Following the template described in defining the risk context, this post will now break down the elements that build the bigger picture.


User activity and actions

NOTE - there are other actions done prior to this, like using a computer and a browser. They are not in scope for this use case, which will focus only on Web Shopping specific actions.

1. Choose a web shop

This is done on a case by case basis. The user will either buy from an already known web shop directly or will search for one via a search engine (Google, Bing). The risk context changes when the user is shopping from a well-known web shop (such as eBay or Amazon).

2. Place order

Typical web shops have a virtual "basket" where the user adds the items. At the end of the shopping session the user will choose to "checkout" the basket, proceeding to payment.

3. Payment

The user would usually be asked for a method of payment, if more than one is available. Each has its own benefits and downsides in terms of security and of usability for the customer or the web shop owner. The most typical ones are listed below:

  • cash on delivery - directly paying in cash whenever your order is delivered. I normally prefer this one, as I do not have to enter any financial information online.
  • bank transfer - the user manually transfers the necessary amount of money from their bank account to the one belonging to the web shop
  • credit/debit card - the user enters their credit/debit card details and the web shop charges the credit/debit card. This is the most preferred method of paying online, but it is safer for the user when performed via a 3rd party payment processor, as described below
  • 3rd party payment processor - the responsibility does not belong to the web shop, but to a 3rd party entity that does the processing. This is convenient for the user, because these payment processors are (or should be) well prepared to handle credit card information, based on industry requirements. Examples include PayPal or AliPay.

Assets identified

Typically the assets are limited to what is strictly required to perform an online purchase and delivery:

  • personal information - name, physical address (used for delivery)
  • contact information - telephone, e-mail address (used for confirmation of order)
  • financial information - credit card details, online payment system authentication credentials, like a PayPal username and password (used for payment)
  • money - in the form of cash or credit (used for payment)
  • web shop credentials - username and password for the website (used for authentication to the web shop and storing)

Companies will not always restrict themselves to the above and might require more information from the user, like the following:

  • sensitive information - national ID or any other form of identification (like driver's license number or scanned copy, social security number for the US etc.)

  • extra information on either one of the above - birth date, gender, marital status (generally used for internal customer management as well as marketing purposes)

Adversaries

Note - the adversaries enumerated below are considered the most relevant for this use case. There can be other adversaries as well, but they might be restricted only to specific scenarios.

  • script kiddiez - since web shops are so easy to create, they are often very open to attack due to bad programming. This makes them a regular target for simple scammers and other poorly prepared adversaries

  • organized crime groups - there is enough money in web shopping to attract more sophisticated adversaries

  • marketing businesses - as mentioned in the adversary perspective, marketing and sales are dramatically boosted when using (potential) consumer data, making any kind of personal information valuable

Threats

Note - there are many more threats associated with web shopping. This article limits itself to those seen from the information security and privacy perspective and does not delve deeply into the detailed technical aspects or shopping experience aspects.

1. Buying from a fake web shop

Literally ANYBODY can create a web shop for free. A web shop can also look very professional, either for free or with not that much money spent. There are, of course, good parts about this, like boosting entrepreneurship and small businesses. On the other hand, this leaves a normal user very open to various threats, because an adversary can easily take advantage of how easy it is to create a web shop to fulfill his/her goals.

A fake web shop can either:

  • replicate a real one - examples include phishing websites, designed to lure users to an exact copy of a legitimate website

  • be standalone - does not link to or replicate another one, but is created with the goal of committing fraud

2. Unclear, fake or shady payment process

Users can end up in many situations because of an unclear payment process.

Paying a different amount than expected

This can happen either for (apparently) legitimate reasons, like VAT calculation, currency conversion or hidden fees written in very small text, or for illegitimate reasons, like part of the money reaching a different account.

Paying to a different entity than expected

Depending on the method of payment chosen by the user OR the (only) one offered by the web shop, this threat can be valid or not.

The payment does not reach the intended recipient (the web shop owner) but reaches the adversary. This can happen due to a bug or compromise in the web shop or one of its components.

3. Improper information handling

In most cases, this can lead to one of the following:

  • information theft - The web shop can be breached by an adversary, or can have a bug that causes your information to be stolen or made accessible to entities that should not have access to it. In general, users do not see information such as name and address as a problem when stolen. Users will react more when something with more tangible impact, like credit card information, is stolen

  • information shared with other entities - Businesses can use your information for their own interest and financial benefit without you being aware of it. Again, this is something that, as users, we might not care too much about initially, but try asking yourself the question - do I really want this info to be shared or used?

The responsibility associated with handling your information falls upon the information processor, in this case the web shop (unless stated otherwise).

Legitimate and trustworthy web shops will most likely have a page stating their "privacy policy" or "terms of use". These pages should clearly state what kind of information they are processing, for what purposes, how they are handling it and what efforts they employ to protect it.

The absence of these pages, or of something similar, can be a clear indicator that the web shop is not trustworthy.
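The check described above can be automated over a saved copy of a shop's page. The following is an added example, not part of the original post: it looks for links to a privacy policy and terms page and reports which are missing. The keyword lists, function names and the two HTML samples are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Keyword lists are assumptions for this example; extend them per language or market.
POLICY_KEYWORDS = {
    "privacy": ("privacy", "data protection"),
    "terms": ("terms of use", "terms of service", "terms and conditions", "terms"),
}

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def policy_pages(html):
    """Return {'privacy': href or None, 'terms': href or None}."""
    parser = LinkCollector()
    parser.feed(html)
    found = {kind: None for kind in POLICY_KEYWORDS}
    for href, text in parser.links:
        # A dead link ("#", empty, javascript:) is not a real policy page.
        if not href or href.startswith(("#", "javascript:")):
            continue
        haystack = (text + " " + href.replace("-", " ").replace("_", " ")).lower()
        for kind, words in POLICY_KEYWORDS.items():
            if found[kind] is None and any(w in haystack for w in words):
                found[kind] = href
    return found

def missing_policies(html):
    return sorted(kind for kind, href in policy_pages(html).items() if href is None)

# Constructed sample footers (not taken from any real web shop).
GOOD_SHOP = '<footer><a href="/privacy-policy">Privacy Policy</a> <a href="/legal/terms">Terms of Use</a></footer>'
SUSPICIOUS_SHOP = '<footer><a href="#">Privacy</a> <a href="/cart">Basket</a> <a href="/contact">Contact</a></footer>'
```

A non-empty result from `missing_policies` is a reason to look closer; an empty result only means the links exist, not that the pages say anything meaningful.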


Since the risk context is now built, it is now time to move on to how we address the threats related to web shopping, with an appropriate example of a suspicious web shop.