06 - E-commerceSecurityand PaymentSystems

E-commerce 2014
business. technology. society.

tenth edition
Kenneth C. Laudon
Carol Guercio Traver
Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

Chapter 5
E-commerce Security and
Payment Systems
Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

Class Discussion
Cyberwar: MAD 2.0

n What is the difference between hacking and
cyberwar?
n Why has cyberwar become more potentially
devastating in the past decade?
n Why has Google been the target of so many
cyberattacks?
n Is it possible to find a political solution to
MAD 2.0?
Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall Slide 5-3
The E-commerce Security Environment
Figure 5.1, Page 252
Dimensions of E-commerce Security
n Integrity ensures that info sent and received has not
been altered by unauthorized party
n Nonrepudiation ability to ensure that participants do
not deny (repudiate) their online actions
n Authenticity ability to identify the person’s identity
with whom you are dealing with over the internet
n Confidentiality authorized to be seen by those who
should view it
n Privacy ability to control who sees your info
n Availability e-commerce site functions as intended
Table 5.3, Page 254
The Tension Between Security and Other Values
n Ease of use
v The more security measures added, the more
difficult a site is to use, and the slower it
becomes
v Security costs money and too much of it can
reduce profitability
n Public safety and criminal uses of the
Internet
v Use of technology by criminals to plan crimes or
threaten nation-state
Security Threats in E-commerce Environment
n Three key points of vulnerability in
e-commerce environment:
1. Client
2. Server
3. Communications pipeline (Internet

communications channels)
A Typical E-commerce Transaction
Vulnerable Points in an E-commerce
Transaction
Most Common Security Threats in the
E-commerce Environment
n Malicious code (malware, exploits)
v Drive-by downloads malware that comes with a
downloaded file the user intentionally or
unintentionally request
v Viruses
v Worms spread from computer to comp without human
intervention
v Ransomware (scareware) used to solicit money from
users by locking up your browser or files and displaying
fake notices from FBI or IRS etc
v Trojan horses appear benign but is a way to introduce
viruses into a computer system
v Threats at both client and server levels Slide 5-11
Most Common Security Threats in the
E-commerce Environment
n Malicious code (malware, exploits)
v Backdoors introduce viruses, worms, etc. that allow an
attacker to remotely access a computer
v Botnets are a collection of captured bot computers or
zombies used to send spam, DDoS attacks, steal
information from computers, and store network traffic
for later analysis.
v Bots, as in robots, are malicious code that can be
covertly installed on a computer when connected to the
internet. Once installed, they respond to external
commands from the attacker
Most Common Security Threats (cont.)
n Potentially unwanted programs (PUPs)
v Example Vista antispyware 2013 infects computers running Vista
v Browser parasites changes your computer settings
v Adware displays calls for pop-up ads when you visit sites
v Spyware may be used to obtain information such as keystrokes,
email, IM etc.
n Phishing
v Social engineering relies on human curiosity, greed, and gullibility
to trick users into taking action that results into downloading
malware
v E-mail scams
v Spear-phishing spear phishing messages appear to come from a
trusted source
v Identity fraud/theft
n Hacking
v Hackers gain unauthorized access
n White hat role is to help identify and fix
vulnerabilities
n Black hat intent on causing hard
n Grey hat breaks in to expose flaws and report them
without disrupting the company. They may even try
to profit from the event
v Crackers have criminal intent
v Hacktivist are politically motivated (Green Peace)
n Cybervandalism:
v Disrupting, defacing, destroying Web site
n Data breach
v Losing control over corporate information to
outsiders
Insight on Business: Class Discussion
We Are Legion
n What organization and technical failures
led to the data breach on the
PlayStation Network?
n Are there any positive social benefits of
hacktivism?
n Have you or anyone you know
experienced data breaches or
cybervandalism?
n Credit card fraud/theft
n Spoofing involves attempting to hide a true identity
by using someone else’s email or IP address
n Pharming automatically directing a web link to a fake
address
n Spam (junk) Web sites (link farms) promise to offer
products but are just full of ads
n Identity fraud/theft involves unauthorized/illegal
use of another person’s data
n Denial of service (DoS) attack Hackers flood site with
useless traffic to overwhelm network
n Denial of service (DoS) attack Hackers flood site with
useless traffic to overwhelm network
n Distributed denial of service (DDoS) attack uses
numerous computers to launch attacks on sites or
computers systems. The attack comes from several
locations
n Sniffing, a sniffer is a type of eavesdropping program
that monitors information traveling over a network
n Insider attacks caused by employees
n Poorly designed server and client software leads to SQL
injection attacks by taking advantage of poorly coded
applications that fails to validate data entered by web users
n Zero-Day vulnerability software vulnerability that is reported
or unreported but no current fix exists
n Social network security issues like forgetting to log out,
connecting with strangers, exposing too much information
n Mobile platform security issues
v Vishing works like phishing but does not always occur
over the Internet and is carried out using voice
technology. A vishing attack can be conducted by voice
email, VoIP (voice over IP), or landline or cellular
telephone.
v Smishing exploits SMS/text messages that may contain
links and other personal info that may be exploited
v Madware is innocent looking apps containing adware
that launches pop-up ads and text messages on you
mobile device (mobile + adware = madware)
n Cloud security issues example, DDoS attacks threaten the
availability and viability of cloud services
Insight on Technology: Class Discussion
Think Your Smartphone Is Secure?

