E-Commere Security and Fraud
1. Consider how a hacker might trick people into giving him or her user IDs and passwords to their Amazon.com accounts. What are some of the ways that a hacker might accomplish this? What crimes can be performed with such information?
How?
* Social engineering (For example, instead of trying to find a software vulnerability, a social engineer might call an employee and pose as an IT support person, trying to trick the employee into divulging his password. The goal is always to gain the trust of one or more of your employees) * Phishing (criminal, fraudulent process of attempting to acquire confidential information such as user names, passwords, and credit card details by masquerading as a trustworthy entity such as well-known bank, credit card company, a friend, a large social network, or a telecommunication company. Done thru email or IM. Enter details at a fake website * Keystroke logging (the action of tracking (or logging) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored.
Want shoppers money, confidential information
2. B2C EC sites continue to experience DoS attacks. How are these attacks perpetrated? Why is it so difficult to safeguard against them? What are some of the things a site can do to mitigate such attacks?
Attacker uses specialized software to send flood of data packet to the target computer, with the aim of overloading its resources. In general terms, DoS attacks are implemented by either forcing the targeted computer(s) to reset, or consuming its resources so that it can no longer provide its intended service or obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately. IP addresses are not useful as an identification credential. Because there is no reliable way to tell where an HTTP request is from, it is very difficult to filter out malicious traffic.
How?
* Social engineering (For example, instead of trying to find a software vulnerability, a social engineer might call an employee and pose as an IT support person, trying to trick the employee into divulging his password. The goal is always to gain the trust of one or more of your employees) * Phishing (criminal, fraudulent process of attempting to acquire confidential information such as user names, passwords, and credit card details by masquerading as a trustworthy entity such as well-known bank, credit card company, a friend, a large social network, or a telecommunication company. Done thru email or IM. Enter details at a fake website * Keystroke logging (the action of tracking (or logging) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored.
Want shoppers money, confidential information
2. B2C EC sites continue to experience DoS attacks. How are these attacks perpetrated? Why is it so difficult to safeguard against them? What are some of the things a site can do to mitigate such attacks?
Attacker uses specialized software to send flood of data packet to the target computer, with the aim of overloading its resources. In general terms, DoS attacks are implemented by either forcing the targeted computer(s) to reset, or consuming its resources so that it can no longer provide its intended service or obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately. IP addresses are not useful as an identification credential. Because there is no reliable way to tell where an HTTP request is from, it is very difficult to filter out malicious traffic.