Information Security Threats to Network Based Information Systems

Sumeet Gupta (National University of Singapore, Singapore)
DOI: 10.4018/978-1-60566-014-1.ch093
While the Internet has opened a whole new world of opportunity for interaction and business by removing many trade barriers, it has also opened up new possibilities and means of criminal acts altogether unheard of in the off-line world. Why do people commit crimes online? Perhaps some of them attempt to gain unauthorised access to others' money. Some have fun doing so, and others do it to take revenge or to harm others. While the motivation for conducting criminal acts may be the same as in the off-line world, the manner of such criminal acts is unique to the Internet. The vulnerability of the information transmitted over the Internet is the root cause of the spread of criminal acts over the Internet. Both users and vendors become vulnerable to criminal acts that undermine security, because the Internet is easily accessible and its security loopholes are easily exploited. These criminal acts can adversely affect Internet users, particularly online vendors and customers. Therefore, it is important that Internet users not only become conversant with such criminal acts but also take suitable measures to counter them and avoid becoming victims. In this article we examine some of the major information security threats to Internet users, with particular emphasis on electronic commerce, and propose plausible solutions for a safer online experience. Information security threats can be categorised into threats to the users, threats to the vendors, and threats to both users and vendors. Electronic embezzlement, sniffing and spoofing, and denial-of-service attacks are examples of threats to the vendor. Credit card fraud and malicious code are examples of threats to the users. Cybervandalism and phishing are examples of threats to both users and vendors.
Cybervandalism is defined as an act of intentionally disrupting, defacing, or even destroying a site (Laudon & Traver, 2003). Hacking and cracking are two common forms of cybervandalism. Hacking is an act of unauthorised access to computer systems and information (Laudon & Traver, 2003). Hackers, in general, are computer aficionados excited by the challenge of breaking into corporate and government Web sites. There are three types of hackers, namely white hats, black hats, and grey hats. White hat hackers are good hackers and are employed by firms to locate and fix security flaws in their systems. Grey hat hackers are people who think that they are doing some greater good for society by exposing security flaws in systems. Black hat hackers are the ones with criminal intent. Also known as crackers, black hat hackers pose the greatest threat and act with the intention of causing harm. Sometimes such hackers are merely satisfied by breaking into the files of a Web site. However, some of them have the more malicious intention of committing cybervandalism by intentionally disrupting, defacing, or even destroying the site.

Hacking is widely prevalent in the cyber industry. Recently, the publication of cartoons of Prophet Mohammed in a Danish newspaper angered hackers, who then defaced the homepages of hundreds of Danish Web sites on a single Saturday (Reddy, 2006). Hacking of the Mac platform is also quite common (Patricks, 2006). Once an intruder gets into a system, the intruder is able to cause great damage to the network and its enterprise, making the loss of millions of dollars in a split second a real possibility. One such example is that of Network Associates, an Internet security firm whose Web sites were recently defaced by hackers. The intruders spattered cyber-graffiti over the Brazilian-based Web sites. They gained access to the Web sites by hacking the company's host Internet service provider (ISP). Luckily, none of the company's systems or information were damaged.

In e-commerce, information security and privacy are the two major concerns that deter a customer from engaging in online transactions (Hoffman, Novak, & Peralta, 1999). Currently, most sites that require user login rely on password protection. However, passwords have many disadvantages (Conway & Koehler, 2000). They are generally chosen poorly, managed carelessly, and often forgotten. This definitely aids hackers, who exploit these shortcomings of users to break into accounts.

Key Terms in this Chapter

Confidentiality: Refers to the ability to ensure that messages and data are available only to those who are authorised to view them.

SSL: Secure sockets layer certificate. A protocol developed by Netscape for transmitting private documents via the Internet.

NIDS: Network intrusion detection systems. An independent platform which identifies intrusions by examining network traffic and monitors multiple hosts.

Nonrepudiation: Refers to the ability to ensure that e-commerce participants do not deny (i.e., repudiate) their online actions. For example, the availability of free e-mail accounts makes it easy for a person to post comments or send a message and perhaps later deny doing so.

PAYPAL: An e-commerce business allowing payments and money transfers to be made through the Internet.

ISP: Internet service provider. A business or organisation that provides consumers with access to the Internet and related services.

HIDS: Host based intrusion detection system. HIDS consists of an agent on a host which identifies intrusions by analysing system calls, application logs, file-system modifications (binaries, password files, capability/acl databases), and other host activities and state.

IDS: Intrusion detection system. Generally detects unwanted manipulations to computer systems, mainly through the Internet. The manipulations may take the form of attacks by skilled malicious hackers, or script kiddies using automated tools.

SET: Secure electronic transaction standard. A standard that enables secure credit card transactions on the Internet.