Document Sample
Slide 5-1: Chapter 5, Online Security and Payment Systems
Copyright © 2007 Pearson Education, Inc.

The E-commerce Security Environment: The Scope of the Problem
    Overall size of cybercrime unclear; amount of losses significant but stable; individuals face new risks of fraud
    FBI’s Internet Crime Complaint Centre (IC3):
        Processed 200,000+ Internet crime complaints (2006)
        Top 5 categories:
            Auction fraud – 45%
            Non-delivery – 19%
            Cheque fraud – 5%
            Credit/debit card fraud – 5%
            Computer fraud – 3%

The E-commerce Security Environment

Slide 5-4: Dimensions of EC Security
    Integrity
        Info. displayed/transmitted has not been altered in any way
    Non-repudiation
        EC participants do not deny their online actions
    Authenticity
        Able to identify the identity of the person/entity that you are dealing with
    Confidentiality
        Data available to those who are authorized
    Privacy
        Able to control the use of info. about oneself
    Availability
        EC site continues to function as intended

Security Threats in the E-commerce
    Three key points of vulnerability:
        Client
        Server
        Communications channel

Slide 5-7: A Typical E-commerce Transaction
    SOURCE: Boncella, 2000.

Slide 5-8: Vulnerable Points in an EC Environment
    SOURCE: Boncella, 2000.

Slide 5-9: Most Common Security Threats in the E-commerce Environment
    Malicious code (viruses, worms, Trojans)
    Unwanted programs (spyware, browser parasites)
    Phishing/identity theft
    Hacking and cybervandalism
    Credit card fraud/theft
    Spoofing (pharming)/spam (junk) Web sites
    DoS and DDoS attacks
    Sniffing
    Insider attacks
    Poorly designed server and client software

Slide 5-10: Malicious Code
    Viruses: Have ability to replicate and spread to other files; most also deliver a “payload” of some sort (destructive or benign); include macro viruses, file-infecting viruses, and script viruses
    Worms: Designed to spread from computer to computer
    Trojan horse: Appears to be benign, but then does something other than expected
    Bots: Can be covertly installed on computer; responds to external commands sent by the attacker

Slide 5-11: Unwanted Programs
    Installed without the user’s informed consent
        Browser parasites: Can monitor and change settings of a user’s browser
        Adware: Calls for unwanted pop-up ads
        Spyware: Can be used to obtain information, such as a user’s keystrokes, e-mail, IMs, etc.

Slide 5-12: Phishing and Identity Theft
    Phishing: Setting up fake Web sites or sending e-mail messages that look like legitimate businesses to ask users for confidential personal data.
    Identity theft: Theft of personal information (social security id, driver’s license or credit card numbers) to impersonate someone else
    Any deceptive, online attempt by a third party to obtain confidential information for financial gain
        Most popular type: e-mail scam letter
        One of fastest growing forms of e-commerce crime

Slide 5-14: Hacking and Cybervandalism
    Hacker: Individual who intends to gain unauthorized access to computer systems
    Cracker: Hacker with criminal intent (two terms often used interchangeably)
    Cyber-vandalism: Intentionally disrupting, defacing or destroying a Web site
    Types of hackers include:
        White hats
        Black hats
        Grey hats

Slide 5-15: Credit Card Fraud
    Fear that credit card information will be stolen deters online purchases
    Hackers target credit card files and other customer information files on merchant servers; use stolen data to establish credit under false identity
    One solution: New identity verification mechanisms

Slide 5-16: Spoofing (Pharming) and Spam (Junk) Web Sites
    Spoofing (Pharming)
        Misrepresenting oneself by using fake e-mail addresses or masquerading as someone else
        Threatens integrity of site; authenticity
        Redirecting Web link to address different from intended one, with site masquerading as intended destination
    Spam (Junk) Web sites
        Use domain names similar to legitimate one, redirect traffic to spammer-redirection domains

Spoofing

Slide 5-18: DoS and DDoS Attacks
    Denial of service (DoS) attack
        Hackers flood Web site with useless traffic to inundate and overwhelm network
    Distributed denial of service (DDoS) attack
        Hackers use numerous computers to attack target network from numerous launch points

Slide 5-20: Other Security Threats
    Sniffing: Type of eavesdropping program that monitors information traveling over a network; enables hackers to steal proprietary information from anywhere on a network
    Insider jobs: Single largest financial threat
    Poorly designed server and client software: Increase in complexity of software programs has contributed to increase in vulnerabilities that hackers can exploit

Slide 5-21: Technology Solutions
    Protecting Internet communications
    Securing channels of communication (SSL, S-HTTP, VPNs)
    Protecting networks (firewalls)
    Protecting servers and clients

Slide 5-22: Tools Available to Achieve Site Security
    Figure 5.9, Page 279

Slide 5-23: Protecting Internet Communications: Encryption
    Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone other than the sender and receiver
    Purpose: Secure stored information and information transmission
    Provides:
        Message integrity
        Nonrepudiation
        Authentication
        Confidentiality

Slide 5-24: Symmetric Key Encryption
    Also known as secret key encryption
    Both the sender and receiver use the same digital key to encrypt and decrypt message
    Requires a different set of keys for each transaction
    Advanced Encryption Standard (AES): Most widely used symmetric key encryption today; offers 128-, 192-, and 256-bit encryption keys; other standards use keys with up to 2,048 bits

Slide 5-25: Public Key Encryption
    Solves symmetric key encryption problem of having to exchange secret key
    Uses two mathematically related digital keys – public key (widely disseminated) and private key (kept secret by owner)
    Both keys used to encrypt and decrypt message
    Once key used to encrypt message, same key cannot be used to decrypt message
    For example, sender uses recipient’s public key to encrypt message; recipient uses his/her private key to decrypt it

Slide 5-26: Public Key Cryptography – A Simple Case

Slide 5-27: Public Key Cryptography with Digital

Slide 5-28: Digital Envelopes
    Addresses weaknesses of public key encryption (computationally slow, decreases transmission speed, increases processing time) and symmetric key encryption (faster, but more secure)
    Uses symmetric key encryption to encrypt document but public key encryption to encrypt and send symmetric key
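The digital envelope slide describes a procedure: a symmetric key encrypts the document, and the recipient's public key encrypts only that symmetric key. The Go program below is an added example written for this page, not code from the textbook; it carries the procedure out with AES-256-GCM for the document and RSA-OAEP for the key, then checks the two properties the public key slide states: only the matching private key can open the envelope, and alteration in transit is detected. The type and function names (Envelope, Seal, Open, Demo) and the sample order line are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is what the sender transmits (field names are this example's own).
type Envelope struct {
	WrappedKey []byte // one-time symmetric key, encrypted with the recipient's RSA public key
	Nonce      []byte // AES-GCM nonce, fresh for every message
	Ciphertext []byte // document encrypted under the symmetric key, GCM tag appended
}

// aead builds the AES-256-GCM cipher used for the document itself.
func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the sender side: a fresh symmetric key per transaction encrypts the document; the slow public-key operation covers only that short key.
func Seal(recipient *rsa.PublicKey, document []byte) (*Envelope, error) {
	key := make([]byte, 32) // 256-bit AES key, never reused
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := aead(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, document, nil)
	// RSA-OAEP with the recipient's public key: only the matching private key can undo this.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Open is the recipient side: unwrap the symmetric key with the private key, then decrypt; GCM rejects any ciphertext altered in transit.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap symmetric key: %w", err)
	}
	gcm, err := aead(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// Demo seals a constructed order and checks: the recipient recovers it, a different private key cannot, and a flipped ciphertext bit is detected.
func Demo() (recovered, strangerRefused, tamperDetected bool, err error) {
	recipient, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	stranger, err := rsa.GenerateKey(rand.Reader, 2048) // some other key holder
	if err != nil {
		return
	}
	order := []byte("order=1001 card=XXXX-XXXX-XXXX-1234 amount=49.95") // constructed sample document
	env, err := Seal(&recipient.PublicKey, order)
	if err != nil {
		return
	}
	plain, err := Open(recipient, env)
	if err != nil {
		return
	}
	recovered = string(plain) == string(order)
	_, openErr := Open(stranger, env) // wrong private key: OAEP unwrap fails
	strangerRefused = openErr != nil
	env.Ciphertext[0] ^= 0x01 // simulate tampering on the channel
	_, tamperErr := Open(recipient, env)
	tamperDetected = tamperErr != nil
	return
}

func main() {
	fmt.Println(Demo())
}
```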

Slide 5-29: Public Key Cryptography: Creating a Digital Envelope
    Figure 5.12, Page 286

Slide 5-30: Digital Certificates and Public Key Infrastructure (PKI)
    Digital certificate includes:
        Name of subject/company
        Subject’s public key
        Digital certificate serial number
        Expiration date
        Issuance date
        Digital signature of certification authority (trusted third party institution) that issues certificate
        Other identifying information
    Public Key Infrastructure (PKI): refers to the CAs and digital certificate procedures that are accepted by all parties

Slide 5-32: Limits to Encryption Solutions
    PKI applies mainly to protecting messages in
    PKI is not effective against insiders
    Protection of private keys by individuals may be
    No guarantee that verifying computer of merchant is secure
    CAs are unregulated, self-selecting organizations
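The certificate slide lists the fields a digital certificate carries, and the limits slide adds that CAs are self-selecting: a certificate is only as meaningful as the CA the client chooses to trust. The Go program below is an added example written for this page, not the textbook's code. It issues a CA certificate and a merchant certificate with those fields, then verifies the merchant certificate the way a client does: against the CA it trusts, against a second CA it does not trust, after the expiration date, and for a different host name. The names issue, verify, Outcome and Demo, the two CA names, shop.example and the 2007 clock are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var nextSerial int64 = 1000 // certificate serial numbers, unique per issuer; a plain counter here

// issue creates a certificate carrying the fields the slide lists (subject, subject's public key, serial number, issuance and expiration dates) and signs it with the issuer's private key; with parent == nil it is a self-signed CA certificate.
func issue(subject string, isCA bool, notBefore, notAfter time.Time,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the subject's own key pair
	if err != nil {
		return nil, nil, err
	}
	nextSerial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             notBefore, // issuance date
		NotAfter:              notAfter,  // expiration date
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{subject} // the host name a client will compare against
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent CA is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey) // CA signature made here
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verify does what a client does with a merchant certificate: checks the CA signature against the CAs it trusts, the host name, and the validity window at time now.
func verify(cert, trustedCA *x509.Certificate, host string, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	return err
}

// Outcome records the verification cases Demo exercises and the merchant certificate's identifying fields.
type Outcome struct {
	TrustedOK, UntrustedCAFails, ExpiredFails, WrongNameFails bool
	Subject, Issuer, Serial                                   string
}

// Demo builds a trusted CA, a second CA that nobody trusts, and a merchant certificate from each, then verifies under a constructed clock.
func Demo() (out Outcome, err error) {
	now := time.Date(2007, time.June, 1, 0, 0, 0, 0, time.UTC) // constructed clock
	ca, caKey, err := issue("Example Trusted CA", true, now.AddDate(-1, 0, 0), now.AddDate(10, 0, 0), nil, nil)
	if err != nil {
		return
	}
	rogue, rogueKey, err := issue("Self-Selected CA", true, now.AddDate(-1, 0, 0), now.AddDate(10, 0, 0), nil, nil)
	if err != nil {
		return
	}
	shop, _, err := issue("shop.example", false, now.AddDate(0, -1, 0), now.AddDate(1, 0, 0), ca, caKey)
	if err != nil {
		return
	}
	rogueShop, _, err := issue("shop.example", false, now.AddDate(0, -1, 0), now.AddDate(1, 0, 0), rogue, rogueKey)
	if err != nil {
		return
	}
	out.TrustedOK = verify(shop, ca, "shop.example", now) == nil
	out.UntrustedCAFails = verify(rogueShop, ca, "shop.example", now) != nil // CA not in the client's trust store
	out.ExpiredFails = verify(shop, ca, "shop.example", now.AddDate(2, 0, 0)) != nil // past the expiration date
	out.WrongNameFails = verify(shop, ca, "other.example", now) != nil // certificate is for a different site
	out.Subject, out.Issuer, out.Serial = shop.Subject.CommonName, shop.Issuer.CommonName, shop.SerialNumber.String()
	return out, nil
}

func main() {
	fmt.Println(Demo())
}
```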

Slide 5-33: Securing Channels of Communication
    Secure Sockets Layer (SSL): Most common form of securing channels of communication; used to establish a secure negotiated session (client-server session in which URL of requested document, along with contents, is encrypted)
    S-HTTP: Alternative method; provides a secure message-oriented communications protocol designed for use in conjunction with HTTP
    Virtual Private Networks (VPNs): Allow remote users to securely access internal networks via the Internet, using Point-to-Point Tunneling Protocol (PPTP)

Slide 5-34: Secure Negotiated Sessions Using SSL
    Figure 5.14, Page 291

Slide 5-35: Protecting Networks: Firewalls and Proxy Servers
    Firewall: Hardware or software filters communications packets; prevents some packets from entering the network based on a security policy
    Firewall methods include:
        Packet filters
        Application gateways
    Proxy servers: Software servers that handle all communications originating from or being sent to the Internet

Slide 5-36: Firewalls and Proxy Servers
    Figure 5.15, Page 293

Slide 5-37: Protecting Servers and Clients
    Operating system controls: Authentication and access control mechanisms
    Anti-virus software: Easiest and least expensive way to prevent threats to system

Slide 5-38: Developing an E-commerce Security
    Figure 5.16, Page 295

Slide 5-39: Types of Payment Systems
    Cash
    Checking Transfer
    Credit Card
    Stored Value
    Accumulating Balance

Slide 5-40: Cash
    Legal tender
    Most common form of payment in terms of number of transactions
    Instantly convertible into other forms of value without intermediation
    Portable, requires no authentication
    “Free” (no transaction fee), anonymous, low cognitive demands
    Limitations: easily stolen, limited to smaller transaction, does not provide any float

Slide 5-41: Checking Transfer
    Funds transferred directly via signed draft/check from a consumer’s checking account to merchant/other individual
    Most common form of payment in terms of amount spent
    Can be used for small and large transactions
    Some float
    Not anonymous, requires third-party intervention (banks)
    Introduces security risks for merchants (forgeries, stopped payments), so authentication typically required

Slide 5-42: Credit Card
    Represents account that extends credit to consumers; allows consumers to make payments to multiple vendors at one time
    Credit card associations: Nonprofit associations (Visa, MasterCard) that set standards for issuing banks
    Issuing banks: Issue cards and process transactions
    Processing centers (clearinghouses): Handle verification of accounts and balances

Slide 5-43: Stored Value
    Accounts created by depositing funds into an account and from which funds are paid out or withdrawn as needed
        Examples: Debit cards, gift certificates, prepaid cards, smart cards
        Peer-to-peer payment systems such as PayPal a variation

Slide 5-44: Accumulating Balance
    Accounts that accumulate expenditures and to which consumers make periodic payments
        Examples: Utility, phone, American Express accounts

Slide 5-45: Dimensions of Payment Systems
    Table 5.6, Page 305

Slide 5-46: E-commerce Payment Systems
    Credit cards are dominant form of online payment, accounting for around 70% of online payments in 2007
    Other e-commerce payment systems:
        Digital cash
        Online stored value systems
        Digital accumulating balance payment systems
        Digital credit accounts
        Digital checking

Slide 5-47: How an Online Credit Transaction Works
    Figure 5.18, Page 308

Slide 5-48: Limitations of Online Credit Card Payment Systems
    Security: neither merchant nor consumer can be fully authenticated
    Cost: for merchants, around 3.5% of purchase price plus transaction fee of 20 – 30 cents per transaction
    Social equity: many people do not have access to credit cards

Slide 5-49: Digital Wallets
    Seeks to emulate the functionality of traditional wallet
    Most important functions:
        Authenticate consumer through use of digital certificates or other encryption methods
        Store and transfer value
        Secure payment process from consumer to merchant
    Early efforts to popularize have failed
    Newest effort: Google Checkout

Slide 5-50: Digital Cash
    One of the first forms of alternative payment systems
    Not really “cash”: rather, form of value storage and value exchange that has limited convertibility into other forms of value, and requires intermediaries to convert
    Most early examples have disappeared; concepts survive as part of P2P payment

Slide 5-51: Online Stored Value Systems
    Permit consumers to make instant, online payments to merchants and other individuals based on value stored in an online account
    Rely on value stored in a consumer’s bank, checking, or credit card account
    PayPal most successful system
    Smart cards another example
        Contact and contactless
        Mondex, Octopus

Slide 5-52: Digital Accumulating Balance Payment
    Allows users to make micropayments and purchases on the Web, accumulating a debit balance for which they are billed at the end of the month
    Examples: Valista’s PaymentsPlus, Clickshare

Slide 5-53: Digital Checking Payment Systems
    Extends functionality of existing checking accounts for use as online shopping payment tool
    Example: PayByCheck

Slide 5-54: Wireless Payment Systems
    Use of mobile handsets as payment devices well-established in Europe, Japan, South Korea
    Not very well established yet in U.S., but with growth in Wi-Fi and 3G cellular phone systems, this is beginning to change

Slide 5-55: Electronic Billing Presentment and Payment (EBPP)
    Online payment systems for monthly bills
    EBPP expected to grow rapidly, to an estimated 40% of all households by 2007
    Main business models in EBPP market
        Biller-direct
        Consolidator
    Above are supported by EBPP infrastructure


Description: Online security and payment systems.