Security Issues in e-business
Shared by: asifjamali
Posted: 6/27/2009
SECURITY ISSUES
MOHAMMAD ALI JINNAH UNIVERSITY
e-Banking - Security Issues

The Need for Security
• Data from the Computer Security Institute and the FBI indicate:
  – Cyber attacks are on the increase
  – Internet connections are increasingly a point of attack
• The variety of attacks is on the rise
• The reporting of serious crimes to law enforcement has declined

Why Now?
• Security systems are only as strong as their weakest points
• Security and ease of use (or implementation) are antithetical to one another
• Security takes a back seat to market pressures
• Security of an EC site depends on the security of the Internet as a whole
• Security vulnerabilities are increasing faster than they can be combated
• Security is compromised by common applications

Basic Security Issues
Issues at a simple marketing site:
• User's perspective
  – Is the Web server owned and operated by a legitimate company?
  – Do the Web page and form contain some malicious code content?
  – Will the Web server distribute the user's information to another party?
• Company's perspective
  – Will the user attempt to break into the Web server or alter the site?
  – Will the user try to disrupt the server so it isn't available to others?
• User and company perspective
  – Is the network connection free from eavesdropping?
  – Has information sent back and forth between server and browser been altered?
Basic Security Issues
• Major security issues in EC
  – Authentication
  – Authorization
  – Auditing
  – Confidentiality or privacy
  – Integrity
  – Availability
  – Non-repudiation

Security Risk Management
• Required to determine security needs
  – 4 phases of risk management: Assessment, Planning, Implementation, Monitoring
• Definitions involved in risk management
  – Assets: anything of value worth securing
  – Threat: an eventuality representing danger to an asset
  – Vulnerability: a weakness in a safeguard
• Assessment phase: evaluation of assets, threats and vulnerabilities
  – Determine organizational objectives
  – Inventory assets
  – Delineate threats
  – Identify vulnerabilities
  – Quantify the value of each risk
• Planning phase: arrive at a set of security policies
  – Define specific policies
  – Establish processes for audit and review
  – Establish an incident response team and contingency plan
• Implementation phase: choose particular technologies to deal with high-priority threats
• Monitoring phase: ongoing processes used to determine which measures are successful, which are unsuccessful, and which need modification

Types of Threats and Attacks
• Nontechnical vs. technical attacks
• Steps in a hacker's attack
  – Discover key elements of the network
  – Scan for vulnerabilities
  – Hack in and gain administrator privileges
  – Disable auditing and remove traces from log files
  – Steal files, modify data, steal source code, etc.
  – Install back doors, etc. to permit undetectable reentry
  – Return at will to do more damage
• The players
  – Hackers
  – Crackers
  – Script kiddies
• Systems and software bugs and misconfigurations
• Denial-of-service (DoS) attacks
  – IP fragmentation (teardrop, bonk, boink, nestea, and others)
  – DNS spoofing
  – Ping of death
  – Smurf attack
  – SYN flood
  – Buffer overflows
• Input validation attacks
• Intercepted transmissions
• Malicious code
  – Viruses
  – Worms
  – Macro viruses and macro worms
  – Trojan horses
• Malicious mobile code

Security Technologies
• Firewalls and access control
  – Firewall: a network node that isolates a private network from the public network
    • Packet-filtering routers
    • Application-level proxies
    • Screened host firewall
• Virtual private networks (VPNs): use the public Internet to carry information that nevertheless remains private
  – Encryption: scramble communications
  – Authentication: ensure information remains untampered with and comes from a legitimate source
  – Access control: verify the identity of anyone using the network
• Protocol tunneling: ensure confidentiality and integrity of transmitted data
  – Point-to-Point Tunneling Protocol (PPTP)
  – Layer 2 Tunneling Protocol (L2TP)
• Intrusion Detection Systems (IDS)

