A SURVEY OF E-COMMERCE SECURITY THREATS AND SOLUTIONS
Keywords: e-Commerce, security, user experience
E-commerce security is part of the broader set of Web security problems that arise in every business information system operating over the Internet. In e-commerce, however, the dimensions of web security (secrecy, integrity, and availability) are focused on protecting the consumer's and the e-store site's assets from unauthorized access, use, alteration, or destruction. The paper presents an overview of recent security issues in e-commerce applications and the usual points an attacker can target: the client (data, session, identity); the client computer; the network connection between the client and the web server; the web server; and third-party software vendors. It discusses effective approaches and tools used to address the different e-commerce security threats. Special attention is paid to Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), phishing attacks, SQL injection, man-in-the-middle attacks, bots, denial-of-service, encryption, firewalls, SSL, digital signatures, security certificates, and PCI compliance. The research outlines and suggests many security solutions and best practices.
Copyright (c) 2021 Author
This work is licensed under a Creative Commons Attribution 4.0 International License.