n What types of threats do smartphones face?
n Are there any particular vulnerabilities to this
type of device?
n Are apps more or less likely to be subject to
threats than traditional PC software
programs?
Technology Solutions
n Protecting Internet communications
v Encryption altering plain text so that it cannot be read
by anyone other than the sender & receiver
v It provides security for 4 of 6 security dimensions
n Integrity by ensuring the messages has not been
tampered with
n Nonrepudiation by preventing users from denying
they sent the message
n Authentication by verifying the person’s identity or
computer sending the message
n Confidentiality by ensuring the message was not
read by others
Types of Encryption
n Cipher is disguised way of writing; a code where
letters of the message are replaced systematically by
another letter
n Transportation cipher ordering the letters in some
systematic way e.g., reverse order, or 2 letters ahead
n Symmetric key both sender and receiver use the
same key to encrypt and decrypt the message. The
key is sent over a secure line or exchanged in person
n Data Encryption Stds developed by IBM and NSA;
now we have 128, 192, and 256 bit encryption
v Google coming out with 2048 bit keys
Symmetric Key Encryption
n Sender and receiver use same digital key to encrypt and
decrypt message
v Requires sophisticated mechanisms to securely
distribute the secret-key to both parties
n Requires different set of keys for each transaction
n Strength of encryption
v Length of binary key used to encrypt data
n Data Encryption Standard (DES)
n Advanced Encryption Standard (AES)
v Most widely used symmetric key encryption
v Uses 128, 192, and 256-bit encryption keys
n Other standards use keys with up to 2,048 bits
Common ways of Sending of Keys
n The establishment of symmetric keys can be performed in
several ways:
n Authenticated Key Agreement (KA) is the ability to construct a key, agree
on it, and then validate it.
n Sending of an (authenticated) encrypted key, also known as key wrapping
n Derivation from a base key using a Key Derivation Function (KDF), using
other data as input, for instance a unique number. If derivation is used
for multiple devices it is often called key diversification.
n Ways to send or exchange keys,
v by a previous telephone call
v sending a letter
v meeting in a pub (handing over a USB stick or other data carrier)
n Creating a key from key parts held by different persons
Public Key Encryption using Digital Signatures
and Hash Digests
n Hash function is any function that can be used to map
data of arbitrary size to data of fixed size. The values
returned by a hash function are called hash values, hash
codes, digests, or simply hashes. The output is often
shorter than the input.
n Hash digest of message is sent to recipient along with a
message to verify integrity
n Hash digest and message encrypted with recipient’s
public key
n Example of hash algorithm: http://www.metamorphosite.com/one-way-
hash-encryption-sha1-data-software
Public Key Encryption using Digital Signatures
and Hash Digests
n Entire cipher text is then encrypted with
recipient’s private key — creating digital
signature — for authenticity, nonrepudiation
n digital signature is a type of electronic
signature that encrypts documents with
digital codes that are particularly difficult to
duplicate
n Example of WEP generator:
http://www.andrewscompanies.com/tools/wep.asp
Hashing
n Possible two different hash functions generate identical
hash values but extremely unlikely
For example, in Java, the hash code is a 32-bit integer.
Types of Encryption
n Public Key there are two mathematically related keys,
a public key and private key. Private key kept secretly
by owner and public key disseminated to the public.
Both keys are used to encrypt and decrypt the
message. Once the keys are used, they can no longer
be used to unencrypt the message. They are one-way
irreversible functions.
n Hash function creates a fixed length number that
replaces the original message, then the hash is used to
recreate the message on the recipient side (fig 5.7)
n Digital signature is a signed cipher text sent over the
internet
Types of Encryption
n Digital envelope uses symmetric encryption for large
docs
n Digital certificate (DC) issues by trusted 3rd party
known as certification authority that contains (the
subject name, public key, digital cert serial #, exp date,
issuance date and digital signature)
v There are various types of certs (personal, institutional, web server,
software publ, and Certificate Authority (CA))
v Verisign, post office, Fed Reserve issue certs
n Key infrastructure (PKI) when you sign into a secure
