An Investigation into E-Commerce Frauds and their Security Implications By Kevin Boardman Supervisor: John Ebden 1 November 2004

Page 1

An Investigation into E-Commerce Frauds and their Security Implications 

By Kevin Boardman

Supervisor: John Ebden

1 November 2004

Page 2

About me

Joint Computer Science and Information Systems Honours.

Interest in computer security and its implications in e-commerce.

Email: [email protected]

Page 3

Definition of project in one sentence

An investigation into e-commerce frauds, and how they are best avoided by internet merchants.

Page 4

The Problem and Background

Page 5

What is E-commerce?

“E-commerce focuses on the electronic exchange of information using information and telecommunications infrastructures to perform a wide range of commercial activities that can be divided into business-to-consumer and business-to-business sectors” - Hutchinson and Warren [2003]

This project focuses on business-to-consumer e-commerce.

Page 6

Importance of E-Commerce

Electronic commerce is a “strategic imperative for most competitive organisations today as it is a key to finding new sources of revenue, expanding into new markets, reducing costs, and creating breakaway business strategies” - VeriSign [2004]

Page 7

E-Commerce statistics

General increase in the use of e-commerce around the world.

The number of online banking accounts in South Africa grew by 28% to 1.04 million in the last year. These figures are expected to increase to 30% in 2004.

17 percent of Americans used online banking services by the end of 2002 and this figure will continue to grow by 14 percent up to the end of 2007.

US online retail revenue is projected to increase from $47.8 billion in 2002 to $130.3 billion in 2005.

Page 8

Fraud statistics

Fraud complaints rose by around two-thirds in the US according to the Federal Trade Commission (FTC) from 2001 to 2002.

The cost of fraud in 2002 more than doubled that in 2001.

Page 9

Fraud statistics (Continued)

[Chart: Internet Related Frauds reported to Consumer Sentinel from 2001 to 2003. X-axis: 2001, 2002, 2003. Y-axis: number of reported frauds, 0 to 180,000.]

Page 10

Result of combination of statistics

“Hacker cleans out bank accounts.”

“Hundreds of thousands of rands stolen via Internet from Absa clients.” Who covers the costs? Irreversible damage to Absa’s image.

“New security fears for web banking”

“Major online credit card theft exposed”

Why are these breaches still taking place?

Page 11

My Approach

1. Identify types of threats, types of attacks, methods of attack and opportunities for attack in the e-commerce transaction.

2. Identify requirements of secure e-commerce and mechanisms used to secure e-commerce.

3. Critically analyse e-commerce security mechanisms.

4. Analyse e-commerce fraud case studies.

5. Formulate options and recommendations for securing e-commerce.

Page 12

Threats

Vandalism and sabotage – defacing a web site

Denial of service – flooding of the service

Breach of privacy or confidentiality – disclosure of personal info

Theft and fraud – theft and use of credit card numbers

Violations of data integrity – changing an order’s delivery address

Repudiation – denying a transaction took place

Page 13

Securing E-Commerce

3 Fronts

1. Merchant - System offering the service - Web server and OS - Firewalls, encrypted data stores

2. Transport - Channel between the client and merchant - Protocols (SSL, SET)

3. Client - System accessing the service - Difficult to secure and control

Page 14

E-commerce Security Requirements

Four basic security requirements of e-commerce transactions:

1. Authentication – proof of identity

2. Confidentiality – keeping data “secret”

3. Data integrity – ensuring data is not changed by an unauthorised entity while in transit

4. Non-repudiation – prevents a denial of actions by a person or entity

Page 15

Mechanisms used to secure e-commerce

SSL

Payment Protocols

Pseudo Card Numbers

Used in combination with passwords, tokens, and biometrics for authentication.

Page 16

Secure Socket Layer (SSL)

Provides confidentiality, authentication, and data integrity through the use of PKI.

Resides above the transport layer and below the application layer at the socket layer in the protocol stack.

Most prominent e-commerce protocol

Page 17

SSL - Downfalls

Does not provide non-repudiation or facilitate transferring of payments.

Leaves payment details up to the merchant. Credit card details can be read by the merchant and may be vulnerable to theft if the data store is not encrypted.

Page 18

Scenario 1

Insecure Merchant

Page 19

Scenario 2

Illegitimate Merchant

Page 20

Payment Protocols

Merchant has no need to read credit card details.

Guarantee the merchant receives payment.

Keeps credit card details confidential.

Eliminates storage of credit card details on the merchant’s system.
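The exchange the payment-protocol slide describes, and the SSL downfall it answers (page 17: with SSL alone the merchant reads and stores the card details), as an added example that is not part of Boardman's slides. The card details go from the client to a simulated gateway only; the merchant receives a receipt authenticated with HMAC-SHA256 under a key it shares with the gateway, verifies it, and stores just the authorization reference. The gateway, the account ledger, the test card number and the shared key are all constructed here, and the symmetric key is an assumption: it gives the merchant authenticity and integrity of the receipt (requirements 1 and 3 on page 14) but not third-party non-repudiation, which needs an asymmetric signature.

```python
"""Added example (not part of Boardman's slides): a toy payment-protocol
exchange in which the card number never reaches the merchant. The gateway,
the account table, the card and the shared key are all constructed here."""
import hashlib
import hmac
import json
import secrets

# Constructed issuer ledger used by the simulated gateway: PAN -> balance in cents.
# 4111 1111 1111 1111 is a well-known test number, not a live card.
ACCOUNTS = {"4111111111111111": 5000}


def _tag(key, receipt):
    """HMAC-SHA256 over a canonical JSON encoding of the receipt."""
    payload = json.dumps(receipt, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class PaymentGateway:
    """Simulated gateway/acquirer. Assumption: each merchant shares a
    symmetric HMAC key with the gateway, exchanged out of band."""

    def __init__(self, merchant_keys):
        self._merchant_keys = merchant_keys   # merchant_id -> key bytes
        self._accounts = dict(ACCOUNTS)

    def authorize(self, merchant_id, order_id, amount_cents, card):
        # Card details travel client -> gateway only; the merchant is not on this path.
        balance = self._accounts.get(card["pan"])
        if balance is None or balance < amount_cents:
            return None                        # declined: no receipt, so no guaranteed payment
        self._accounts[card["pan"]] = balance - amount_cents
        receipt = {"merchant": merchant_id, "order": order_id,
                   "amount": amount_cents, "auth_ref": secrets.token_hex(8)}
        return {"receipt": receipt, "tag": _tag(self._merchant_keys[merchant_id], receipt)}


class Merchant:
    """The merchant checks the gateway's receipt and stores only the
    authorization reference, never the PAN."""

    def __init__(self, merchant_id, key):
        self.merchant_id = merchant_id
        self._key = key
        self.orders = {}                       # order_id -> stored record

    def accept_payment(self, order_id, expected_amount, signed):
        r = signed["receipt"]
        if not hmac.compare_digest(_tag(self._key, r), signed["tag"]):
            return False                       # forged or tampered receipt
        if (r["merchant"], r["order"], r["amount"]) != (self.merchant_id, order_id, expected_amount):
            return False                       # receipt belongs to another order or amount
        self.orders[order_id] = {"auth_ref": r["auth_ref"], "amount": r["amount"]}
        return True


def run_demo():
    """Returns (accepted, tampered_rejected, declined_is_none, pan_absent_from_store)."""
    key = secrets.token_bytes(32)
    gateway = PaymentGateway({"shop-1": key})
    shop = Merchant("shop-1", key)
    card = {"pan": "4111111111111111", "expiry": "12/26"}          # constructed
    signed = gateway.authorize("shop-1", "order-42", 1999, card)
    accepted = shop.accept_payment("order-42", 1999, signed)
    # A receipt whose amount was altered in transit fails the HMAC check.
    tampered = {"receipt": dict(signed["receipt"], amount=1), "tag": signed["tag"]}
    tampered_rejected = not shop.accept_payment("order-42", 1, tampered)
    declined = gateway.authorize("shop-1", "order-43", 10_000, card)  # exceeds balance
    pan_absent = "4111111111111111" not in json.dumps(shop.orders)
    return accepted, tampered_rejected, declined is None, pan_absent


if __name__ == "__main__":
    print(run_demo())
```

The merchant's order store ends up holding only an opaque authorization reference and the amount, which is what makes the "insecure merchant" scenario much less damaging: a copy of that store yields nothing a fraudster can charge.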

Page 21

Scenario 3

Payment protocol

Page 22

Secure Electronic Transactions (SET)

Technical standard for secure payments focusing on credit cards. Developed by MasterCard and VISA. Failed to be adopted. Why?

Certificate management was cumbersome. Comparatively slow and expensive to implement. Non-portable.

Page 23

Pseudo credit card numbers

Temporary credit card numbers that are valid for 1 transaction only.

Advantages: No insecure merchant problem. Easy and cost effective to implement – transparent to the merchant.

Page 24

Pseudo Credit Card Numbers (Cont)

Disadvantages: Relatively new and not yet widely adopted. Merchant may have to stop accepting real credit card numbers.
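The single-use property from the two pseudo-card slides (pages 23 and 24), as an added example that is not from the presentation. A hypothetical issuer hands out a temporary number under a constructed prefix, keeps a private map from it to the real account, and consumes it on the first authorization so a second use is declined. The assumption behind "transparent to the merchant" is that the pseudo number must look like a card number, so it is generated with a valid Luhn check digit; the prefix 499999, the real card number and the spending limit are constructed sample values.

```python
"""Added example (not from Boardman's slides): a toy issuer for single-use
pseudo credit card numbers. The prefix, real card number and limits are
constructed sample values; no real BIN is used."""
import secrets


def luhn_check_digit(partial):
    """Digit that makes partial + digit pass the Luhn mod-10 check.
    The rightmost digit of `partial` will sit next to the check digit, so it
    is the first one doubled when counting from the right."""
    total = 0
    for i, d in enumerate(int(c) for c in reversed(partial)):
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def luhn_ok(pan):
    """Standard Luhn mod-10 validation of a full card number."""
    total = 0
    for i, d in enumerate(int(c) for c in reversed(pan)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class PseudoCardIssuer:
    PREFIX = "499999"   # constructed issuer prefix for the example, not a real BIN

    def __init__(self):
        self._pending = {}   # pseudo PAN -> (real PAN, spending limit in cents)

    def issue(self, real_pan, limit_cents):
        """Create a 16-digit Luhn-valid pseudo number bound to one real account."""
        body = self.PREFIX + "".join(str(secrets.randbelow(10)) for _ in range(9))
        pseudo = body + str(luhn_check_digit(body))
        self._pending[pseudo] = (real_pan, limit_cents)
        return pseudo

    def authorize(self, pan, amount_cents):
        """Authorization request for a pseudo number. It is consumed on first
        use whether approved or declined, so replaying it always fails."""
        entry = self._pending.pop(pan, None)
        if entry is None:
            return None          # unknown, already used, or not a pseudo number
        real_pan, limit = entry
        if amount_cents > limit:
            return None          # over the limit the cardholder set for this number
        return {"charged_account": real_pan[-4:], "amount": amount_cents}


if __name__ == "__main__":
    issuer = PseudoCardIssuer()
    pan = issuer.issue("4111111111111111", 5000)   # constructed test card
    print(pan, luhn_ok(pan))
    print(issuer.authorize(pan, 1999))   # approved once
    print(issuer.authorize(pan, 1999))   # None: number already consumed
```

A merchant that does nothing more than a format check accepts the pseudo number exactly as it would a real one, which is the "transparent to merchant" advantage; the downside on page 24 is the mirror image, since an issuer that declines real numbers on this channel forces the merchant to live with the pseudo ones.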

Page 25

CD Universe Case Study

In 1999 a hacker broke into CD Universe’s systems, stealing 300 000 credit card numbers.

The hacker demanded $100 000 or would release the details publicly.

The demand was not met and the hacker published the details, allowing the download of 25 000 numbers by several thousand visitors.

Page 26

CD Universe Case Study

Suggested cause of intrusion: credit cards stored unencrypted (Insecure Merchant problem).

An MSNBC follow-up found that many e-commerce sites’ credit card databases can be accessed simply by connecting through a SQL Server.

Many have no encryption or authentication.

Page 27

Options and Recommendations

Options involving SSL only, or SSL along with client authentication techniques, have major weaknesses.

SSL in combination with pseudo card numbers is technically more secure and easy to adopt, but not widely enough adopted.

Payment protocols in combination with client authentication techniques are the most viable and secure methods of securing payment.

Page 28

Questions