Security Schemes
• Secret Key Cryptography (symmetric)
  [Figure: Key_sender (= Key_receiver). Sender: Original Message, Encryption with Key_sender, Scrambled Message; Internet; Receiver: Scrambled Message, Decryption with Key_receiver, Original Message.]
• Public Key Cryptography
  [Figure: Sender: Original Message encrypted with Public Key_receiver, Scrambled Message; Internet; Receiver: Scrambled Message decrypted with Private Key_receiver, Original Message.]
• Digital Signature
  [Figure: Sender: Original Message signed with Private Key_sender, Scrambled Message; Internet; Receiver: Scrambled Message checked with Public Key_sender, Original Message.]
  – Analogous to a handwritten signature
  – The sender encrypts a message with her private key
  – A digital signature is attached by the sender to a message encrypted in the receiver's public key
  – Any receiver with the sender's public key can read it
  – The receiver is the only one who can read the message and, at the same time, is assured that the message was indeed sent by the sender
• Certificate
  – Identifies the holder of a public key (key exchange)
  – Issued by a trusted certificate authority (CA)
  Sample certificate fields:
    Name: "Richard"
    Key-Exchange Key:
    Signature Key:
    Serial #: 29483756
    Other Data: 10236283025273
    Expires: 6/18/96
    Signed: CA's Signature
• Certificate Authority (e.g. VeriSign)
  – Public or private, comes in levels (hierarchy)
  – A trusted third-party service
  – Issuer of digital certificates
  – Verifies that a public key indeed belongs to a certain individual
  – A certificate authority itself needs to be verified by a government or well-trusted entity (e.g., post office)
  Hierarchy of Certificate Authorities:
    RCA: Root Certificate Authority
    BCA: Brand Certificate Authority
    GCA: Geo-political Certificate Authority
    CCA: Cardholder Certificate Authority
    MCA: Merchant Certificate Authority
    PCA: Payment Gateway Certificate Authority
  [Figure: Hierarchy of Certificate Authorities, from the RCA at the top through BCA and GCA down to CCA, MCA and PCA.]

Electronic Credit Card System on the Internet
• The process of using credit cards offline
  – A cardholder requests the issuance of a card brand (like Visa and MasterCard) from an issuer bank in which the cardholder may have an account.
  – The authorization of card issuance by the issuer bank, or its designated brand company, may require the customer's physical visit to an office.
  – A plastic card is physically delivered to the customer's address by mail.
  – The card comes into effect once the cardholder calls the bank for initiation and signs on the back of the card.
  – The cardholder shows the card to a merchant to pay a requested amount.
  – Then the merchant asks for approval from the brand company.
  – Upon the approval, the merchant requests payment from the merchant's acquirer bank, and pays a fee for the service. This process is called a "capturing process".
  – The acquirer bank requests the issuer bank to pay the credit amount.
[Figure: Credit Card Procedure (offline and online). Entities: Cardholder, Merchant, Card Brand Company, Issuer Bank (Cardholder Account), Acquirer Bank (Merchant Account). Flows labelled: credit card, payment authorization, payment data, account debit data, amount transfer.]

SET vs. SSL
• Secure Electronic Transaction (SET)
  – Complex
  – SET is tailored to credit card payment to merchants.
  – The SET protocol hides the customer's credit card information from merchants, and also hides the order information from banks, to protect privacy. This scheme is called dual signature.
• Secure Socket Layer (SSL)
  – Simple
  – SSL is a protocol for general-purpose secure message exchanges (encryption).
  – The SSL protocol may use a certificate, but there is no payment gateway. So the merchants need to receive both the ordering information and the credit card information, because the capturing process must be initiated by the merchants.

Five Security Tips
• Don't reveal your online Passcode to anyone. If you think your online Passcode has been compromised, change it immediately.
• Don't walk away from your computer if you are in the middle of a session.
• Once you have finished conducting your banking on the Internet, always sign off before visiting other Internet sites.
• If anyone else is likely to use your computer, clear your cache or turn off and restart your browser in order to eliminate copies of Web pages that have been stored on your hard drive.
• Bank of America strongly recommends that you use a browser with 128-bit encryption to conduct secure financial transactions over the Internet.

Managerial Issues
• Security solution providers can cultivate the opportunity of providing solutions for secure electronic payment systems
• Electronic payment system solution providers can offer various types of electronic payment systems to electronic stores and banks
• Electronic stores should select an appropriate set of electronic payment systems
• Banks need to develop cyberbank services compatible with the various electronic payment systems
• Credit card brand companies need to develop an EC standard like SET, and watch its acceptance by customers
• Smart card brands should develop a business model in cooperation with application sectors and banks
• Certificate authorities need to identify the types of certificate to provide

© Prentice Hall, 2000