site you see the “s” or the lock which means the site
has a digital certificate issued by a CA
n Securing channels of communication
v Secure Socket Layer; a secure negotiated
session is a client server session in which the
URL of the requested doc, its contents, and
cookies are encrypted through a series of
communication handshakes between
computers. A unique symmetric encryption
session key is chosen for each session
v VPNs allow computers to securely communicate
via tunneling by adding invisible encrypted
wrappers around messages to hide their
contents
Slide 5-31
n Protecting networks
v Firewalls are hard/software that filters comm
packets and prevent unauthorized access
v They filter traffic based on packets, IP address,
type of service http, www, domain name etc
v 2 Ways to validate traffic
n Packet filters examine whether they are destined for
a prohibited port or originate from one
n App gateway filters traffic based on the app being
requested
n Proxy servers are software servers that
handle comm by acting as a spokesperson and
body guard for the organization. To local
computers, proxy servers are known as a
gateway, but to external servers known as
mail server. Proxy servers sit betw users and
back end systems. They may be used to
restrict access by employees.
vProtecting networks
Slide 5-33
vProtecting networks
n Intrusion detection systems IDS monitor
traffic looking for patterns or preconfigured
rules that may indicate an attack
n IPS (prevention) prevents attacks by taking
action to block the attack
Tools Available to Achieve Site Security
Public Key Cryptography: A Simple Case
Public Key Cryptography with Digital
Signatures
Creating a Digital Envelope
Digital Certificates and Certification
Authorities
Limits to Encryption Solutions
n Doesn’t protect storage of private key
v PKI not effective against insiders, employees
v Protection of private keys by individuals may be
haphazard
n No guarantee that verifying computer of
merchant is secure
n CAs are unregulated, self-selecting
organizations
Secure Negotiated Sessions Using SSL/TLS
Firewalls and Proxy Servers
Protecting Servers and Clients
n Operating system security
enhancements
v Upgrades, patches
n Anti-virus software
v Easiest and least expensive way to prevent
threats to system integrity
v Requires daily updates
Management Policies, Business
Procedures, and Public Laws
n Worldwide, companies spend more
than $65 billion on security hardware,
software, services
n Managing risk includes:
v Technology
v Effective management policies
v Public laws and active enforcement
A Security Plan: Management Policies
n Risk assessment
n Security policy
n Implementation plan
v Security organization
v Access controls
v Authentication procedures, including biometrics
v Authorization policies, authorization management
systems
n Security audit provides ability to audit access
logs for security breaches and unauthorized
use
Developing an E-commerce Security Plan
The Role of Laws and Public Policy
n Laws that give authorities tools for identifying,
tracing, prosecuting cybercriminals:
v National Information Infrastructure Protection Act of 1996
v USA Patriot Act
v Homeland Security Act
n Private and private-public cooperation
v Community Emergency Response Team (CERT) Coordination
Center
v US-Computer Emergency Response Team (US-CERT)
n Government policies and controls on encryption
software
v OECD, G7/G8, Council of Europe, Wassener Arrangement
Types of Payment Systems
n Cash
v Most common form of payment
v Instantly convertible into other forms of value
v No float
n Checking transfer
v Second most common payment form in United States
n Credit card
v Credit card associations (VISA, Mastercard)
v Issuing banks
v Processing centers are clearing houses.
Types of Payment Systems (cont.)
n Stored value
v Funds deposited into account, from which funds
are paid out or withdrawn as needed (PayPal)
v Debit cards, gift certificates
v Peer-to-peer payment systems (PayPal)
n Accumulating balance
v Accounts that accumulate expenditures and to
which consumers make period payments
v Utility, phone, American Express accounts
Payment System Stakeholders
n Consumers
v Low-risk, low-cost, refutable, convenience, reliability
n Merchants
v Low-risk, low-cost, irrefutable, secure, reliable
n Financial intermediaries
v Secure, low-risk, maximizing profit
n Government regulators
v Security, trust, protecting participants and enforcing
reporting
E-commerce Payment Systems
n Credit cards
v 42% of online payments in 2013 (United States)
n Debit cards
v 29% online payments in 2013 (United States)
n Limitations of online credit card

