerce at each stage:

Substitution of the web page of the electronic store server (redirection of requests to another server), making information about the client, especially about his credit cards, available to third parties;

Creation of false orders and various forms of fraud on the part of employees of an electronic store, for example, manipulation of databases (statistics show that more than half of computer incidents are associated with the activities of their own employees);

Interception of data transmitted over e-commerce networks;

Penetration of attackers into the company’s internal network and compromise of electronic store components;

Implementation of denial of service attacks and disruption of the functioning or disabling of an e-commerce node.

When such threats materialize, the company loses customer trust, loses revenue from potential and/or incomplete transactions, the operation of the electronic store is disrupted, and time, money and human resources are spent on restoring it.

Of course, the threats associated with the interception of information transmitted via the Internet are not limited to the e-commerce sector. Of particular importance in relation to the latter is the fact that its systems contain information of great economic importance: credit card numbers, account numbers, contents of contracts, etc.

  1. Securing e-commerce

Ensuring security is not only a necessary condition for successful electronic business, but also the foundation for trusting relationships between counterparties. The very essence of e-business involves active information exchange and transactions through an unprotected public network, which are simply impossible without trusting relationships between business entities. Therefore, ensuring security is complex, including tasks such as access to Web servers and Web applications, authentication and authorization of users, ensuring data integrity and confidentiality, implementation of electronic digital signatures, etc.

With the growing commercialization of the Internet, more and more attention is being paid to the protection of information transmitted over the network. Specialized protocols designed to organize secure interaction via the Internet (for example, SET, SOCKS5, SSL, SHTTP, etc.) have received wide recognition throughout the world and are successfully used by foreign developers to create Internet-based banking and trading electronic systems.

Abroad, the problem of information security of e-business is being addressed by an independent consortium - the Internet Security Task Force (ISTF) - a public organization consisting of representatives and experts of companies that supply information security tools, e-business and Internet service providers.

The ISTF identifies twelve areas of information security that should be the primary focus of e-business organizers, among them:

A mechanism for objective confirmation of identity information;

The right to personal, private information;

Detection of security events;

Protection of the corporate perimeter;

Detection of attacks;

Control of potentially dangerous content;

Access control;

Administration;

Response to events.

It is known that the use of electronic digital signature (EDS) algorithms allows one to reliably protect against many threats, but this is only true if these algorithms are woven into well-founded interaction protocols, a legally correct structure of relationships and a logically closed system of trust.

Information security here rests on the simple logic of computing a digital signature and verifying it with a pair of corresponding keys, although that logic is grounded in fundamental mathematical research. Only the owner of the private key can compute a signature, and anyone who holds the corresponding public key can verify it.

Of course, specialists in this field should be involved in ensuring information security, but heads of government bodies, enterprises and institutions, regardless of their form of ownership, who are responsible for the economic security of certain economic entities, must constantly keep these issues in their field of vision. For them, below are the main functional components of organizing a comprehensive information security system:

Communication protocols;

Cryptography tools;

Access control tools for workstations from public networks;

Antivirus complexes;

Attack detection and audit programs;

Tools for centralized management of user access control, as well as secure exchange of data packets and messages of any applications over open networks.

The Internet has long had a number of committees, mostly volunteer organizations, that carefully guide proposed technologies through the standardization process. These committees, which make up the bulk of the Internet Engineering Task Force (IETF), have standardized several important protocols, accelerating their adoption on the Internet.

Protocols such as the TCP/IP family for data communications, SMTP (Simple Mail Transfer Protocol) and POP (Post Office Protocol) for email, and SNMP (Simple Network Management Protocol) for network management are direct results of IETF efforts. The type of security product used depends on the needs of the company.

Secure data transmission protocols such as SSL, SET and IPv6 (with its IPsec support) are widely used on the Internet. These protocols appeared relatively recently, out of the need to protect valuable information, and quickly became de facto standards.

Unfortunately, in Russia there is still great caution about introducing the Internet into areas of activity related to the transfer, processing and storage of confidential information. This caution is explained not only by the conservatism of domestic financial structures, which are wary of the openness and accessibility of the Internet, but also, in part, by the fact that most information security software from Western manufacturers entered our market with export restrictions on the cryptographic algorithms implemented in it. For example, the export versions of WWW server and browser software from manufacturers such as Microsoft and Netscape Communications limited the key length of the symmetric and public-key algorithms used by the SSL protocol, which did not provide adequate protection when working on the Internet. (The US export restrictions in question were relaxed in 2000, so this concern applies to software of that era.)

However, e-commerce applications, in addition to internal threats, are also exposed to external threats coming from the Internet. Since it is impractical to assign a separate login ID to every anonymous visitor (this does not scale), companies need to use a different kind of authentication. In addition, servers must be prepared to withstand attacks. Finally, sensitive data such as credit card numbers must be handled with extreme care.

Data encryption

The business website processes sensitive information (such as consumer credit card numbers). Transmitting such information over the Internet without any protection can lead to irreparable consequences. Anyone can eavesdrop on the transmission and thus gain access to confidential information. Therefore, data must be encrypted and transmitted over a secure channel. To implement secure data transfer, the Secure Sockets Layer (SSL) protocol is used.

To implement this functionality, you must obtain a digital certificate and install it on your server(s). Certificates are issued by certificate authorities (CAs); well-known commercial CAs have included VeriSign, CyberTrust and GTE.

SSL sits beneath application protocols such as HTTP (called HTTPS when secured), FTP and NNTP. When SSL is used for data transfer:

Data is encrypted;

A secure connection is established between the client and the server;

Server authentication is performed (and, optionally, client authentication).

When a user submits a credit card number over SSL, the data is encrypted before it leaves the browser, so an eavesdropper cannot read it. SSL is independent of the application-layer protocol that runs over it.
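An added example (not from the original text, and not Netscape's or any vendor's code): a Python ssl configuration that actually delivers the three properties listed above, next to the weak configuration commonly seen in application code, plus a small audit function that reports which of those properties a given context fails. Function names and the cipher string are assumptions of this example; the fetch_peer_certificate helper needs network access and is included only to show how the hardened context is used.

```python
import socket
import ssl


def hardened_client_context():
    """TLS client settings an e-commerce server should use when calling a payment gateway or partner API."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # defaults: verify_mode=CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # refuse SSL 3.0 / TLS 1.0 / TLS 1.1
    ctx.load_default_certs()                        # trust the operating system's CA store
    # Forward-secret, authenticated-encryption suites only (this string governs TLS 1.2;
    # the TLS 1.3 suites are all AEAD already). Cipher choice is this example's assumption.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    ctx.options |= ssl.OP_NO_COMPRESSION            # CRIME-style attacks rely on TLS compression
    return ctx


def weak_client_context():
    """The 'it works now' configuration: no server authentication, so anyone on the path can impersonate the peer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                       # must be cleared before verify_mode may become CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE                  # certificate is not checked at all
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED   # accept whatever old version the library speaks
    return ctx


def audit_context(ctx):
    """Return a list of findings; an empty list means the context passes every check."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS below 1.2 allowed")
    weak = [c["name"] for c in ctx.get_ciphers() if not c["aead"] or c["strength_bits"] < 128]
    if weak:
        findings.append("non-AEAD or <128-bit cipher suites enabled: " + ", ".join(weak[:3]))
    return findings


def fetch_peer_certificate(host, port=443):
    """Usage illustration (needs network, not run here): a verified connection and the peer's certificate."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:   # server_hostname drives hostname checking and SNI
            return tls.version(), tls.cipher(), tls.getpeercert()


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()) or "no findings")
    print("weak:", audit_context(weak_client_context()))
```

Running the block prints no findings for the hardened context and at least three for the weak one. The audit function is the part worth keeping: pointing it at the contexts a storefront actually builds (or at the result of ssl.create_default_context() after local modifications) catches the "verify_mode = CERT_NONE" shortcut that silently turns encryption without authentication into encryption to whoever answers.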

Netscape's server software also provides authentication—certificates and digital signatures—certifying the user's identity and message integrity and ensuring that the message has not changed its route.

Authentication involves confirming the user's identity, and a digital signature is used to verify the authenticity of documents involved in information exchange and financial transactions. A digital signature is data attached to a document that allows any forgery or alteration of it to be detected.

Intrusion Detection

Intrusion Detection Systems (IDS) can identify patterns or traces of attacks, raise alarms to alert operators and instruct routers or firewalls to terminate connections from the sources of an intrusion. Some of these systems can also block attempts to cause a denial of service.
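An added example, not from the source text and not a real product's detection logic: a minimal signature- and threshold-based detector in Python run over constructed web-server log lines. The log lines, rule names and the three-failure threshold are assumptions for the demo; the point is the split between per-request pattern matching (SQL injection, path traversal, command injection in the URL) and stateful counting across requests (login brute force), with malformed lines skipped rather than crashing the detector.

```python
import re
import urllib.parse
from collections import Counter
from dataclasses import dataclass

# Constructed sample access log (combined log format); not taken from any real system.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /catalog?item=42 HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /catalog?item=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 0
198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /images/..%2f..%2f..%2fetc/passwd HTTP/1.1" 404 0
198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "POST /login HTTP/1.1" 401 0
198.51.100.9 - - [10/Oct/2023:13:56:03 +0000] "POST /login HTTP/1.1" 401 0
198.51.100.9 - - [10/Oct/2023:13:56:04 +0000] "POST /login HTTP/1.1" 401 0
198.51.100.9 - - [10/Oct/2023:13:56:05 +0000] "POST /login HTTP/1.1" 401 0
192.0.2.44 - - [10/Oct/2023:13:57:10 +0000] "POST /login HTTP/1.1" 200 128
this line is deliberately malformed and must be skipped, not crash the detector
"""

# ip ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Signature rules applied to the URL-decoded request path (rule names are this example's assumption).
SIGNATURES = {
    "sqli": re.compile(
        r"('\s*(or|and)\s*'?\d+'?\s*=\s*'?\d+)|(union\s+(all\s+)?select)|(;\s*drop\s+table)", re.I),
    # Second alternative catches double-encoded traversal, since the path is decoded only once below.
    "path_traversal": re.compile(r"(\.\./)|(%2e%2e%2f)", re.I),
    "cmd_injection": re.compile(r"[;|`]\s*(cat|ls|wget|curl|nc)\b", re.I),
}


@dataclass(frozen=True)
class Alert:
    rule: str
    ip: str
    detail: str


def parse_line(line):
    """Return a dict for a well-formed line, or None so the caller can skip garbage."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = urllib.parse.unquote(rec["path"])   # match on what the application will see
    return rec


def detect(lines, login_path="/login", fail_threshold=3):
    """Stateless signature matching per request plus stateful counting of failed logins per source IP."""
    alerts = []
    failed_logins = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                                  # malformed input is a logging problem, not a crash
        for name, pattern in SIGNATURES.items():
            if pattern.search(rec["path"]):
                alerts.append(Alert(name, rec["ip"], rec["path"]))
        if rec["path"].split("?")[0] == login_path and rec["status"] in (401, 403):
            failed_logins[rec["ip"]] += 1
            if failed_logins[rec["ip"]] == fail_threshold:   # alert once, when the threshold is first crossed
                alerts.append(Alert("login_bruteforce", rec["ip"],
                                    f"{fail_threshold} failed logins to {login_path}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(f"ALERT {alert.rule:16} src={alert.ip:14} {alert.detail}")
```

On the sample log this yields three alerts: the SQL injection probe, the traversal attempt and a brute-force alert on the third failed login from 198.51.100.9. The alerts are returned rather than only printed so the same function can feed a blocking action (the router or firewall step in the paragraph above) or a ticketing system; decoding the path once before matching is what lets the %27 and %2f encodings in the sample be recognised.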

Description of work

The purpose of this work is to study the concept of e-commerce and consider issues of information security of e-commerce.
Tasks:
- define e-commerce;
- consider its main elements, types, positive and negative aspects;
- consider the main types of threats and the main ways to ensure e-commerce security.

Information security of electronic commerce (EC)

The number of Internet users has reached several hundred million and a new quality has emerged in the form of a “virtual economy.” In it, purchases are made through shopping sites, using new business models, their own marketing strategy, etc.

Electronic commerce (EC) is a business activity for selling goods via the Internet. As a rule, there are two forms of EC:

* trade between enterprises (business to business, B2B);

* trade between enterprises and individuals, i.e. consumers (business to consumer, B2C).

EC has given rise to such new concepts as:

* Electronic store - a storefront and trading system used by manufacturers or dealers to sell goods for which there is demand.

* Electronic catalog – with a large assortment of products from various manufacturers.

* An electronic auction is an analogue of a classic auction using Internet technologies, with a characteristic connection to a multimedia interface, an Internet access channel and display of product features.

* An electronic department store is an analogue of a regular department store, where ordinary companies display their goods, with an effective product brand (Gostiny Dvor, GUM, etc.).

* Virtual communities, in which buyers are organized by interest groups (fan clubs, associations, etc.).

Internet in the field of EC brings significant benefits:

* savings for large private companies from transferring purchases of raw materials and components to Internet exchanges reaches 25 - 30%;

* participation of competing suppliers from around the world in real-time auctions drives down the prices they quote for the supply of goods or services;

* higher prices for goods or services as a result of competition among buyers from all over the world;

* savings by reducing the number of required employees and the volume of paperwork.

The dominant position in EC in Western countries has been taken by the B2B sector, which by 2007, according to various estimates, was expected to reach 3 to 6 trillion dollars. The first to benefit from moving their business to the Internet were companies selling hardware and software and providing computer and telecommunications services.

Each online store includes two main components: an electronic storefront and a trading system.

The electronic storefront contains information about the goods sold on the Web site, provides access to the store database, registers customers, works with the buyer’s electronic “basket,” places orders, collects marketing information, and transmits information to the trading system.

The trading system delivers the goods and processes payment for them. A trading system is a collection of stores owned by different companies that rent space on a Web server owned by a separate company.

An online store operates as follows:

The buyer selects the desired product on the electronic storefront (a Web site with a catalog of goods and prices) and fills out a form with personal data (full name, postal and email addresses, preferred method of delivery and payment). If payment is made via the Internet, special attention is paid to information security.

The completed order is passed to the trading system of the online store, where it is processed. The trading system may operate manually or automatically. A manual system works on the mail-order ("Posyltorg") principle and is used when it is not feasible to purchase and set up an automated system, as a rule when the volume of goods is small.

Delivery and payment of goods. Delivery of goods to the buyer is carried out in one of the following ways:

* store courier within the city and surrounding areas;

* specialized courier service (including from abroad);

* pick-up by the buyer;

* delivery via telecommunications networks for such a specific product as information.

Payment for goods can be made in the following ways:

* preliminary or at the time of receipt of the goods;

* cash to the courier or when visiting a real store;

* by postal transfer;

* Bank transaction;

* cash on delivery;

* using credit cards (VISA, MasterCard, etc.);

* through the electronic payment systems of individual commercial banks (TELEBANK, ASSIST, etc.).

Recently, e-commerce, or trade via the Internet, has been developing quite rapidly around the world. Naturally, this process takes place with the direct participation of financial institutions, and this method of trading is becoming increasingly popular, at least where the new electronic market is accessible to a large part of businesses and the population.

Commercial activities on electronic networks remove some physical restrictions. Companies connecting their computer systems to the Internet are able to provide customers with support 24 hours a day, without holidays or weekends. Orders for products can be accepted at any time from anywhere.

However, this “coin” has its other side. Abroad, where e-commerce is most widely developed, transactions or the cost of goods are often limited to $300-400. This is due to the insufficient solution to information security problems in computer networks. According to the UN Committee on Crime Prevention and Control, computer crime has reached the level of one of the international problems. In the United States, this type of criminal activity ranks third in terms of profitability after arms and drug trafficking.

The volume of global e-commerce turnover via the Internet in 2006, according to forecasts by Forrester Tech., could range from 1.8 to 2 trillion dollars. Such a wide forecast range is determined by the problem of ensuring the economic security of e-commerce. If security remains at its current level, global e-commerce turnover may be even smaller. It follows that the low security of e-commerce systems is a limiting factor in the development of e-business.

Solving the problem of ensuring the economic security of e-commerce is primarily associated with solving the issues of protecting information technologies used in it, that is, ensuring information security.

The integration of business processes into the Internet environment leads to a fundamental change in the security situation. Creating rights and obligations on the basis of an electronic document requires comprehensive protection of both the sender of the document and its recipient from the entire range of threats. Unfortunately, managers of e-commerce enterprises usually become properly aware of the seriousness of information threats and of the importance of protecting their resources only after those resources have been attacked. As can be seen, all of the listed obstacles fall within the field of information security.

The basic requirements for conducting commercial transactions include confidentiality, integrity, authentication, authorization, guarantees and secrecy.

In achieving information security, ensuring availability, confidentiality, integrity and legal significance are the basic tasks. Each threat must be considered in terms of how it might affect these four properties of protected information.

Confidentiality means that restricted information should be accessible only to those for whom it is intended. Integrity of information is understood as its property of existing in an undistorted form. Availability of information is determined by the system's ability to provide timely, unimpeded access to information to subjects who have the appropriate authority. Legal significance of information has become important recently, along with the creation of a regulatory framework for information security in our country.

If the first four requirements can be met by technical means, then the fulfillment of the last two depends on both technical means and the responsibility of individuals and organizations, as well as on compliance with laws that protect consumers from possible fraud by sellers.

As part of ensuring comprehensive information security, it is first necessary to identify the key problems in the field of electronic business security, which include:

* protection of information during its transmission over communication channels;

* protection of computer systems, databases and electronic document management;

* ensuring long-term storage of information in electronic form;

* ensuring transaction security, confidentiality of commercial information, authentication, intellectual property protection, etc.


What threats await a company conducting e-commerce at each stage:

* substitution of the web page of the electronic store server (redirection of requests to another server), making information about the client, especially about his credit cards, available to third parties;

* creation of false orders and various forms of fraud on the part of employees of an electronic store, for example, manipulation of databases (statistics show that more than half of computer incidents are related to the activities of their own employees);

* interception of data transmitted over e-commerce networks;

* penetration of attackers into the company's internal network and compromise of electronic store components;