Security Risk Management of E-commerce Systems

Turvariski juhtimine mängib iga süsteemi väljatöötamisel olulist rolli ja see kehtib ka elektrooniliste kaubandussüsteemide kohta. Kuna paljud inimesed kasutavad neid teenuseid, võivad nad kokku puutuda ebaadekvaatsete turvameetmetega ja see on kahjulik nii äritegevusele kui klientidele. Antud lõputöö toob uurimistöö tulemusena välja elektrooniliste kaubandussüsteemide toiminguid, mis on suunatud turvariskide vähendamisele, uurides ja analüüsides Webshop poodi.Antud meetod vaatleb turvariski juhtimise strateegiate hindamist, olles selle eriala ekspertide poolt heaks kiidetud ning ei käsitle mitte ainult elektrooniliste kaubandussüsteemide potentsiaalsete ohtude määratlemist, vaid tagab ka turvariski juhtimise struktureeritud kulgemise. Turvariski juhtimise protsess on esitatud sellisel kujul, et ta on asjakohastele elektrooniliste kaubandussüsteemide osanikele arusaadav.Security risk management is a vital part of any system development including e-commerce systems. As many people rely on these e-services, its inadequate security measures can be experienced, causing great losses to both businesses and customers. This thesis research work proposes a procedure that targets e-commerce system security and suggests the application of a threat-driven approach to security risk management by analysing an e-commerce system Webshop as a case study.This approach provides a useful assessment of the security risk management procedure that is validated by experts in the field. It not only identifies evolving threats to e-commerce systems but allows for a structured flow in security risk management. The risk management process is documented and reported in such a way that is easily understandable by concerned stakeholders of the e-commerce system

Dynamics, robustness and fragility of trust

Trust is often conveyed through delegation, or through recommendation. This makes the trust authorities, who process and publish trust recommendations, into an attractive target for attacks and spoofing. In some recent empiric studies, this was shown to lead to a remarkable phenomenon of *adverse selection*: a greater percentage of unreliable or malicious web merchants were found among those with certain types of trust certificates, then among those without. While such findings can be attributed to a lack of diligence in trust authorities, or even to conflicts of interest, our analysis of trust dynamics suggests that public trust networks would probably remain vulnerable even if trust authorities were perfectly diligent. The reason is that the process of trust building, if trust is not breached too often, naturally leads to power-law distributions: the rich get richer, the trusted attract more trust. The evolutionary processes with such distributions, ubiquitous in nature, are known to be robust with respect to random failures, but vulnerable to adaptive attacks. We recommend some ways to decrease the vulnerability of trust building, and suggest some ideas for exploration.Comment: 17 pages; simplified the statement and the proof of the main theorem; FAST 200

Analysis of Security Vulnerabilities in Web Applications using Threat Modeling

Software security issues have been a major concern to the cyberspace community; therefore, a great deal of research on security testing has been performed, and various security testing techniques have been developed. A security process that is integrated into the application development cycle is required for creating a secure system. A part of this process is to create a threat profile for an application. The present project explains this process as a case study for analyzing a web application using Threat Modeling. This analysis can be used in the security testing approach that derives test cases from design level artifacts

Blockchain-based reputation models for e-commerce: a systematic literature review

The Digital Age is the present, and nobody can deny that. With it has come a digital transformation in various sectors of activity, and e-commerce is no exception. Over the last few decades, there has been a massive increase in its utilization rates, as it has several advantages over traditional commerce. At the same time, the rise in the number of crimes on the Internet and, consequently, the understanding of the risks involved in online shopping has led consumers to become more cautious, looking for information about the seller and taking it into account when making a purchase decision. The need to get to know the merchant better before making a purchase decision has encouraged the creation of reputation systems, whose services play an essential role in today's e-commerce context. Reputation systems act as mechanisms to reduce information asymmetry between consumers and sellers and establish rankings that attest to fulfilling standards and policies considered necessary for shops operating in the digital market. The critical problems in current reputation systems are the frauds and attacks that such systems currently have to deal with, which results in a lack of trust between users. These security and fraud issues are critical because users' trust is commonly based on reputation models, and many of these current systems are not immune to them, thus compromising e-commerce growth. The need for a better and safer model emerges with the development of e-commerce. Through reading the articles and pursuing the answers to the primary questions, blockchain is data register technology to be analysed in order to gain a better acknowledgment of the potential of such technology. More research work and investigation must be done to fully understand how to create a more assertive reputation model. Thus, this study systematizes the knowledge generated by reputation models in E-commerce studies in Scopus, WoS databases, and Google Scholar, using PRISMA methodology. A systematic approach was adopted in conducting a literature review. The need for a systematic literature review came from the knowledge that there are reputation systems that mitigate some of the problems. In addition to identifying some indicators used in reputation models, we also conclude that these models could help provide some insurance to buyers and sellers, with a commitment to being a problem solver, being able to mitigate known problems such as Collusion, Sybil attacks, laundering attacks, and preventing online fraud ranging from ballot stuffing and bad-mouthing. Nevertheless, the results of the present work demonstrate that even though these reputation models still cannot solve all of the problems, attacking one fraud opens the door to an attack. The architecture of the models was identified, with the realization that a few lacks that need to be fulfilled

Flow-based reputation: more than just ranking

The last years have seen a growing interest in collaborative systems like electronic marketplaces and P2P file sharing systems where people are intended to interact with other people. Those systems, however, are subject to security and operational risks because of their open and distributed nature. Reputation systems provide a mechanism to reduce such risks by building trust relationships among entities and identifying malicious entities. A popular reputation model is the so called flow-based model. Most existing reputation systems based on such a model provide only a ranking, without absolute reputation values; this makes it difficult to determine whether entities are actually trustworthy or untrustworthy. In addition, those systems ignore a significant part of the available information; as a consequence, reputation values may not be accurate. In this paper, we present a flow-based reputation metric that gives absolute values instead of merely a ranking. Our metric makes use of all the available information. We study, both analytically and numerically, the properties of the proposed metric and the effect of attacks on reputation values

Security Analysis of Mobile Payments: Direct Carrier Billing

Payments are a compensation for a product or a service received. The funds are transferred from one party (consumer) to another (merchant). Mobile payments are a particular form of electronic payment where a mobile device serves as the key instrument to initiate, authorize or complete a payment. The payment methods have been continuously changing to adjust to cashless trends. Seeking to reach a larger number of customers has promoted the development of different solutions to provide means of payment. With an increasing number of mobile subscribers, mobile solutions such as carrier billing, SMS-based payments, and mobile wallets are gaining importance, permeating different markets, such as public transportation, digital content, advertisements and charity. This thesis investigates and analyses mobile payment solutions. The main purpose is, primarily, to identify and describe the security protocols that occur during the payment transaction. Subsequently, to distinguish the mechanisms utilised to identify and authenticate consumers and the mechanisms providing integrity to the payment data. Additionally, to recognize the possible security threats overlooked during the design and deployment of payment solutions. The analysis and tests carried out showed opportunity areas for the service providers to improve the security level of their services. We found vulnerabilities that jeopardise the integrity and authenticity of transactions from the merchant and consumer sides. The major vulnerabilities found lead to conclude that despite the development of protocols and technologies to strengthen security, an appropriate analysis is required to design and develop secure solutions. Neglecting security requirements in exchange for simplicity could come at a high price for the parties involved in mobile payments, specially, in direct carrier billing