payment
v Security, merchant risk
v Cost
v Social equity
How an Online Credit Transaction Works
Alternative Online Payment Systems
n Online stored value systems:
v Based on value stored in a consumer’s bank,
checking, or credit card account
v Example: PayPal
n Other alternatives:
v Amazon Payments
v Google Checkout
v Bill Me Later
v WUPay, Dwolla, Stripe
Mobile Payment Systems
n Use of mobile phones as payment devices
established in Europe, Japan, South Korea
n Near field communication (NFC)
v Short-range (2”) wireless for sharing data between
devices
n Expanding in United States
v Google Wallet
n Mobile app designed to work with NFC chips
v PayPal
v Square
Digital Cash and Virtual Currencies
n Digital cash
v Based on algorithm that generates unique
tokens that can be used in “real” world
v Example: Bitcoin
n Virtual currencies
v Circulate within internal virtual world
v Example: Linden Dollars in the virtual world
called Second Life, Facebook Credits
Insight on Society: Class Discussion
Bitcoin
n What are some of the benefits of using a
digital currency?
n What are the risks involved to the user?
n What are the political and economic
repercussions of a digital currency?
n Have you or anyone you know ever used
Bitcoin?
Electronic Billing Presentment and
Payment (EBPP)
n Online payment systems for monthly bills
n 50% of all bill payments
n Two competing EBPP business models:
v Biller-direct (dominant model)
v Consolidator or 3rd party like your bank
n Both models are supported by EBPP

infrastructure providers

06 - E-commerceSecurityand PaymentSystems

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

06 - E-commerceSecurityand PaymentSystems

Uploaded by

Copyright:

Available Formats

E-commerce 2014

business. technology. society.

Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

Cyberwar: MAD 2.0

Figure 5.1, Page 252

3. Communications pipeline (Internet

Figure 5.2, Page 256

Figure 5.3, Page 257

Think Your Smartphone Is Secure?

For example, in Java, the hash code is a 32-bit integer.

Figure 5.5, Page 276

Figure 5.6, Page 279

Figure 5.7, Page 281

Figure 5.8, Page 282

Figure 5.9, Page 283

Figure 5.10, Page 286

Figure 5.11, Page 289

Figure 5.12, Page 291

n Limitations of online credit card

Figure 5.15, Page 302

n Both models are supported by EBPP

You might also like