Literature Review on E-Commerce Security Risk Reduction

The purpose of this research study is to collect empirical studies and information regarding the use of security in E-commerce, and the failures that have led to innovation and the continued need for improvements within the security industry. The participants in this research literature review were various businesses from various industries within the industrial cities across the United States of America to show incentives for implementation of security features. Cyber criminals never stop working. They are always working on new ways and methods to carry out their attacks. As a result, the security measures for online retailers and merchants in various e-commerce platforms should be an ongoing process. Online providers of payments as well as various other related services should ensure that both old and new merchants are properly updated with respect to the highly dynamic online security environment. Ideally, there should be close focus on cyber crime trends so that all the stakeholders facilitating the various forms of online retailing services get timely awareness and protection against every new technique by cyber criminals. This literature review reflects upon the major determiners of insecurity in e-commerce, highlighting the scope as well as the findings from the investigation of the current nature and level of cyber crime. The literature review also features some recommendations, referring to the conclusions drawn from the failures of past systems and the lessons learned from such occurrences.

E-Commerce Security Risk Reduction

The purpose of this literature review is to collect information about current e-commerce security programs and recommend improvements for future implementation and use. This literature review seeks to explain ways to improve e-commerce security to improve customer trust. As globalization has created new opportunities for businesses to expand and grow, so has the need to increase security among the most common of applications used in the modern day world: the internet. In this day and age and with the evolution of technology, most companies are beginning to expand their products and services through offering clients e-commerce. E-commerce has allowed for ideas, people, and enterprises to spread and grow exponentially in the last decade, but with that growth has come new and unforeseen security risks in the business sector. By offering goods online, through the World Wide Web, businesses are able to increase their sales, revenue, and subsequently, profits; however, although the idea of e-commerce may be attractive, there needs to be many safeguards in place for e-commerce to be an asset and not a detriment to a business’s sustainability. After all, customer care is one of the main objectives for businesses performing their own internal SWOT analysis, which analyzes strengths, weaknesses, opportunities, and threats. In other words, although businesses that provide e-commerce could be providing their customers with services more efficiently, the lack of security could not only put the business transaction at risk, but the lack of safety measures could put the clients’ private information at risk for identity theft, among other dangers. User privacy is, and will remain, one of the mandatory features in e-commerce in the modern day world, and focusing on it is in the best interest of all businesses ethically as well as legally.
As businesses expand, and as new business transaction methods arise, e-commerce security risks should be the main focus of companies vying to attain customer confidence.

Most times, the proprietors of many e-commerce businesses make an error by assuming that the financial liability occurring as a result of cyber crime and fraud falls on the provider of the merchant account (Ward, 2010). Additionally, they fail to realize that according to the provisions of the industry, most merchants are only responsible for just confirming the identities of the online transaction initiators. In most online retail business transactions, card network, address verification, and verification of card code are the only measures applied in ascertaining a transaction’s legitimacy (PGP Corporation, 2015). In light of the above, it is crucial for online retailers and shoppers to be aware that cyber crime in terms of payment fraud happens almost every day and using the above means to authenticate the use of a card is not sufficient enough to guarantee that the holder is the genuine owner or holder of the card.

Methodology

This literature review introduces the history of hacking and how past mistakes can also become part of the solution to prevent future cyber-attacks on e-commerce security programs. Hackers and internet “phishing” are not uncommon terms in the modern day world, as technology has proliferated globally. Jake Rocheleu (2012), a contributor to the internet security blog HongKiat, explains that “…[M]ost companies especially big brands have setup their own e-commerce sites with several payment options offered for secure online shopping and transaction. However, what we heard almost every day is transaction security issue like phishing scam happening all around the world.” Businesses of all kinds, from all industries, have experienced e-commerce security risks with results that have ranged from the estrangement of customers and clients to complete destruction of the companies. In fact, hacking has become an industry unto itself, from getting into e-mails to retrieving personal information of private citizens. The internet is, after all, man-made, and thus, it has flaws. Although flaws exist, there are various ways to ensure customer security, which is to deal with hacker programs and hackers themselves.

As a part of the methodology, the background of the issues with cyber security in e-commerce will be understood through first understanding how viruses within computer programs began.  The first computer virus was created in 1982, which was the first time an individual gained entry into programs that he was not authorized access to originally—otherwise known as “hacking.”  According to Forbes Magazine contributor, Gordon Kelly (2014), the creation of this virus has led to many forms of computer worms, Trojan horses, and other variations of viruses over the past few decades.  For example:

In 1982 Skrenta coded what he called “Elk Cloner,” [for Apple Corporation] a virus that spread via floppy disks in the days before computers had hard drives, or for that matter, any security measures. The virus infected thousands of machines, but was harmless: It merely displayed a poem across the user’s screen. An excerpt: “It will get on all your disks/it will infiltrate your chips/Yes, it’s Cloner!” (Kelly, 2014)

From that one virus, Leap-A was created by Apple Corporation—also just conceptually checking to see if viruses could, indeed, jump computer to computer (albeit, it did not steal any information and was simply created to observe how worms worked).  Charlie Miller then showed the world how the iPhone could be compromised in 2007, and Apple took notice and fixed the issue soon thereafter (Kelly, 2014). Other hackers have since created programs through coding which has gained world attention to the security risks in applications they once trusted:

“Six months after Charlie Miller first hacked the iPhone, he won the Pwn2Own competition at the CanSecWest security conference in Vancouver by hacking the just-released MacBook Air in two minutes. (Finding the vulnerability in Safari that he used and writing an exploit, of course, took many hours more of preparation.) Miller went on to hack MacBooks at the Pwn2Own competition for the next two years, cementing his reputation as the world’s leading Mac hacker.” (Kelly, 2014)

Recently in the news, there have been many instances of hackers getting into companies’ systems and attaining private client information that has shocked the world. For example:

“Most troubling is the database was compromised between late February and early March and was not detected until two weeks ago. The hackers gained access to information including eBay customers’ names, their encrypted passwords, email, registered addresses, phone numbers and date of birth” (Kelly, 2014).

Therefore, even a large company such as eBay, which uses PayPal as its main form of payment transaction, was compromised by hackers. Although eBay promised customers that it kept sensitive information on a separate database, it was true that the hackers gained access to many eBay customers’ accounts, which led to purchases made. Ultimately, hacking has become its own industry, with key players and celebrities just as technology has made Silicon Valley famous. Although applications, programs, and cyber security have increased for many companies, as new programs are created, there will always be ways for hackers to get in. Although hacking has become a nefarious word in the modern day business world due to the damage to companies’ reputations, hackers can also become part of the solutions that could keep harmful intruders out.

Results

The use of cyber attacks can be considered more than simply an attack on businesses and individuals, but it could be understood to be an attack on entire communities and local/ federal economies—thereby making cyber attacks synonymous with terrorism against nations.  According to political science researchers, Alotaibi and Bach (2013), one of the best ways to prevent the use of cyber-terrorism is to train the users—much like training armies against outside threats, to defend themselves.  In this theory, education is the greatest defense against attacks online.  According to the writers, “hyperlinks, navigation bars and sitemaps provide flexible features by allowing user to browse in a non-linear fashion and the ability to jump to different parts of the website without back tracking,” this can also be a feasible way to lower instances of users of websites to focus on their shopping needs instead of toggling between various sites that might pop up during a site visit.  In other words, using the backspace button can create an open space for hackers to infiltrate systems, which websites could avoid by using simple tricks of the trade such as direct links to next features in e-commerce shopping for users.

Along with the new innovations in technology, cyber security hackers have been coming up with new and nefarious ways to attack programs and businesses that cannot be kept up with by traditional security measures due to the way hackers are gaining access. According to researcher Sampemane (2014), internal access controls may be the first defense against future attacks from hackers in cyber security, but these systems are difficult to produce because passwords, a necessary feature of authentication and security, can be the most vulnerable if users are not aware of the vulnerabilities associated with them. For example: Keyboard loggers and malware on personal machines can thus be the path to attack enterprise systems. These devices can be used to infiltrate data, deliberately or accidentally. Even when users are restricted to using corporate-owned and managed devices for work, they still tend to re-use passwords on different systems, and this can provide a vector of attack (Sampemane, 2014, p. 63). Passwords, that are meant to protect users from cyber attacks, are actually one of the most common ways that hackers break into systems. When users use the same password on many different servers, this creates an obvious trend in codes that hackers recognize. Passwords, therefore, should be changed often and for different programs that may be used in e-commerce. For example: “Improved authentication systems, such as having a second factor or one-time passwords, help some, but the vast majority of systems do not use those yet” (Sampemane, 2014, p. 63). There are solutions, but the current systems that use cyber security measures are not ready to accommodate various passwords for various users.

It is upon every online retailer or business operator in every e-commerce platform to ensure that security management strategies feature in the operations of the business organization on a daily basis. Even without a paid cyber crime expert, it is possible for every e-commerce business organization to establish and undertake effective steps that can efficiently apply in the minimization of online transaction risks. The application of advanced cyber crime management services provides affordable, fast, and flexible fast hand risk insurance. The above helps even the smallest retailers to effectively integrate real-time and sophisticated risk assessment practices necessary for the risk free practices.

Scope of the Problem

Every business organization that deals with the storage of various aspects of personal data including the card information of customers has a tremendous responsibility towards ensuring the security and confidentiality of such information. Ideally, the above consideration is vital not only in online retailing but also in the normal brick-and-mortar business organizations. Many people would wonder why the security of consumers’ data is that important. Well, in the presence of a security breach, claims of information breach made towards the business organizations from the customers are at times very big and thus jeopardize the profitability of the business at such times. Additionally, the online business as a whole suffers a huge blow (PGP Corporation 2015). The rationale for the above finds its basis upon the fact that data breaches result in very negative and unwanted publicity that could easily damage the business organization’s brand and public image.

There are currently many theories that could help to identify systems and e-commerce sites that may be most at risk. Through using mathematical deductions, the businesses and products most at risk can be safeguarded against cyber attacks, thereby limiting the amount of payoff these hackers can incur. This might just lower the instances of hacking altogether, yet another possible solution to the current problems being encountered. According to economist Herley (2014), in order to decrease instances of cyber attacks, industries should begin to think like a hacker. For instance: “… [t]he attacker must then do three things: decide who and what to attack, successfully attack, or get access to a resource, and monetize that access” (Herley, 2014, p. 65). Furthermore, economists have begun to use math as a way to estimate what hackers will target next. For instance:

A particular target is clearly not worthwhile if gain minus cost is not positive: $G - C > 0$. Thus, when attacks are financially motivated, the average gain for each attacker, $E\{G\}$, must be greater than the cost, $C$:

$$E\{G\} - C > 0. \tag{1}$$

$C$ must include all costs, including that of finding viable victims and of monetizing access to whatever resources [he or she] targets. The gain must be averaged across all attacks, not only the successful ones. If either $E\{G\} \to \infty$ or $C = 0$, then equation (1) represents no constraint at all. (Herley, 2014, p. 65).

Therefore, there are currently theories that help judge where hackers will strike next, and the calculations are simple enough: where there is the most profit, businesses should safeguard the most.

In addition to the application of the above calculations, online retailers have obligations to implement some basic security standards including the following (Ward, 2010):

  • Deploying a sophisticated combination of encryptions and tokens so as to protect the personal data of the online shoppers from ending up in the hands of cyber criminals.
  • Ensuring that all employees facilitating the online transactions, especially those involving card-not-present techniques, are aware of all the associated risks.
  • Enabling vital proactive risk and security measures. The above helps the e-commerce merchants to easily and effectively detect cases of intended or executed cyber crimes. The configuration of strategic cyber crime logic in the early stages of structuring the e-commerce business helps in reducing or avoiding cyber crimes in the future.
  • Participating in webinars, forums and other networking is also advisable since it fosters networking with other online merchants creating the ability to share on how best to combat cyber crime from a common point of view.

Contemporary World Security Risk Issues

Security Issues on New E-Payment Methods

As technological advancement continues to tremendously change and give a new image in almost every industrial sector, the payment methods for online shopping and transactions continue to come up every day. The arising of every new payment method comes from various software as well as hardware technology. The essence of technological advancement is making it easy for the consumers to access and receive various services in their day to day transactions. In the beginning, the only e-payment methods available for online transactions were credit cards and direct bank wire transfers. Most of the times, the above methods failed to meet the customers’ standards due to their inconveniencing nature with respect to the fact that they require the user to fill a lot of personal documents. In light of the above, other convenient methods had to be introduced.

The new online payments methods include online wallets and virtual coins. The concept behind online wallets involves having an account with the company that offers the wallet services. Once a customer has a wallet, they use various methods to load funds to it. Once the customers have some monetary balance in their online wallets, they have the ability to carry out online transactions with everybody who accepts payments from their online wallets (Purewal 2015). On the other hand, instead of using national currencies such as dollars, pounds or shillings, some of the online wallets use virtual currencies. The rationale behind the use of virtual coins finds its basis upon the fact that it is possible to use such a payment method irrespective of the difference in the origins of either party in an online transaction. Good examples of each of the above new e-payment methods include Google Wallet and Bitcoin.

The security issue with respect to the above comes in terms of how the transactions involving the above payment methods happen. With respect to the current technological advancement, it is possible to access the services of Google Wallet, Bitcoin, as well as other virtual coin wallets right from the comfort of a Smartphone. Apparently, the Smartphone software developers have come up with the respective apps for the above products for use by Smartphone users. The technique integrated in the above technology uses Near Field Communication (NFC), which effectively converts a Smartphone into a bank or a credit card. With the NFC technology in various mobile phone devices, the convenience of online transactions increases in a great way. However, the above technological advancement, as reported by Google, faces a significant risk (Purewal 2015).

According to Google News, the NFC technology is very convenient but is prone to easy compromise due to the ability to apply brute force hacking techniques on Smartphones. According to a renowned security firm, Zvelo, the use of the NFC technique on Smartphones for virtual coin wallets as well as Google Wallet requires the users to enter a PIN to confirm the purchase transactions made from their phones. The company highlights the fact that the above technique is subject to hacking through exhaustive numerical search cracking. Such cracking would enable cyber criminals to use every Google Wallet or virtual wallet enabled Smartphone to carry out online purchase transactions. It is therefore important for the virtual wallet companies as well as the Smartphone manufacturers to come up with the most suitable model to combat this insecurity issue in the NFC technology. A good way to increase the security of the above payment techniques is to move the PIN verification into the Secure Device (SD), or the chip facilitating the NFC. The rationale for the above finds its basis upon the fact that the PIN security protocol will be a responsibility of the money wallet or banks, and not Google or the Smartphone. The above means that even if cyber criminals brute force a way into a phone, they will not have it easy accessing the financial data stored there (Purewal 2015).
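The following added example (not code from the reviewed sources or from any wallet vendor) models why moving the PIN check into the chip matters: a verifier that owns its own retry counter caps an exhaustive search at a few guesses. The class name, the four-digit PIN, the three-try limit and the PBKDF2 parameters are all assumptions made for illustration.

```python
import hashlib
import hmac
import os


class ChipPinVerifier:
    """Toy model of a PIN check that runs inside the NFC chip (hypothetical)."""

    MAX_TRIES = 3  # assumed limit; real products choose their own

    def __init__(self, pin: str):
        self._salt = os.urandom(16)
        self._digest = self._derive(pin)
        self._tries_left = self.MAX_TRIES

    def _derive(self, pin: str) -> bytes:
        # Salted, iterated hash so the stored value is not the PIN itself.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 10_000)

    @property
    def locked(self) -> bool:
        return self._tries_left == 0

    def verify(self, guess: str) -> bool:
        if self.locked:
            return False
        # Spend the attempt before comparing, so an interrupted check
        # (for example, power removed mid-compare) still costs a try.
        self._tries_left -= 1
        ok = hmac.compare_digest(self._derive(guess), self._digest)
        if ok:
            self._tries_left = self.MAX_TRIES  # reset after a correct PIN
        return ok


def simulate_guessing(verifier: ChipPinVerifier, digits: int = 4) -> dict:
    """Feed every numeric candidate to the verifier and report the outcome."""
    evaluated = 0
    for n in range(10 ** digits):
        if verifier.locked:
            break
        evaluated += 1
        if verifier.verify(f"{n:0{digits}d}"):
            return {"found": True, "evaluated": evaluated,
                    "locked": verifier.locked}
    return {"found": False, "evaluated": evaluated, "locked": verifier.locked}


def guess_success_bound(max_tries: int, digits: int) -> float:
    """Upper bound on a blind guesser's success chance against the counter."""
    return min(1.0, max_tries / 10 ** digits)


if __name__ == "__main__":
    chip = ChipPinVerifier("7291")  # constructed sample PIN
    print(simulate_guessing(chip))
    print(guess_success_bound(ChipPinVerifier.MAX_TRIES, 4))
```

Without the counter, the same loop would reach any four-digit PIN within 10,000 checks, which is the exhaustive numerical search the paragraph describes.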

Issues of Hackers Attacking Big Companies

The menace of cyber criminals is not limited to small scale operations only. With the current technological advancements, the cyber criminals have a lot of technological resources to carry out massive hacking operations even to large companies. Successful attack on big companies is one objective of today’s hackers. There is a lot of lucrative information the cyber criminals get from the big companies. However, the companies are subject to tremendous consequences at both the internal and the external levels of operations. To illustrate the above, Sony Pictures Entertainment serves as a good example.

The entertainment company suffered severe cyber attacks in the year 2014 (RBS 2015). The attacks on the company led to the disclosure of critical information such as technical documents, yet to be released movies, personnel records, as well as a lot of other relatively private material. The attack of Sony involved the crippling of the company’s internal network system of computers. According to the reports from the analysis of the attack, the nature of Sony’s attack had a very high similarity to the 2013 attack on other South Korean companies as well as various government servers. Regardless of the identity of the hackers behind Sony or the other Korean companies, the main motivation for cyber criminals attacking big companies is financial data as well as other significantly monetarily valuable data.

The consequences of cyber attacks on big companies are quite tremendous. Such big companies survive majorly upon the dependence on trust from their key stakeholders. Once the stakeholders lose trust, they cease or reduce their involvement with the big companies (RBS 2015). The key stakeholders include customers, investors, and government agencies. The reduction of support from such stakeholders causes negative growth for the companies. Insecurity is one key thing that causes negative opinion among stakeholders. Apparently, the largest effect of negativity among stakeholders is a financial downtrend. The above is easily illustrated by the stock market performance of the victim companies. The figure below shows how the stock price of Sony shares plunged after the cyber attack in 2014.

Figure: Sony stock price plunge after the 2014 attack (RBS 2015)

Recommendations on Security Issues

It is suggested that businesses and governments (local, state, and federal) view all threats in the form of cyber attacks as terrorism activities attempting to not only rob industries and companies but also a nation.  Recommendations include addressing the lack of HTML coding that could create greater password abilities of users.  Theories that address the mathematical understandings of profits and gains versus work put in could help to decrease hacking due to the amount of work it would then take to plan, carry out, and implement a hack.  Increased punishments of offenders by creating greater regulations in e-commerce could also help to deter criminals.  Financial and other incentives for hackers to join federal networks and assist federal, state, and local officers and/ or businesses to safeguard systems could also help mitigate the problem.

With the current level of technological advancement, online retailers and online merchants alike have the ability and opportunity to implement optimal cyber crime management procedures by utilizing a couple of the functions stipulated below (Ward, 2010):

  • One way is through the incorporation of a system of automated transaction risk scoring techniques. The above consists of the setting up of specific logics applied in the pursuit of distinguishing normal online transaction behaviors from risky cyber crime related behavior. The cyber crime risk in the above case follows a calculation which finds its basis on multiple relevant security data factors. The scores are calibrated in scale that gives an indication of the level of risk – expected or executed.
  • The other technique involves the use of real-time categorizing and resolution. The provisions of this technique involve the use of a scores measure, just like the method above. With respect to the solution provider of the cyber crime, this technique applies a categorization which calls for the application of manual efforts for the purpose of synchronizing the settlement, authorization, as well as the fulfillment procedures.
  • Additionally, the control of cyber crime greatly thrives under effective implementation of optimal post transaction management practices. The above calls for features such as an integrated interface for previewing and reviewing all kinds of transactions happening in the online retail business across all e-commerce platforms. By including a user friendly interface, the users have access to various features and tools that assist the online merchants to understand the original resolutions of every transaction, as well as following up important activities such as performance analysis and the expected reporting. It is necessary for the managers of the various online retail and e-commerce platforms to recognize that the lifecycle of cyber crime does not have a definite start or end. In the pursuit of handling cyber crimes in the best way possible, online merchants require databases containing vital records applicable in the follow-up of transaction trends over certain periods of time.
  • Rearranging outdated parameters and cyber crime rules also applies as a way of avoiding the pitfall where online merchants use their resources to configure cyber crime parameters but fail to ensure whether the parameters maintain their relevance as time elapses. Cyber crimes are known to evolve at very rapid rates. As a result, the detecting mechanisms require frequent updating as a measure of maintaining and upholding relevancy. The above means that the parameters for combating cybercrime have to change as often as the cyber crime techniques do.
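As an added illustration of the four functions listed above (not code from Ward, 2010, or from any payment provider), the sketch below scores transactions on several data factors, categorizes each score into accept, manual review or reject, keeps a record for post-transaction follow-up, and flags rules that have not been reviewed recently. Every rule, weight, threshold, field name and sample transaction is a constructed assumption.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable


@dataclass
class Rule:
    name: str
    points: int                      # contribution to the 0-100 risk score
    last_reviewed: date              # when the parameter was last re-checked
    fires: Callable[[dict], bool]


# Constructed rule set; weights and dates are illustrative only.
RULES = [
    Rule("avs_mismatch", 25, date(2015, 1, 10), lambda t: not t["avs_match"]),
    Rule("cvv_mismatch", 30, date(2015, 1, 10), lambda t: not t["cvv_match"]),
    Rule("ship_bill_country_differs", 15, date(2014, 2, 1),
         lambda t: t["ship_country"] != t["bill_country"]),
    Rule("card_velocity", 20, date(2015, 3, 5),
         lambda t: t["card_tx_last_hour"] >= 3),
    Rule("amount_spike", 10, date(2013, 11, 20),
         lambda t: t["amount"] > 5 * t["customer_avg_amount"]),
]

REVIEW_AT, REJECT_AT = 30, 60        # assumed category thresholds
AS_OF = date(2015, 5, 5)             # fixed "today" so the example is repeatable


def score(tx: dict, rules=RULES):
    """Return (score capped at 100, names of the rules that fired)."""
    fired = [r for r in rules if r.fires(tx)]
    return min(100, sum(r.points for r in fired)), [r.name for r in fired]


def categorize(total: int) -> str:
    """Map a score to the real-time decision category."""
    if total >= REJECT_AT:
        return "reject"
    return "manual_review" if total >= REVIEW_AT else "accept"


def triage(transactions, rules=RULES):
    """Score each transaction and keep a record for post-transaction review."""
    records = []
    for tx in transactions:
        total, reasons = score(tx, rules)
        records.append({"id": tx["id"], "score": total, "reasons": reasons,
                        "decision": categorize(total)})
    return records


def stale_rules(rules, today=AS_OF, max_age_days=365):
    """Rules whose parameters have not been reviewed within max_age_days."""
    return [r.name for r in rules
            if (today - r.last_reviewed).days > max_age_days]


# Constructed sample transactions.
SAMPLE_TRANSACTIONS = [
    {"id": "t1", "avs_match": True, "cvv_match": True, "ship_country": "US",
     "bill_country": "US", "card_tx_last_hour": 0, "amount": 40.0,
     "customer_avg_amount": 50.0},
    {"id": "t2", "avs_match": False, "cvv_match": True, "ship_country": "CA",
     "bill_country": "US", "card_tx_last_hour": 1, "amount": 80.0,
     "customer_avg_amount": 50.0},
    {"id": "t3", "avs_match": True, "cvv_match": False, "ship_country": "US",
     "bill_country": "US", "card_tx_last_hour": 5, "amount": 900.0,
     "customer_avg_amount": 60.0},
]

if __name__ == "__main__":
    for rec in triage(SAMPLE_TRANSACTIONS):
        print(rec)
    print("rules due for review:", stale_rules(RULES))
```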

Finally, the best way to decrease cyber attacks is to educate the public and the consumer about the prevalence of attacks, and the lack of safeguards in place for many systems—not because of the lack of interest and care of businesses to help their consumers, but because viruses are born every day, making it difficult to keep up for most companies (including the federal government).

References

Alotaibi, B., & Bach, C. (2013). Perceived risk of information security and privacy in electronic commerce. International Journal of Advanced Research in Computer Science, 4(3). Retrieved 2015 Mar. 2 from http://eds.b.ebscohost.com.mutex.gmu.edu/ehost/pdfviewer/pdfviewer?vid=8&sid=6c9c22f0-1007-4748-8be3-f59c8ce9a6a1%40sessionmgr111&hid=103

Arnbak, A., Asghari, H., Van Eeten, M., Van Eijk, N. Security collapse in the HTTP market. Communications of the ACM, 57(10), 47-55. DOI: 10.1145/2660574

Herley, C. (2014). Security, cybercrime, and scale. Communications of the ACM, 57(9), 64-71. DOI: 10.1145/2654847

Kelly, G. (2014, May 21).  EBay suffers massive security breach, all users must change their passwords. Forbes Magazine.  Retrieved 2015 Feb 10 from http://www.forbes.com/sites/gordonkelly/2014/05/21/ebay-suffers-massive-security-breach-all-users-must-their-change-passwords/

PGP Corporation. (2015). Ponemon Study Shows the Cost of a Data Breach Continues to Increase. Prnewswire.com. Retrieved 30 April 2015, from http://www.prnewswire.com/news-releases/ponemon-study-shows-the-cost-of-a-data-breach-continues-to-increase-82585957.html

Purewal, S. (2015). UPDATE: Google Wallet Security Concerns Raised. TechHive. Retrieved 5 May 2015, from http://www.techhive.com/article/249599/google_wallet_security_concerns_raised.html

RBS. (2015). A Breakdown and Analysis of the December, 2014 Sony Hack. Riskbasedsecurity.com. Retrieved 5 May 2015, from https://www.riskbasedsecurity.com/2014/12/a-breakdown-and-analysis-of-the-december-2014-sony-hack/

Rocheleu, J. (2012).  Consumer guide to secure online transactions.  HongKiat.  Retrieved 2015 Feb 10 from http://www.hongkiat.com/blog/secure-online-transactions-consumer-guide/

Sam, M., Fazli, M., & Tahir, M. N. H. (2009). Website quality and consumer online purchase intention of air ticket. International Journal of Basic & Applied Sciences, 9(10).

Sampemane, G. (2014). Internal access controls. Communications of the ACM, 58(1), 62-65.

Ward, T. (2010). Strategies for Reducing the Risk of e-Commerce Fraud. Cleveland: First Data Corporation.

 
