electronic transaction security (e-commerce)

Post on 23-Feb-2016



ELECTRONIC TRANSACTION SECURITY (E-COMMERCE)

By Joel Milazzo

E-Commerce

Electronic Commerce - the buying and selling of products or services over electronic systems.

Common Sites:

Public-key Encryption

Public Key Encryption – Uses a pair of asymmetric keys for encryption and decryption.

Public Key, which is made public by distributing it widely.

Private Key is never distributed, kept secret.

Public-Key Encryption Basics

Secure Sockets Layer (SSL)

SSL – Protocol that uses the implementation of Public-Key encryption to provide security for communications over networks such as the internet.

Originally developed by Netscape, it is used by internet browsers and web servers to transmit sensitive information.

Successor: Transport Layer Security (TLS)

SSL/TLS in Action

Create a “Certificate”

A third-party company such as Thawte is used to prove the identity of the company. The company is then given a new public key that has additional information.

This information is the third party's certification that the public key is verified and specific to the company. This information is encrypted with the third party's private key.

SSL/TLS in Action

Connect to the company website, which is directed to a special port on the website that is set up for SSL/TLS communications only.

Company sends back its public key (which has additional information).

Client then uses the public key of the third party (which is stored in the browser) to decrypt the key.

Decision…

Are you secure?

There are a few ways to find out if you are using a secure protocol simply by viewing your browser.

Represents Encryption

Secure Connection

How it is used in e-commerce

1. Customer places order
2. Customer’s browser confirms merchant
3. Browser sends the order information; this message is encrypted with the merchant’s public key. Payment information is encrypted with the bank’s public key.
4. Merchant verifies the customer
5. Merchant sends order information to bank

How it is used in e-commerce cont.

6. Bank verifies the merchant and the information of the consumer.
7. The bank authorizes the transaction to the merchant, who can then fill the order.

One Time Session

To ensure security, each transaction session is given a combination of symmetric and public keys.

Upon leaving the session or breaking the connection for any reason, you must start the session over with a new symmetric key.
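An added example, not part of the original slides, of step 3 of the e-commerce flow combined with the one-time session key: the order is sealed for the merchant and the payment details for the bank, each under a fresh symmetric key wrapped with the recipient's public key. Textbook RSA over small fixed primes and a SHA-256 keystream stand in for real algorithms; every name, key and sample value is constructed for illustration.

```python
import hashlib
import secrets

E = 65537  # common RSA public exponent


def make_keypair(p, q):
    """Textbook RSA keypair from two primes (toy sizes, illustration only)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (n, E), (n, d)


def _xor_stream(key, data):
    """XOR data with a SHA-256 counter keystream (stand-in symmetric cipher)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], pad))
    return bytes(out)


def seal(public, plaintext):
    """Encrypt for one recipient under a fresh one-time session secret."""
    n, e = public
    secret = secrets.randbelow(n - 2) + 2  # new for every message
    key = hashlib.sha256(secret.to_bytes(64, "big")).digest()
    return pow(secret, e, n), _xor_stream(key, plaintext)


def unseal(private, sealed):
    """Recover the session secret with the private key, then decrypt."""
    n, d = private
    wrapped, body = sealed
    key = hashlib.sha256(pow(wrapped, d, n).to_bytes(64, "big")).digest()
    return _xor_stream(key, body)


# Constructed keys: Mersenne primes keep the toy keys short and reproducible.
MERCHANT_PUB, MERCHANT_PRIV = make_keypair(2**107 - 1, 2**61 - 1)
BANK_PUB, BANK_PRIV = make_keypair(2**127 - 1, 2**89 - 1)

if __name__ == "__main__":
    order = seal(MERCHANT_PUB, b"order: 2 x widget, ship to 1 Example St")
    payment = seal(BANK_PUB, b"card: 4111 1111 1111 1111 exp 01/30")  # test PAN
    print("merchant reads order  :", unseal(MERCHANT_PRIV, order))
    print("merchant reads payment:", unseal(MERCHANT_PRIV, payment))  # garbage
    print("bank reads payment    :", unseal(BANK_PRIV, payment))
```

The sketch gives confidentiality only: the merchant can forward the payment blob to the bank without being able to read it. Real protocols also authenticate the ciphertext and use padded RSA or a key exchange with standard key sizes.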

3-D Secure

Stands for Three Domain Secure.

XML-based protocol used as a security precaution for online credit and debit card transactions.

Developed by Visa in order to improve security and has since been adopted by other card companies such as MasterCard and JCB International.

What does it do?

Ties the financial authorization process with the idea of individual online authentication.

Previously there was no way to identify if the legitimate cardholder was entering the card details.

Adds another step for online payments to safeguard bank accounts.

Added Protection

Cardholder answers a series of one-time security questions from their bank which only the card issuer and cardholder will ever know.

Select a password and a secret phrase which will now be used during online transactions.

During the checkout process the 3-D Secure of the card issuer (Visa, MasterCard, etc.) will redirect the user to the website of the bank to authorize the transaction.
