Because the Internet is an open network, e-commerce systems face a range of security threats. At present, the main security risks in e-commerce are as follows.
1. Identity impersonation problem
An attacker obtains a legitimate user's identity information or credentials by illegitimate means and then trades with others under that identity, defrauding counterparties, corrupting information and gaining an illegal benefit. The main forms are: impersonating another person; consuming or placing orders under another person's name and framing that person for the consequences; and impersonating a host in order to deceive legitimate hosts and legitimate users.
2. Network information security issues
These threats appear mainly as an attacker intercepting, tampering with, deleting or inserting information in the network transmission channel by physical or logical means. Interception: the attacker captures confidential or useful information, such as a consumer's account number and password, by analysing the characteristics of the physical transmission line or by eavesdropping on the network. Tampering: the attacker reorders the information flow or changes the content of messages. Deletion: the attacker removes a message, or part of a message, from the stream. Insertion: the attacker injects information into the stream so that the recipient either cannot understand it or accepts wrong information.
3. Denial of service
An attacker prevents legitimate access to information, services or other resources. This mainly shows up as spreading false information and disrupting normal information channels, for example: opening fake websites and shops, sending e-mails to users and taking orders that will never be fulfilled; or forging a large number of users and messages to exhaust the merchant's resources, so that legitimate users cannot access network resources normally and services with strict timing requirements cannot respond in time.
4. Repudiation by either party to the transaction
Either party may later maliciously deny information it sent in order to evade responsibility. For example, the sender denies having sent a message or its content; the recipient denies having received a message or its content; the buyer disowns a purchase order; a merchant sells goods of poor quality and then denies the original transaction. Without a mechanism for this, who notarizes and arbitrates disputes between the two parties in the online world?
5. Computer system security issues
The computer system is the basic equipment of e-commerce, and neglecting its security also threatens the information security of the whole e-commerce system. The equipment itself is subject to physical damage, data loss, information leakage and similar problems, and systems are frequently attacked by illegal intrusions and damaged by computer viruses. Personnel management is a further issue: if responsibilities and authority are unclear, the security of the computer system suffers.
Second, e-commerce security mechanisms
1. Encryption and hiding mechanisms
Encryption transforms information so that an attacker who intercepts it cannot read the content, and thus protects the information. Hiding (steganography) conceals useful information inside other information so that an attacker cannot find it; this not only keeps the information confidential but also conceals the fact that communication is taking place.
2. Authentication mechanism
A basic network security mechanism is that network devices authenticate each other, so that operating authority and data access control are applied correctly. The network must also authenticate the user's identity, so that the right user performs the right operations and those operations can be correctly audited.
3. Audit mechanism
Auditing is the basis for preventing insider crime and for investigating and collecting evidence after an incident. By recording important events, the system can locate the error and determine why an attack succeeded once it detects the error or the attack. Audit records must be protected against unauthorized deletion and modification.
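The last sentence is the part practitioners most often get wrong: a log that the attacker can edit after the fact proves nothing. The following added example (not code from the original article) shows one way to make an audit trail tamper-evident: every entry carries a MAC over the previous entry's MAC plus the event, so modifying or deleting an entry in the middle breaks the chain, and a "sealed" head stored off the machine exposes truncation of the tail. The key name, event fields and timestamps are constructed for the example.

```python
import copy
import hashlib
import hmac
import json
from typing import Optional

# Hypothetical key held only by the audit service (assumption, not from the article).
LOG_KEY = b"example-audit-log-key"
GENESIS = b"\x00" * 32


def _entry_mac(prev_mac: bytes, event: dict) -> bytes:
    """MAC over the previous entry's MAC plus this event in canonical JSON,
    so every entry commits to everything recorded before it."""
    payload = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(LOG_KEY, prev_mac + payload, hashlib.sha256).digest()


def append_event(log: list, event: dict) -> list:
    """Append an event, chaining it to the previous entry."""
    prev = log[-1]["mac"] if log else GENESIS
    log.append({"event": event, "mac": _entry_mac(prev, event)})
    return log


def seal(log: list) -> bytes:
    """Head MAC to be kept off-box (printed, or sent to a remote log server);
    comparing against it is the only way to notice that the newest entries vanished."""
    return log[-1]["mac"] if log else GENESIS


def verify_log(log: list, sealed_head: Optional[bytes] = None) -> int:
    """Return -1 if the chain is intact, otherwise the index of the first bad entry.
    Tail truncation is reported as len(log), and only when a sealed head is given."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if not hmac.compare_digest(_entry_mac(prev, entry["event"]), entry["mac"]):
            return i
        prev = entry["mac"]
    if sealed_head is not None and not hmac.compare_digest(prev, sealed_head):
        return len(log)
    return -1


def demo() -> dict:
    """Constructed events, then four tampering attempts against the resulting log."""
    events = [
        {"ts": 1700000000, "user": "alice", "action": "login", "result": "ok"},
        {"ts": 1700000060, "user": "alice", "action": "approve_order", "order": 4711},
        {"ts": 1700000120, "user": "bob", "action": "login", "result": "fail"},
    ]
    log: list = []
    for ev in events:
        append_event(log, ev)
    head = seal(log)

    modified = copy.deepcopy(log)
    modified[1]["event"]["order"] = 9999      # rewrite what was approved
    deleted = copy.deepcopy(log)
    del deleted[1]                             # erase the approval entirely
    truncated = copy.deepcopy(log)[:2]         # drop the newest entry

    return {
        "intact": verify_log(log, head),
        "modified": verify_log(modified, head),
        "deleted": verify_log(deleted, head),
        "truncated_without_seal": verify_log(truncated),
        "truncated_with_seal": verify_log(truncated, head),
    }
```

Note that the chain alone does not catch truncation (the shortened log still verifies), which is why the head MAC has to leave the machine; in practice the same job is done by forwarding entries to a write-once remote collector.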
4. Integrity protection mechanism
Integrity protection is used to prevent illegal tampering, and the integrity mechanisms of cryptography (hashes and message authentication codes) handle illegal tampering well. A further purpose of integrity protection is to provide non-repudiation: when the source of a message can be verified but not imitated, the receiver can identify the sender, and a digital signature provides this. A message authentication code alone cannot, because either holder of the shared key could have produced it.
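The distinction between detecting tampering (item 2 above) and proving who sent a message (the repudiation problem in the first part and this item) is easy to state and easy to blur in code. The following added example (not from the original article) puts the two side by side: an HMAC that catches a modified order but that the merchant could equally have produced, and a digital signature that only the buyer's private key can create. The signature is textbook RSA over a SHA-256 digest using two well-known Mersenne primes, chosen only so the block runs with the standard library; it has no padding and a 92-bit modulus, so it illustrates the mechanism and nothing more. The key, order string and party names are constructed.

```python
import hashlib
import hmac

# --- Integrity with a shared key: an HMAC detects tampering in transit ---
def mac_tag(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def mac_valid(key: bytes, msg: bytes, tag: bytes) -> bool:
    # constant-time comparison, so the check itself leaks no timing information
    return hmac.compare_digest(mac_tag(key, msg), tag)


# --- Non-repudiation: a signature only the private-key holder can produce ---
# Textbook RSA on a SHA-256 digest. Illustrative only (assumed parameters):
# no padding, tiny modulus. Real systems use RSA-PSS or Ed25519 with generated keys.
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q
E = 65537                                  # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent (Python 3.8+)


def _digest_int(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(msg: bytes, d: int = D) -> int:
    """Buyer side: needs the private exponent."""
    return pow(_digest_int(msg), d, N)


def verify(msg: bytes, sig: int, e: int = E) -> bool:
    """Merchant, arbitrator, anyone: needs only the public key (E, N)."""
    return pow(sig, e, N) == _digest_int(msg)


def demo() -> dict:
    key = b"shared-key-between-buyer-and-merchant"      # constructed
    order = b"buyer=alice;item=laptop;qty=1;price=999"
    tampered = order.replace(b"qty=1", b"qty=10")

    tag = mac_tag(key, order)
    sig = sign(order)
    # The merchant also holds the shared key, so it can mint the very same tag:
    # a MAC says "someone with the key sent this", never "the buyer sent this".
    merchant_made_tag = mac_tag(key, order)

    return {
        "mac_accepts_original": mac_valid(key, order, tag),
        "mac_rejects_tampered": mac_valid(key, tampered, tag),
        "merchant_can_forge_mac": merchant_made_tag == tag,
        "sig_accepts_original": verify(order, sig),
        "sig_rejects_tampered": verify(tampered, sig),
        "sig_rejects_bitflip": verify(order, sig ^ 1),
    }
```

For the dispute scenario in the first part, the point is the last three results: a valid signature over the order can be checked by a third party with only the public key, and neither the merchant nor the arbitrator could have produced it.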
5. Privilege control and access control mechanism
These are necessary security measures for the host system. On the basis of correct authentication, the system grants the user appropriate operating authority, so that the user cannot act beyond it. The mechanism generally uses role management: roles such as manager and accountant are defined according to the needs of the system, and each role is given different execution rights.
6. Traffic padding mechanism
Sending useless random data while the business channel is idle makes it harder for an attacker to extract information from the communication traffic (traffic analysis), and also makes cryptanalysis of the encrypted communication more difficult. The random data must simulate real traffic well, so that it cannot be distinguished from genuine messages.