Word count: English 1729 words, 9402 characters; Chinese 3167 characters
Source: Kim J H, Cho W S, Lee J M, et al. Study on Security Risk and Its Countermeasures of O2O Service[C]//Platform Technology and Service (PlatCon), 2017 International Conference on. IEEE, 2017: 1-4

Original text:

Study on Security Risk and Its Countermeasures of O2O Service

Abstract: With advances in ICT and convergence technology, the latest trend in e-commerce is O2O. The O2O market is growing in scale, and well-known platform firms have started to invest in this industry. However, the security requirements for a safe O2O service have not been researched yet. In an O2O service, data flows from online to offline or from offline to online, so traditional online security countermeasures are not appropriate. For a good understanding of O2O security threats, the prerequisite is to figure out

Keywords: O2O service, Online and Offline, E-commerce, Security risk management

1. Introduction

Due to advances in ICT and convergence technology, O2O (Online to Offline) service is under the spotlight. O2O is a business platform that uses an online channel to attract customers to offline stores in the commercial industry. The operation flow of O2O is shown in Fig. 1.

Fig. 1 Operation flow of O2O

O2O business prevents consumers from choosing goods of bad quality by solving the asymmetric-information problem. It provides detailed information and consumer feedback about services online, so users can find a good service at low cost. If a service is unsatisfactory, they can participate by writing a review.

On the other hand, a shop can advertise, provide a vast selection, and attract customers through both its online and offline presence by means of the O2O platform.

While O2O provides these benefits and many enterprises begin to change their business model to O2O, it still suffers from an inherent weakness: the trust of the platform. In this paper, we classify O2O's security threats and propose countermeasures for a safe O2O mode.
2. Analysis of O2O Service Security

Fig. 2 explains the operation process of O2O and its security issues. As the name itself says, O2O has to check the security threats of both the online and the offline channel. We can classify the O2O service process into the Server level, the Network level and the User level. At the Server level, the server preserves stores' information and users' feedback. At the Network level, the platform delivers data to users. Finally, at the User level, the actual service happens offline.

Fig. 2 Division of Security Issues on O2O

For a traditional IT service it is enough to consider only online security threats. However, since an O2O service includes an offline channel, offline security threats such as phishing or pharming attacks can happen. In addition, new offline attacks are caused by confusion between the online and offline channels. We classify the channels as follows: Server-level and Network-level security threats are Online Threats, and Offline Threats include the User level and the Network level.

2.1. Online security threat

Table 1 is a classification of online attack scenarios. Known online threats are not much different from the security threats of common web sites and apps. They consist of server and network vulnerabilities such as SQL injection, XSS and network sniffing. The main difference is the effect. Generally, a hacker's target is root privilege or a customer's account, in order to affect the service's availability and demand payment. But in O2O, a customer's account includes information such as address and order log, so an attacker can harm or scare them

Table 1 Classification of Known Online Security Threats

When a consumer harbors malicious thoughts and manipulates the service price as in Fig. 3, if the platform does not detect the change in the packet, the platform processes the order and provides the service normally. This threat breaks the trust between consumer and store and causes financial damage to the store.

Fig. 3 Changing Price Data

Thus, the influence of an online security threat is doubled because its scale spans to offline.

2.2. Offline security threat

At the User level, the provision of the selected product or service, or the transaction, happens. There is already much research showing that an O2O service has to consider regional laws or regulations. In addition, O2O services such as Airbnb and Uber have many problems, such as the service being used for dealing drugs, sex and so on. Because of these things, offline regulation in O2O is one of the hot research topics. Similarly, the offline channel's security is also a very important issue for O2O.

If there exists any unallowable connection in the data flow process between online and offline, the service loses its credit, and a creditable service is the main issue of O2O business. If an unauthorized person could access the service response process, then no matter how the store reacts, that person could accept or deny the service and even learn the customer's private information.

Figure 4 explains the O2O MITM attack. The platform leaves a bridge between consumer and store in the original connection. But in O2O, there is no manual for distinguishing hackers from consumers or the platform, so a hacker can disguise himself easily. So O2O is weak against social-engineering hacking such as phishing. If a hacker sends a message or makes a call to a store that looks as though a deal is done, the store may provide the service for free. Or if a hacker makes a call claiming to be one of the proper users, then he could c

Fig. 4 O2O MITM Attack

In O2O, unauthorized access is easy due to its structural problems, so we have to make an effort at certification.

2.3. Privacy issue

The last part of the security threats is privacy issues. For a trusted trade, a shop makes its private information public online. The platform also needs massive UX about the store. For example, if we want a fully trusted O2O service, we can check the hosts' names, IDs, linked SNS information, consumers' reviews and so on. Ironically, the more trusted the trade the platform provides, the more information has to be uploaded to the platform, and the more private data a malicious user can collect. Fig. 5 shows a lodging service displaying a host's personal

Fig. 5 Host's Personal Information in O2O Service

This applies to the stores' view too. If an order is accepted, the host receives the customer's information. It involves contact number, destination address, order records and evaluations. So if a malicious attacker tries to collect data from the O2O platform, he could access even very private information. Fig. 6 shows a delivery store's customer's personal information.

Fig. 6 Customer's Private Information in O2O Service

3. Countermeasures of O2O Security Threat

As a security countermeasure, we should try to make security accident scenarios and responses to reduce business risk. Furthermore, many startups get into O2O service, but O2O's policies or techniques for security countermeasures are not enough, so we have to research countermeasures against O2O's security threats. From the classification in chapter 2, Table 3 shows the countermeasures for each security threat.
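As an added example that is not part of the paper, the following Python contrasts the handler behaviour behind Fig. 3 (section 2.1), where the platform trusts the price carried in the order packet, with the server-side check a secure implementation needs: recompute the total from the platform's own catalog and treat any disagreement as a tampering event to be logged. The catalog, the packet layout, the handler names and the sample orders are all assumptions constructed for this illustration.

```python
"""Server-side price validation for an O2O order endpoint.

Added example, not code from the paper: models the Fig. 3 threat, where a
consumer edits the price field of the order packet before it reaches the
platform. The catalog, the order format and the two handlers are assumptions
made for this illustration.
"""
from decimal import Decimal

# Constructed store catalog: the platform's own record of what each item costs.
CATALOG = {
    ("store-42", "bibimbap"): Decimal("9.00"),
    ("store-42", "kimchi-jjigae"): Decimal("8.50"),
}


class PriceTampering(Exception):
    """Raised when a client-supplied price disagrees with the catalog."""


def process_order_trusting_client(order):
    """Vulnerable handler: totals whatever price the packet carries.

    This is the behaviour the paper describes: the platform does not
    detect that the packet changed and progresses the order normally.
    """
    total = sum(Decimal(str(line["price"])) * line["qty"] for line in order["lines"])
    return {"store": order["store"], "total": total, "status": "accepted"}


def process_order_hardened(order):
    """Hardened handler: ignores client prices and recomputes from the catalog.

    A disagreement between the packet and the catalog is reported as a
    tampering event rather than silently corrected, so it can be logged
    and the consumer's account reviewed.
    """
    total = Decimal("0")
    mismatches = []
    for line in order["lines"]:
        key = (order["store"], line["item"])
        if key not in CATALOG:
            raise ValueError(f"unknown item {line['item']!r} for {order['store']}")
        if not isinstance(line["qty"], int) or line["qty"] <= 0:
            raise ValueError("quantity must be a positive integer")
        real_price = CATALOG[key]
        claimed = Decimal(str(line["price"]))
        if claimed != real_price:
            mismatches.append((line["item"], claimed, real_price))
        total += real_price * line["qty"]  # the catalog price, never the claimed one
    if mismatches:
        raise PriceTampering(mismatches)
    return {"store": order["store"], "total": total, "status": "accepted"}


# Constructed packets: an honest order and the same order after the price
# field has been edited in transit (the Fig. 3 scenario).
HONEST_ORDER = {"store": "store-42",
                "lines": [{"item": "bibimbap", "qty": 2, "price": "9.00"}]}
TAMPERED_ORDER = {"store": "store-42",
                  "lines": [{"item": "bibimbap", "qty": 2, "price": "0.01"}]}


def demo_price_check():
    """Returns (total the naive handler charges, what the hardened handler does)."""
    naive = process_order_trusting_client(TAMPERED_ORDER)
    try:
        process_order_hardened(TAMPERED_ORDER)
        hardened = "accepted"
    except PriceTampering as exc:
        hardened = f"rejected: {exc.args[0]}"
    return naive["total"], hardened


if __name__ == "__main__":
    print(demo_price_check())
```

Rejecting rather than silently repricing matters for detection: a quietly corrected order would hide the fact that a consumer account is sending manipulated packets, which is exactly the signal the platform wants to log and review.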
Table 3. Countermeasures of O2O Security Threat

3.1. Online Security Threat

Traditional IT services continuously improve and respond to online security threats. So O2O online security threats can be dealt with like traditional IT security threats. A firm has to use secure coding when making a new platform, test with a web security checklist, and do risk management to improve the security level of the existing platform. A firm has to monitor and improve its encryption algorithms to prevent network attacks.

3.2. Offline Security Threat

The platform needs to respond to traditional commercial security scenarios such as phishing or pharming attacks. The O2O MITM attack we introduced previously can be prevented by checking the source of messages, whether they really come from the platform or from users. After analyzing the attack scenarios of traditional commerce, the platform prepares guidelines, continuous training and monitoring to reduce the probability of external threats. Table 4 shows which data the O2O service collects in the recognition process. Generally a shop uses order in

Table 4 Collected Data of O2O Service in Recognition Process

3.3. Privacy Issues

The general solution to privacy issues is to terminate unnecessary data by collecting only essential data, or to make public only regular data types. But with the development of ICT technology, new certification methods are rising. The main process of O2O is that the consumer gains information online and brings it into real-world stores. Fig. 7 explains popular O2O marketing strategies: QR code and NFC.

Fig. 7 O2O marketing strategy: QR code, NFC

QR codes give the advantage of simplicity and greatly reduce privacy issues. Users do not have to expose their private information online. The famous O2O firm Kakao uses its QR code for communication. If a consumer wants to inquire about a service with a host, he just scans the host's QR code and communicates with him. Through this communication, the consumer can withhold information such as phone number, address etc. Also, related to the issues in 3.2 Offline security threat, a QR code could turn certification id

4. Conclusions

Starting from traditional commercial service, O2O includes an online channel and becomes a platform that connects customers and hosts online. So O2O business covers both online and offline security threats. Currently, O2O is treated as a best-practice business model of e-commerce service. Though the transaction size of O2O business has increased annually, research about O2O business risk and security threats is insufficient. In this paper, we have shown that O2O includes both online and offline secur

Chinese translation (rendered into English):

Study on Security Risk and Its Countermeasures of O2O Service

Abstract: With the development of information and communication technology and convergence technology, the latest trend in e-commerce is O2O. The scale of the O2O market keeps expanding, and well-known platform companies have begun to invest in this industry. However, the security requirements for a safe O2O service have not yet been researched. In an O2O service, data flows from online to offline or from offline to online, so traditional online security countermeasures are not appropriate. To better understand O2O security threats, the prerequisite is to understand traditional IT security and commercial security. This paper studies the new security risks of O2O and their countermeasures.

Keywords: O2O service, online and offline, e-commerce, security risk management

1. Introduction

Due to advances in information and communication technology and convergence technology, O2O (Online to Offline) service has attracted attention. O2O is a business platform that uses online channels to attract customers to offline stores in the commercial industry. The operation flow of O2O is shown in Fig. 1.

Fig. 1 O2O operation flow

O2O business prevents consumers from choosing poor-quality goods by solving the problem of asymmetric information. It provides detailed information and consumer feedback about services online, so users can find good services at low cost. If a service is unsatisfactory, they can participate by writing a review.

On the other hand, a store can advertise, offer a wide selection, and attract customers both online and offline through the online O2O platform.

Although O2O provides these benefits and many enterprises have begun to change their business model to O2O, it still has an inherent weakness: the trustworthiness of the platform. In this paper, we classify O2O security threats and propose countermeasures for a secure O2O model.

2. Analysis of O2O service security

Fig. 2 illustrates the operation process of O2O and its security problems. As its name suggests, O2O must check the security threats of both online and offline channels. We can classify the O2O service process into the server level, the network level and the user level. At the server level, the server keeps store information and user feedback. At the network level, the platform sends data to users. Finally, at the user level, the actual service takes place offline.

Fig. 2 Classification of O2O security issues

Traditional IT services only need to consider online security threats. But O2O services include offline channels, so offline security threats such as phishing or network attacks may occur. Moreover, confusion between online and offline channels also creates new offline attacks. I divide the channels into online threats, namely server-level and network-level security threats, and offline threats, which include the user level and the network level.

2.1. Online security threats

Table 1 classifies online attack scenarios. Known online threats are not very different from the security threats of common web sites and applications. They consist of server and network vulnerabilities such as SQL injection, XSS and network sniffing. But the main difference is the consequence. In general, a hacker's target is root privilege or a customer account, in order to affect the availability of the service and demand payment. But in O2O, a customer account contains information such as address and order log, so an attacker can harm or frighten customers offline. And if the server is attacked and the service becomes unavailable, then not only the platform but also customers and stores may be attacked. Stores' sales are carried out on the platform, and a hacker can stop their business or change their prices.

Table 1 Classification of known online security threats

When a consumer harbors malicious intent and manipulates the service price, as shown in Fig. 3, if the platform does not detect the change in the packet, the platform continues to place the order and provides the service normally. This threat breaks the trust between consumers and stores and causes financial loss.

Fig. 3 Change of price data

Therefore, the impact of online security threats is doubled, because their scale can extend offline.

2.2. Offline security threats

At the user level, the provision or transaction of the selected product or service occurs. Much research already holds that O2O services must consider regional laws or regulations. In addition, O2O services such as Airbnb and Uber have many problems, such as drugs, sex and so on being offered as service content. Because of these things, offline regulation in O2O is one of the hot research topics. Likewise, the security of the offline channel is also an important issue for O2O.

If there is any illegal connection in the data flow between online and offline, the service loses its credibility, and trustworthy service is the main concern of O2O enterprises. If an unauthorized person can access the service response process, then regardless of how the store reacts, we could accept or deny the service and even learn the customer's private information.

Fig. 4 illustrates the MITM attack on O2O. The platform builds a bridge between consumer and store within the original connection. But in O2O, there is no method or guide to distinguish a hacker from a consumer or the platform, so a hacker can easily disguise himself. Therefore O2O is weak against social-engineering hacking such as phishing. If a hacker sends a message or makes a phone call to a store making it appear that the deal has been completed, the store may provide the service for free. Or if a hacker calls a user as if he were one of the legitimate users, he can then change or cancel the original order.

Fig. 4 MITM attack on O2O

In O2O, unauthorized access is very easy because of its structural problems, so we must do our best to perform authentication.

2.3. Privacy issues

The last part of the security threats is privacy issues. For trustworthy transactions, stores publish their private information online. The platform also needs a large amount of user experience about stores. For example, if we want a fully trusted O2O service, we can check the host's name, ID, linked SNS information, consumer reviews and so on. Ironically, the more trustworthy the trading platform, the more information is uploaded to the platform, and the more private data malicious users can collect. Fig. 5 shows a lodging service exposing the host's personal information.

Fig. 5 Host's personal information in an O2O service

This also applies to the store's page. If an order is accepted, the host receives the customer's information. It involves contact number, destination address, order records and evaluations. So if a malicious attacker tries to collect data from the O2O platform, he can access even very private information. Fig. 6 shows the personal information of a delivery store's customer.

Fig. 6 Customer's private information in an O2O service

3. Countermeasures against O2O security threats

To reduce business risk, we should try to formulate security incident scenarios and response measures as security countermeasures. In addition, many startups enter O2O services, but O2O's means or techniques for security countermeasures are not sufficient, so we must research countermeasures against O2O security threats. Based on the classification in the table in Chapter 2, Table 3 shows the countermeasure for each security threat.

Table 3 Countermeasures against O2O security threats

3.1. Online security threats

Traditional IT services continuously improve and respond to online security threats. So O2O online security threats can be handled like traditional IT security threats. Companies must ensure secure coding when writing a new platform, test it with a web security checklist, and carry out risk management to raise the security level of the existing platform. Companies must monitor and improve encryption algorithms to prevent network attacks.

3.2. Offline security threats

The platform needs to formulate traditional commercial security scenarios, such as phishing or spoofing attacks. By checking whether the source of a message is the platform or a user, the O2O MITM attack introduced earlier can be blocked. Having analyzed traditional commercial attack situations, the platform prepares guidelines, continuous training and monitoring to reduce the probability of external threats. Table 4 shows the O2O service data collected in the recognition process. Generally, a store uses the order information and one item of the reservation information to prove that a user is the correct user. But in O2O, the order information is published online, and only the reservation information is used for authentication. Finally, unauthorized-access verification is carried out to prevent unpredictable attack scenarios. Otherwise, the platform can only connect with web pages, so the threat can be shifted from offline to online.

Table 4 O2O service data collected in the recognition process

3.3. Privacy issues

The general solution to privacy issues is to eliminate unnecessary data by collecting only essential data or by publishing only regular data types. But with the development of information and communication technology, new forms of authentication are emerging. The main process of O2O is that consumers obtain information online and bring it into real-world stores. Fig. 7 explains popular O2O marketing strategies: QR codes and NFC.

Fig. 7 O2O marketing strategies: QR code and NFC applications

QR codes have the advantage of simplicity and reduce many privacy issues. Users do not have to expose their private information online. The well-known O2O company Kakao uses its QR code for communication. If a consumer wants to ask a host about a service, he simply scans the host's QR code and communicates with him. Through this kind of communication, consumers can withhold their information, such as phone number and address. In addition, with regard to the offline security threats of 3.2, QR codes can shift the idea of authentication from verifying the user to verifying the order. The host only needs to scan the QR code to provide the service.

4. Conclusions

Starting from traditional commercial services, O2O adds an online channel and becomes a platform that connects customers and hosts online. So O2O business covers both online and offline security threats. Currently, O2O is regarded as a best-practice business model for e-commerce services. Although the transaction scale of O2O business increases every year, research on O2O business risks and security threats is insufficient. In this paper, we have shown that O2O includes both online and offline security threats as well as privacy issues. Therefore, traditional online countermeasures are not appropriate, and this paper introduces advanced countermeasures for O2O service providers. Potential threats will emerge and
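The countermeasure of section 3.2 (check that a message really comes from the platform) and the QR-code idea of section 3.3 (the host verifies the order rather than the user) can be realised with one mechanism: an order token signed by the platform, which the consumer's phone shows as a QR code and the store's terminal verifies. The Python below is an added example and is not code from the paper or from any O2O platform; the token layout, the per-store HMAC key in STORE_KEYS, the helper names and the sample order ids are assumptions constructed for this illustration.

```python
"""Platform-signed order tokens for O2O hand-off.

Added example, not code from the paper: implements the 3.2 countermeasure
(verify the source of a message) and the 3.3 QR-code idea (verify the order,
not the user). Token format, per-store keys and names are assumptions; a real
platform would keep keys in a secret store and render the token with a QR library.
"""
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed per-store secret shared between the platform and the store's
# terminal at onboarding (delivered out of band, never carried in the QR code).
STORE_KEYS = {"store-42": b"constructed-secret-for-store-42"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_order_token(store_id, order_id, ttl_seconds=900, now=None):
    """Platform side: sign only the facts the store needs in order to deliver.

    The payload carries no customer phone number or address, which is the
    privacy benefit the paper attributes to QR-code hand-off.
    """
    now = time.time() if now is None else now
    payload = {"store": store_id, "order": order_id,
               "iat": int(now), "exp": int(now + ttl_seconds)}
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(STORE_KEYS[store_id], body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


class StoreTerminal:
    """Store side: accept a scanned token only if it is genuine, fresh and unused."""

    def __init__(self, store_id):
        self.store_id = store_id
        self.redeemed = set()  # order ids already served; blocks replay of a token

    def verify(self, token, now=None):
        now = time.time() if now is None else now
        try:
            body_b64, tag_b64 = token.split(".")
            body, tag = _unb64(body_b64), _unb64(tag_b64)
        except (ValueError, binascii.Error):
            return (False, "malformed")
        expected = hmac.new(STORE_KEYS[self.store_id], body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return (False, "bad signature")  # message did not come from the platform
        payload = json.loads(body)  # safe to parse: the platform signed this body
        if payload["store"] != self.store_id:
            return (False, "token for another store")  # defence in depth
        if now > payload["exp"]:
            return (False, "expired")
        if payload["order"] in self.redeemed:
            return (False, "already redeemed")
        self.redeemed.add(payload["order"])
        return (True, payload["order"])


def demo_order_tokens():
    """Runs the Fig. 4 'deal is done' forgery, a replay and an expired token."""
    now = 1_700_000_000  # fixed clock so the run is reproducible
    terminal = StoreTerminal("store-42")
    genuine = issue_order_token("store-42", "ord-1001", now=now)
    short_lived = issue_order_token("store-42", "ord-1002", ttl_seconds=60, now=now)
    # Constructed forgery: a plausible payload with an attacker-made tag.
    fake_body = json.dumps({"store": "store-42", "order": "ord-9999",
                            "iat": now, "exp": now + 900},
                           sort_keys=True, separators=(",", ":")).encode()
    forged = _b64(fake_body) + "." + _b64(b"\x00" * 32)
    return {
        "genuine": terminal.verify(genuine, now=now + 60),
        "replay": terminal.verify(genuine, now=now + 120),
        "forged": terminal.verify(forged, now=now + 60),
        "expired": terminal.verify(short_lived, now=now + 61),
    }


if __name__ == "__main__":
    for name, result in demo_order_tokens().items():
        print(f"{name}: {result}")
```

The store terminal never needs the customer's phone number or address to confirm the order, and a call or message that merely claims a deal is done carries no valid tag, so the Fig. 4 scenario fails at the signature check. Keys are per store, so a compromised terminal cannot forge tokens for other stores, and the redeemed set turns a scanned token into a single-use credential.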