Tuesday, 4 October 2016

Analysis in Risk Assessment


The most important step in measuring the level of risk is to determine the adverse impact resulting from a successful threat exercise of a vulnerability. Before beginning the impact analysis, the following information must be obtained:
  • System mission (e.g., the procedures performed by the IT system)
  • System and data criticality (e.g., the system’s value or significance to an organization)
  • System and data sensitivity.

This information can be obtained from existing organizational documentation, for example the mission impact analysis report or the asset criticality assessment report. A mission impact analysis (also known as a business impact analysis [BIA] in some software companies in India) prioritizes the impact levels associated with the compromise of an organization’s information assets, based on a qualitative or quantitative assessment of the sensitivity and criticality of those assets. An asset criticality assessment identifies and prioritizes the sensitive and critical organization information assets (e.g., hardware, software, systems, services, and related technology assets) that support the organization’s critical missions.

Some tangible impacts can be measured quantitatively in lost revenue, the cost of repairing the system, or the level of effort needed to correct problems caused by a successful threat action. Other impacts (e.g., loss of public confidence, loss of credibility, damage to an organization’s interest) cannot be measured in specific units but can be qualified or described in terms of high, medium, and low impact. Because of the generic nature of this discussion, this guide defines and describes only the qualitative categories: high, medium, and low impact.

Magnitude of Impact: Impact Definition

High: exercise of the vulnerability
  1. may result in the exceedingly costly loss of major tangible assets or resources;
  2. may significantly disturb, harm, or impede an organization’s mission, reputation, or interest; or
  3. may result in human death or severe injury.

Medium: exercise of the vulnerability
  1. may result in the costly loss of tangible assets or resources;
  2. may violate, harm, or obstruct an organization’s mission, reputation, or interest; or
  3. may result in human injury.

Low: exercise of the vulnerability
  1. may result in the loss of some tangible assets or resources; or
  2. may noticeably affect an organization’s mission, reputation, or interest.


Quantitative versus Qualitative Assessment


In conducting the impact analysis, consideration should be given to the benefits and shortcomings of quantitative versus qualitative assessments. The main advantage of the qualitative impact analysis is that it prioritizes the risks and identifies areas for immediate improvement in addressing the vulnerabilities. Its shortcoming is that it does not deliver specific quantifiable measurements of the magnitude of the impacts, which makes a cost-benefit analysis of any recommended controls difficult.

The major advantage of a quantitative impact analysis is that it delivers a measurement of the impacts’ magnitude, which can be used in the cost-benefit analysis of recommended controls. Its shortcoming is that, depending on the numerical ranges used to express the measurement, the meaning of the quantitative impact analysis may be unclear, requiring the result to be interpreted in a qualitative manner anyway.

Additional factors often must be considered to determine the magnitude of impact. These may include, but are not limited to:
  • An approximation of the occurrence of the threat-source’s exercise of the vulnerability over a quantified time period (e.g., 1 year)
  • An approximate cost for each incidence of the threat-source’s exercise of the vulnerability
  • A numerical factor based on a subjective analysis of the comparative impact of a specific threat’s exercising a specific vulnerability.
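The three factors above are enough to turn the qualitative high/medium/low scale into numbers and back. The following is an added example (not code from the original article): it computes the annualized loss from the frequency, cost per occurrence and subjective weight, maps the result onto the article's three impact classes, and checks whether a recommended control pays for itself. The thresholds and the sample scenarios are constructed figures.

```python
# Added example (not from the original article): annualized loss expectancy
# built from the three factors listed above, mapped to the high/medium/low
# classes, and used for a cost-benefit check of a recommended control.
# The thresholds and the figures in the sample scenarios are constructed.
from dataclasses import dataclass


@dataclass
class Scenario:
    name: str
    annual_rate: float      # expected exercises of the vulnerability per year
    cost_per_event: float   # cost of one successful exercise, in currency units
    weight: float = 1.0     # subjective comparative-impact factor


def annual_loss(s: Scenario) -> float:
    """Annualized loss expectancy: frequency x cost per event x subjective weight."""
    return s.annual_rate * s.cost_per_event * s.weight


# Assumed thresholds, in the same currency units as cost_per_event.
HIGH_THRESHOLD = 100_000.0
MEDIUM_THRESHOLD = 10_000.0


def qualitative_level(loss: float) -> str:
    """Map a quantitative annual loss back onto the article's qualitative classes."""
    if loss >= HIGH_THRESHOLD:
        return "high"
    if loss >= MEDIUM_THRESHOLD:
        return "medium"
    return "low"


def control_benefit(s: Scenario, rate_after: float, control_cost_per_year: float) -> float:
    """Net annual benefit of a control that lowers the event rate to rate_after.
    Positive means the control pays for itself; negative means it costs more than it saves."""
    after = Scenario(s.name, rate_after, s.cost_per_event, s.weight)
    return annual_loss(s) - annual_loss(after) - control_cost_per_year


# Constructed sample scenarios.
STAFF_PHISHING = Scenario("credential phishing against staff", annual_rate=4, cost_per_event=30_000)
TEST_SITE_DEFACEMENT = Scenario("defacement of an internal test site", annual_rate=0.5, cost_per_event=8_000)

if __name__ == "__main__":
    for s in (STAFF_PHISHING, TEST_SITE_DEFACEMENT):
        loss = annual_loss(s)
        print(f"{s.name}: {loss:,.0f} per year -> {qualitative_level(loss)} impact")
    # Awareness training assumed to cut successful phishing from 4 to 1 per year at 20,000 per year.
    print("training net benefit:", control_benefit(STAFF_PHISHING, 1, 20_000))
    # A monitoring service for the test site assumed to cost 5,000 per year.
    print("monitoring net benefit:", control_benefit(TEST_SITE_DEFACEMENT, 0.25, 5_000))
```

The mapping in `qualitative_level` is where the shortcoming the text describes shows up: the thresholds are a judgement call, so two analysts using different ranges will label the same loss figure differently.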

Business impact analysis (BIA) is a systematic process to determine and evaluate the potential effects of an interruption to critical business operations as a result of a disaster, accident or emergency. A BIA is an indispensable component of the business continuity plan of almost any software company in India; it comprises an exploratory component to reveal any vulnerabilities and a planning component to develop strategies for minimising risk.

Monday, 26 September 2016

Password Hacking Techniques


There are a number of methods used by hackers to hack your account or get your personal information, such as your password. Password hacking is very common nowadays, so web development companies should implement countermeasures against it. The most common password hacking tricks and their countermeasures are as follows:

Brute-force attack:
  • A brute-force attack can be used to crack any password.
  • Brute-force attacks try every possible combination of digits, letters and special characters until the correct password is matched.
  • Brute-force attacks can take a very long time depending on the complexity of the password.
  • Countermeasures:
    • Use long and complex passwords.
    • Try to use a combination of upper- and lowercase letters along with numbers.

Social engineering:
  • It is the process of manipulating someone into trusting you and giving you information.
  • Let’s take an example: if a hacker wanted the password to a co-worker’s computer, he might call them pretending to be from the IT department and simply ask for their login details.
  • It can be used to steal passwords, bank credentials or any personal information.
  • Countermeasures:
    • Never give your credit card details over the phone.
    • If someone asks for your personal or bank details, ask them a few questions first.

RATs and key loggers:
  • A key logger is sent to the victim’s computer to capture a password.
  • The hacker then monitors everything the victim does on the computer, including passwords, through the key logger.
  • So it is a major concern for software development companies.
  • Countermeasures:
    • Never log in to your personal account from someone else’s computer or a cyber cafe computer.
    • Use the latest anti-virus software and keep it updated.

Phishing:
  • This attack is used by hackers to get someone’s account details, such as username and password.
  • In this attack the hacker sends the victim a fake page of a real website like Facebook or Gmail. When someone logs in through that fake page, the details are sent to the hacker.
  • Countermeasures:
    • Always make sure that the website’s URL is correct.
    • For example, check whether it is gmail.com or the phishing page gmmail.com.
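Checking the URL can be automated on the defender's side, for example in a mail gateway or a browser extension. The following is an added example (not code from the original article) that extracts the hostname a browser would actually connect to, accepts only exact trusted hosts and their subdomains, and flags look-alikes such as gmmail.com or a trusted name used as a prefix of some other domain. The trusted list and sample URLs are constructed, and the "last two labels" rule for the registrable domain is a simplification (it ignores suffixes such as .co.uk).

```python
# Added example (not from the original article): check that a link's hostname is
# exactly a site you trust, and flag look-alikes such as gmmail.com. The trusted
# list and the sample URLs are constructed; the "last two labels" rule for the
# registrable domain is a simplification (it ignores suffixes such as .co.uk).
from urllib.parse import urlsplit

TRUSTED_HOSTS = {"gmail.com", "mail.google.com", "accounts.google.com"}


def hostname(url: str) -> str:
    """Extract the host the browser would actually connect to.
    Note that 'https://gmail.com@evil.example/' connects to evil.example."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Simplified registrable domain: the last two labels."""
    return ".".join(host.split(".")[-2:])


def classify_link(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the URL's hostname."""
    host = hostname(url)
    if not host:
        return "unknown"
    for trusted in TRUSTED_HOSTS:
        if host == trusted or host.endswith("." + trusted):
            return "trusted"
    for trusted in TRUSTED_HOSTS:
        trusted_reg = registrable(trusted)
        # A trusted name used as a prefix (gmail.com.example.net) or a name within
        # two edits of a trusted one (gmmail.com) is treated as a look-alike.
        if host.startswith(trusted_reg + ".") or edit_distance(registrable(host), trusted_reg) <= 2:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for sample in ("https://mail.google.com/mail", "https://gmmail.com/login",
                   "https://gmail.com.login-verify.net/", "https://gmail.com@evil.example/"):
        print(f"{sample:45} -> {classify_link(sample)}")
```

The point of `hostname` is that the part of a link that looks like the site name is not always the host that gets contacted; the userinfo trick in the last sample is one reason to parse the URL rather than eyeball it.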

Rainbow table:
  • A rainbow table is a big pre-computed list of hashes for every possible combination of characters.
  • A password hash is a password that has gone through a mathematical algorithm and been transformed into something unrecognizable.
  • A hash works like one-way encryption: once a password is hashed, the original string cannot be recovered from the hashed string.
  • Countermeasures:
    • Make sure the password chosen is long and complex.
    • Creating tables for long and complex passwords takes a very long time and a lot of resources.
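The reason a precomputed table works is that the same password always produces the same hash, so a lookup can be done once for everybody. The following is an added example (not code from the original article) over a deliberately tiny keyspace of lowercase strings up to three characters: an unsalted SHA-256 of a short password is found instantly in the table, while the same password hashed with a per-user random salt is not, because the table would have to be rebuilt for every salt value. The salt and sample passwords are constructed.

```python
# Added example (not from the original article): a tiny precomputed lookup table
# over a deliberately small keyspace (lowercase letters, up to 3 characters),
# showing why it defeats an unsalted hash and why a per-user salt makes the
# table useless. The salt value and sample passwords are constructed.
import hashlib
import itertools
import os
import string

ALPHABET = string.ascii_lowercase
MAX_LEN = 3


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_table(alphabet: str = ALPHABET, max_len: int = MAX_LEN) -> dict:
    """Precompute hash -> password for every string in the keyspace.
    A real rainbow table compresses this with hash chains, but the lookup idea is the same."""
    table = {}
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            password = "".join(chars)
            table[sha256_hex(password.encode())] = password
    return table


def lookup(table: dict, stored_hash: str):
    """Recover the password from a stored hash if it is in the table, else None."""
    return table.get(stored_hash)


def hash_password_salted(password: str, salt: bytes) -> str:
    """Salted hash: the salt is stored next to the hash and is unique per user,
    so one precomputed table cannot serve every account."""
    return sha256_hex(salt + password.encode())


if __name__ == "__main__":
    table = build_table()
    print("table entries:", len(table))
    print("unsalted 'cat' ->", lookup(table, sha256_hex(b"cat")))
    salt = os.urandom(16)   # fresh random salt for this user
    print("salted 'cat'   ->", lookup(table, hash_password_salted("cat", salt)))
```

In practice a system storing passwords uses a slow, salted password hash designed for the purpose (bcrypt, scrypt or Argon2) rather than plain SHA-256; the salt defeats precomputation and the slowness limits how many guesses per second an attacker who obtains the hashes can try.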

Guessing:
  • This can help an attacker get someone’s password within seconds.
  • If the hacker knows you, he can use the personal information he knows about you to guess your password.
  • Countermeasures:
    • Don’t use your first name, nickname, mobile number or birthdate as your password.
    • Create a long and complex password with a combination of letters and numbers.

Dictionary attack:
  • A file of words is run against user accounts, and if the password is a simple word, it can be found pretty quickly.
  • Countermeasures:
    • Use long and complex passwords.
    • Try to use a combination of upper- and lowercase letters along with numbers.
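The countermeasures for brute force, guessing and dictionary attacks are the same set of rules, and they are easiest to enforce at the point where a user chooses a password. The following is an added example (not code from the original article) that checks a candidate against those rules (minimum length, mixed case plus digits, not built on a dictionary word, not containing the user's own name or birth year) and estimates the size of the keyspace a brute-force attack would have to cover. The word list, the minimum length and the sample inputs are constructed.

```python
# Added example (not from the original article): a password checker that applies
# the countermeasures listed above (length, mixed case plus digits, no dictionary
# word, nothing drawn from personal details) and estimates the brute-force
# keyspace. The dictionary, the minimum length and the sample inputs are constructed.
import math
import re
import string

DICTIONARY = {"password", "welcome", "letmein", "sunshine", "dragon", "football"}
MIN_LENGTH = 12


def check_password(password: str, personal: dict) -> list:
    """Return a list of problems; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("needs both upper- and lowercase letters")
    if not re.search(r"[0-9]", password):
        problems.append("needs a digit")
    lowered = password.lower()
    # Strip digits and symbols first: 'Dragon2016!!' is still the word 'dragon'.
    if re.sub(r"[^a-z]", "", lowered) in DICTIONARY:
        problems.append("based on a dictionary word")
    # Guessing countermeasure: nothing the attacker could learn about the user.
    for field, value in personal.items():
        value = str(value).lower()
        if len(value) >= 4 and value in lowered:
            problems.append(f"contains your {field}")
    return problems


def charset_size(password: str) -> int:
    """Size of the alphabet a brute-force attack would have to cover."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)   # 32 printable ASCII symbols
    return size


def keyspace_bits(password: str) -> float:
    """log2 of the number of candidates; each extra character multiplies the work."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


if __name__ == "__main__":
    me = {"first_name": "John", "birth_year": 1990}   # constructed personal details
    for candidate in ("john1990", "Dragon2016!!", "Tq7#veRn2kLp"):
        print(f"{candidate:14} {keyspace_bits(candidate):5.1f} bits  {check_password(candidate, me)}")
```

The keyspace figure is only an upper bound on the attacker's work: a password that fails the dictionary or personal-information checks is found long before the keyspace is exhausted, which is why the checker reports those problems separately from length.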

Conclusion:
This article is for everyone, including web development companies in India, who wants to protect personal information such as usernames and passwords. The countermeasures suggested above should be implemented.

Monday, 12 September 2016

Frauds in Online Payment Systems


Nowadays, everything is online. Online shopping, online money transfers and online banking save a lot of time and make our lives easier. These facilities are provided by software development companies in India by developing online payment system software. However, these same technologies also make life easier for cyber criminals by offering them short and quick ways to steal users’ money.

Using stolen payment data is an effective and popular way of making a quick profit. Hacking a bank is more time-consuming and expensive, and the risk of being caught is higher. By contrast, many individuals use computers with various vulnerabilities, which can be compromised easily. By stealing a comparatively small amount from each hacked online banking account, a cyber criminal has a good chance of going undetected.

Frauds are classified as follows:

  • Online frauds
  • Offline frauds

Online frauds occur when a fraudster impersonates a legitimate company to obtain sensitive personal information and illegally conduct transactions in existing accounts. Phishing and spoofing are types of online fraud. Offline frauds occur when a fraudster steals sensitive information of customers, such as a bank account number, credit card number or other identification, and uses it to open a new account or perform a transaction in the customer’s or company’s name. There are many types of e-fraud in online payment systems, and they can occur in the following ways:

Account Hacking:

  1. Hacking includes gaining illegal entry into a person’s computer system during online payment. Fraudsters use compromised customer credentials to hack the origination system and misuse it in the legal account holder’s name.

Identity Theft:

  1. Identity theft refers to a crime in which a fraudster illegally obtains and uses another individual’s personal information in a way that involves fraud, to gain something of value during an online transaction.

Phishing:

  1. Phishing is a well-known technique for obtaining confidential, sensitive personal information from a customer by posing as a trusted authority. It is an attempt by the fraudster to "fish" for your banking details through emails carrying attachments or hyperlinks to other websites. The e-mail is crafted to appear to come from a legitimate organization in order to trick people into disclosing sensitive information.
  2. On clicking an attachment or hyperlink in the e-mail, the computer system gets infected with malware. When the next online transaction takes place, the malware activates and steals private financial information, including credit card numbers and PINs, which the fraudster uses to steal money from the account.

Spoofing:

  1. This attack is about creating a fake or duplicate website for criminal use. The fraudsters copy a company’s name, logos, graphics and even code. This often takes the form of trade sites where people innocently provide personal information to criminals or purchase a fake product that does not actually exist.

Check frauds:

  1. Check fraud is a major threat to financial security. Electronic check fraud can take place easily; the fraudster needs only a printer, desktop publishing software and a scanner. The most common forms of check fraud include altering checks, forging endorsements, counterfeiting checks and creating remote checks.

Nigerian advance fee fraud:

  1. This e-fraud is the most popular and lucrative fraud. Fraudsters often arrive with bulk mailings or an email posing as a family member, asking the recipients to enter into a business deal and get money transferred, with a huge commission in return.
  2. Once contact is established, the fraudsters request money in advance, which requires opening an account at a bank or paying some fee, and this leads to trouble and expense.

Lottery frauds:

  1. One receives scam emails announcing the win of a substantial amount of money in a lottery draw. When the receiver replies, the sender asks for bank account details and other personal information so they can transfer the money. These emails are fake and may ask for a handling fee, which leads to loss of money and of personal information that may then be used in other frauds.

Conclusion:

E-frauds are taking place in online payment systems. This is becoming a danger for software development companies in India, as online payment systems are developed by these companies. Encryption algorithms should be implemented to reduce these e-frauds.

Wednesday, 24 August 2016

Security Issues in E-commerce


E-commerce is nothing but buying and selling products or services over electronic systems such as the Internet. Nowadays, a wide variety of commerce is conducted via e-commerce. E-commerce systems are built on the Internet, developed by e-commerce solution providers in India and across the globe, and provide open and easy communication on a global basis. Consumers browse through catalogues searching for the best offers, order goods and pay for them electronically.

Doing electronic business on the Internet is already an easy task. So are cheating and snooping. The use of the Internet means that your internal IT and e-commerce systems are potentially accessible by anyone, irrespective of their location. So threats to e-commerce systems are increasing day by day.

Some of the more common threats to e-commerce systems include:
  • Carrying out denial-of-service (DoS) attacks that block access by authorised users of a website, so that the site’s level of service is reduced
  • Gaining access to sensitive data such as price lists, service catalogues and valuable intellectual property, and altering, destroying or copying it
  • Altering your website and so harming your reputation or directing your customers to another site
  • Gaining access to financial information about your business or your customers, with a view to committing fraud
  • Using viruses to corrupt your business data

E-commerce security means protecting e-commerce assets from unauthorized access, use, alteration, or destruction. Some major security features are as follows:
  • Authentication:
    Verifies that you are who you say you are.
    It ensures that you are the only one who can log in to your Internet banking account.
  • Authorization:
    Allows only you to manipulate your resources.
    This can prevent anyone from increasing the balance of your account or deleting a bill.
  • Encryption:
    Deals with information hiding.
    It ensures cardholder data is hidden during Internet banking transactions.
  • Auditing:
    Keeps a record of operations.
    Sellers use auditing to confirm that you bought specific merchandise.
  • Integrity:
    Prevention against unauthorized data alteration.
  • Non-repudiation:
    Prevents any party from denying an agreement after the fact.
  • Availability:
    Prevention against data delays or removal.
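Several of these features only make sense together: authentication establishes who is calling, authorization decides what that identity may touch, auditing records what happened, and integrity protection makes the record trustworthy. The following is an added example (not code from the original article) of a toy account service that takes the authenticated session user as given, refuses withdrawals by anyone but the account owner, audits both successful and denied operations, and chains the audit entries with an HMAC so that editing or dropping an entry is detectable. The key, account data and amounts are constructed.

```python
# Added example (not from the original article): a toy account service showing how
# the features above fit together: the caller is already authenticated (we take the
# session user as given), authorization checks resource ownership, every operation
# is audited, and the audit trail is chained with an HMAC so alteration is detectable.
# The key, account data and amounts are constructed.
import hashlib
import hmac
import json

AUDIT_KEY = b"constructed-demo-key"   # assumption: a managed secret in a real system


class Forbidden(Exception):
    pass


class AccountService:
    def __init__(self):
        self.accounts = {}    # account id -> {"owner": user, "balance": cents}
        self.audit_log = []   # list of dicts, each carrying an HMAC tag over itself

    def open_account(self, account_id: str, owner: str, balance: int) -> None:
        self.accounts[account_id] = {"owner": owner, "balance": balance}

    @staticmethod
    def _tag(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "tag"}
        return hmac.new(AUDIT_KEY, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

    def _audit(self, actor: str, action: str, account_id: str, amount: int) -> None:
        # Each tag covers the previous tag, so removing or editing an entry breaks the chain.
        entry = {"actor": actor, "action": action, "account": account_id, "amount": amount,
                 "prev": self.audit_log[-1]["tag"] if self.audit_log else ""}
        entry["tag"] = self._tag(entry)
        self.audit_log.append(entry)

    def withdraw(self, session_user: str, account_id: str, amount: int) -> int:
        """Authorization: only the owner may move money out of the account."""
        account = self.accounts[account_id]
        if account["owner"] != session_user:
            self._audit(session_user, "withdraw-denied", account_id, amount)
            raise Forbidden(f"{session_user} does not own {account_id}")
        if amount <= 0 or amount > account["balance"]:
            raise ValueError("invalid amount")
        account["balance"] -= amount
        self._audit(session_user, "withdraw", account_id, amount)
        return account["balance"]

    def verify_audit_log(self) -> bool:
        """Integrity check: recompute every tag and the chain links."""
        prev = ""
        for entry in self.audit_log:
            if entry["prev"] != prev or not hmac.compare_digest(entry["tag"], self._tag(entry)):
                return False
            prev = entry["tag"]
        return True


def demo() -> tuple:
    """Run the scenario: owner withdraws, stranger is refused, then the log is tampered with."""
    svc = AccountService()
    svc.open_account("A1", "alice", 10_000)
    balance = svc.withdraw("alice", "A1", 3_000)
    try:
        svc.withdraw("bob", "A1", 1)
        denied = False
    except Forbidden:
        denied = True
    intact_before = svc.verify_audit_log()
    svc.audit_log[0]["amount"] = 1          # simulate someone editing the stored record
    return balance, denied, intact_before, svc.verify_audit_log()


if __name__ == "__main__":
    print(demo())   # balance after withdrawal, stranger denied, log intact, log detected as altered
```

One caveat for the non-repudiation item: an HMAC proves the log was not altered by anyone without the key, but since the service holds that key it could forge entries itself; genuine non-repudiation towards a customer needs a signature made with a key only the customer controls.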
There are mainly three types of security threats to e-commerce:
  1. Denial of service
  2. Unauthorized access
  3. Theft and fraud
Denial of service attack:

Two primary types of DoS attacks: spamming and viruses.

Spamming:
  • Sending unsolicited emails to everyone.
  • In e-mail bombing, a hacker targets one computer or network and sends a huge number of email messages to it.
  • Smurfing involves hackers placing software agents onto a third-party system and setting it off to send requests to a specific target.
  • DDoS (distributed denial of service) attacks involve hackers placing software agents onto a number of third-party systems and setting them off to simultaneously send requests to an intended target.
Viruses:

  • Compromised computer programs designed to perform unwanted actions.
Unauthorized access:
  • Illegal access to systems, applications or data.
  • Listening on a communications channel to discover secrets.

Theft and fraud:
  • Theft of cardholder data during online shopping.
  • Fraud occurs when the stolen data is modified or misused.
  • Stealing software via illegal copying from a company’s servers.
  • Stealing hardware, specifically laptops.

Conclusion:

There are many security issues in e-commerce. This is a major concern for e-commerce solution providers in India and across the globe, so there should be security mechanisms in place to overcome these issues.

Thursday, 16 July 2015

References


Books
[1] E-Commerce Payment Solutions Implementation and Integration Using IBM Websphere Payment Manager, IBM Redbooks, Vervante

URLs
[2] http://www.mastercard.com/us/company/en/newsroom/McWilton_Future_of_Electronic_Payments_whitepaper.pdf
[3] http://thismatter.com/money/banking/payment-systems.htm
[4] http://www.wired.com/2010/02/ff_futureofmoney
[5] https://en.wikipedia.org/wiki/Apple_Pay
[6] http://zeendo.com/info/googles-mobile-payment-system-past-present-and-future


[7] http://sixrevisions.com/tools/online-payment-systems

Emerging payment challenges


As the Business-to-Consumer (B2C) commerce model progresses, more complex requirements will be placed on the payment software of the future. The following sections, suggested by software development companies, outline real-life payment scenarios that any payment system of the future will need to support.

Manufacturers’ coupons

When customers purchase products from an Internet or e-commerce store, they can use manufacturers’ coupons to discount the amount. The coupons often have an expiration date.
To support this feature the payment system needs to know the item details of the shopping cart, so that the coupon can be authorized and redeemed for payment.
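A coupon check that only sees the order total cannot tell whether the coupon's product is actually in the basket, which is the point the passage makes. The following is an added example (not code from the original article) of a redemption routine that works from the cart's item details: it rejects expired coupons, refuses a second use of a single-use coupon, requires the manufacturer's product to be present, and never discounts more than that product costs. Amounts are in cents; the SKUs, coupon codes and dates are constructed.

```python
# Added example (not from the original article): coupon redemption that needs the
# cart's item details, as the passage says, to check eligibility, expiry and reuse.
# Amounts are in cents; SKUs, coupon codes and dates are constructed.
from dataclasses import dataclass
from datetime import date


@dataclass
class CartItem:
    sku: str
    unit_price: int   # cents
    quantity: int


@dataclass
class Coupon:
    code: str
    sku: str          # the manufacturer's product it applies to
    amount: int       # discount in cents
    expires: date
    max_uses: int = 1
    uses: int = 0


class CouponError(ValueError):
    pass


def redeem(coupon: Coupon, cart: list, today: date) -> int:
    """Authorize the coupon against the cart and return the discount to apply.
    Raises CouponError with the reason when the coupon must be refused."""
    if today > coupon.expires:
        raise CouponError("coupon expired")
    if coupon.uses >= coupon.max_uses:
        raise CouponError("coupon already redeemed")
    eligible = [item for item in cart if item.sku == coupon.sku]
    if not eligible:
        raise CouponError("no eligible item in cart")
    # Never discount more than the eligible item actually costs.
    discount = min(coupon.amount, eligible[0].unit_price)
    coupon.uses += 1          # consume the coupon only after every check passed
    return discount


def try_redeem(coupon: Coupon, cart: list, today: date) -> tuple:
    """Convenience wrapper: (discount, "") on success, (0, reason) on refusal."""
    try:
        return redeem(coupon, cart, today), ""
    except CouponError as exc:
        return 0, str(exc)


def order_total(cart: list, discount: int = 0) -> int:
    return max(0, sum(item.unit_price * item.quantity for item in cart) - discount)


if __name__ == "__main__":
    cart = [CartItem("SOAP-1", 350, 2), CartItem("TEA-9", 499, 1)]   # constructed cart
    coupon = Coupon("SAVE100", "SOAP-1", 100, date(2016, 12, 31))
    today = date(2016, 10, 4)
    discount, reason = try_redeem(coupon, cart, today)
    print("first use:", discount, reason or "ok", "total:", order_total(cart, discount))
    print("second use:", try_redeem(coupon, cart, today))
```

Keeping the `uses` counter on the coupon record, rather than trusting a flag sent by the client, is what stops the same code being redeemed repeatedly; in a real system that counter lives in the payment system's own store.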

Deferred credit 

The retail sector provides buy-now, pay-later offers, and online stores provide the same concept over the Internet. The customer provides credit card details; the commerce store would need to collect the direct payment and have a way of indicating to the payment system that the purchase is a deferred credit purchase. Decisions on where the order would lie dormant would need to be made. The e-commerce system does not hold this information, so the merchant would require some form of authorization check on the consumer’s payment details before the goods were released to the customer.

Multiple payments installments 

Many times customers want to purchase a product on an EMI basis. Online stores provide such a facility only on debit cards. The challenge is how to provide multiple payment installments, how the payment system keeps track of the regular payments, and how it notifies the merchant/consumer of any failures.

Future payments


Following are few other payment options suggested by eCommerce solution provider companies.

E-Money


In a credit/debit card payment transaction, the issuing bank charges the merchant a significant fee for each transaction; therefore cards are not a good way to sell items for little money. Because of this transaction charge, numerous businesses have come to market with special e-money services.

PayPal is a successful business that allows people to send money to other people or to merchants without a merchant account with a bank.

Bitcoins and cryptocurrencies


Another type of payment getting media attention lately is the use of bitcoins or other cryptocurrencies. Some of the main advantages put forward for bitcoin are that:

  • The supply is strictly limited and not controlled by the government.
  • Bitcoins can be divided into smaller units, permitting micro-payments.
  • The cost of transactions is very low.



Wireless payments

Payments made through a wireless device are known as wireless payments. For example, you want to have dinner in a restaurant but have no money with you. You do, however, have your mobile phone with you, so you can transfer money from the phone using NFC or via your own bank account.

Today Apple provides this concept through Apple Pay and Google through Google Wallet.

Apple Pay


Apple Pay is a mobile payment service that lets certain Apple mobile devices make payments at retail and online checkout. It digitizes and replaces the credit or debit magnetic stripe card transaction at credit card terminals. The service lets Apple devices wirelessly communicate with point of sale systems using a near field communication (NFC) antenna, a "dedicated chip that stores encrypted payment information" (known as the Secure Element), and Apple’s Passbook and Touch ID.

The service keeps customer payment information private from the retailer, and creates a "dynamic security code [...] generated for each transaction". Apple does not track usage, which stays between the customers, the vendors, and the banks.

Google mobile payment system


This Google mobile payment system is based on NFC (Near Field Communication), the technology that allows data to be transferred wirelessly from one device to another. And yes, it makes sense for a company like Google to make its foray into this field. The purchasing habits of individuals are highly valued data for advertising companies, which can use the data gathered by Google to market their products and services.

Google Wallet mobile payments

Google Wallet is a mobile phone application that turns your phone into a virtual credit card, a card-less paying device. Checkouts that accept it display the Google Wallet symbol.
To pay, you just tap the Google Wallet application on your phone, enter a 4-digit PIN code to unlock it, and touch the phone to the terminal. This sends a secure payment by means of Near Field Communication (NFC). A Google Prepaid Card is really a virtual card into which you add funds from any of your existing credit cards.