E-commerce Security for End Users

Post on 15-Apr-2017


E-Commerce Security for Users

M. Faisal Naqvi, Research Consultant (Technical), ECAC

Who is the User?

Stakeholders/Major Players:
• Customer
• Merchant
• Bank
• Certification Authority (CA)
• Government

Preventive Measures against Password Theft

• Password/PIN should include:
  – Capital letters
  – Small letters
  – Numbers
  – Special characters
• Password/PIN shouldn't include:
  – User name
  – Country / city name, etc.
  – Date/year of birth
  – Digits of phone number
  – Dictionary words
• These rules are there to resist:
  – Brute-force attacks
  – Dictionary attacks
• Shouldn't be written down
• Should be different for different accounts

Preventive Measures against Password Theft

Password protection from:
• Shoulder surfing
• Video recording
• Spyware/keyloggers
• Viruses/Trojan horses

Two-factor authentication:
• Smart card
• Biometric devices

Preventive Measures against Phishing Attack

• Always look for your own e-mail address in the “To:” / “CC:” field
• Even if info@pepsi.com is written in the From field, that still does not confirm that the mail is from Pepsi (see e.g. www.SendFakeMail.com)
• Never disclose your account/credit card information through e-mail / phone
• Don't open/download any file from an unknown sender

Tracing the source of an Email


E-Mail Security

• Confidentiality, integrity, authenticity and non-repudiation
• Obtain a digital certificate from a CA (e.g. NIFT)
• Install / import your own certificate in your e-mail software (e.g. Outlook)
• Associate other persons' certificates with their e-mail addresses in the address book
• If you receive digitally signed mail from any contact, the certificate will automatically be associated with that address (in advanced versions of the software)

Preventive Measures against Credit Card Info. Theft

• Be careful: “amazon.com” and “amaz0n.com” are not the same
• “amazon.com/securepayment/ws” and “amazon.com.securepayment.ws” are not the same
• In both of the above cases the 2nd one is fraudulent
• Provide account/credit card info only to secure web sites
• Always pay attention to warnings/information given by the browser
• Always look for the yellow lock
• Never disclose secret information without the yellow lock
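As an added example (not part of the original slides), the following Python distinguishes the two URL pairs above: it extracts the host from each URL, reduces it to its registrable domain, and flags a digit-for-letter substitution such as the “0” in “amaz0n”. The brand table and the homoglyph map are assumptions for the example, and it assumes single-label public suffixes such as .com and .ws.

```python
from urllib.parse import urlsplit

# Constructed brand -> legitimate registrable domain table (assumption for
# this example; a real check would use a maintained list plus the Public
# Suffix List so that suffixes like co.uk are handled).
LEGIT_DOMAINS = {"amazon": "amazon.com"}

# Digits commonly substituted for letters in lookalike hostnames.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def registrable_domain(url: str) -> str:
    """Return the host's last two labels, e.g. 'securepayment.ws'.

    A URL without a scheme is treated as http:// so urlsplit finds the
    host; the path ('/securepayment/ws') never affects the result.
    """
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify(url: str, brand: str) -> str:
    """Classify a URL the user believes belongs to `brand`.

    'legitimate'       registrable domain matches the brand's real one
    'lookalike'        matches only after undoing digit/letter swaps
    'different-domain' brand name appears as a subdomain of another site
    """
    expected = LEGIT_DOMAINS[brand]
    domain = registrable_domain(url)
    if domain == expected:
        return "legitimate"
    if domain.translate(HOMOGLYPHS) == expected:
        return "lookalike"
    return "different-domain"


if __name__ == "__main__":
    for candidate in ("amazon.com", "amaz0n.com",
                      "amazon.com/securepayment/ws",
                      "amazon.com.securepayment.ws"):
        print(f"{candidate:32} -> {classify(candidate, 'amazon')}")
```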

Private Key Protection

• Private key's password protection
• Two-factor authentication, e.g.:
  – Private key on smart card
  – Private key on USB device / token
• Never save the password
• Because the private key is your DIGITAL SIGNATURE
• DIGITAL SIGNATURE = Hand-written signature + Thumb impression + Witnesses

General Recommendations

• Don't visit websites offering illegal software / cracks, etc.
• Don't use cracked / illegally patched software
• Enable the firewall while connected to the internet
• Don't fall for social engineering


Thank You