Ch08-Online Security and Payment Systems

E-commerce: business. technology. society. Sixth Edition. Montri Wiboonrat, Ph.D.


Page 1: Ch08-Online Security and Payment Systems

E-commerce: business. technology. society. Sixth Edition

Montri Wiboonrat, Ph.D.

Page 2: Ch08-Online Security and Payment Systems

Chapter 5

Online Security and Payment Systems

Slide 5-2

Page 3: Ch08-Online Security and Payment Systems

Cyberwar Becomes a Reality

Class Discussion

What is a DDoS attack? 

What are botnets? Why are they used in DDoS attacks?

What percentage of computers belong to botnets? What percentage of spam is sent by botnets?

Can anything be done to stop DDoS attacks?

Slide 5-3

Page 4: Ch08-Online Security and Payment Systems

The E-commerce Security Environment

Overall size and losses of cybercrime unclear

Reporting issues

2008 CSI survey: 49% of respondent firms detected a security breach in the last year

Of those that shared numbers, average loss $288,000

Underground economy marketplace

Stolen information stored on underground economy servers

Slide 5-4

Page 5: Ch08-Online Security and Payment Systems

Types of Attacks Against ComputerSystems (Cybercrime)

Figure 5.1, Page 267

Slide 5-5

Source: Based on data from Computer Security Institute, 2009.

Page 6: Ch08-Online Security and Payment Systems

What Is Good E-commerce Security?

To achieve highest degree of security

New technologies

Organizational policies and procedures

Industry standards and government laws

Other factors

Time value of money

Cost of security vs. potential loss

Security often breaks at weakest link

Slide 5-6

Page 7: Ch08-Online Security and Payment Systems

The E-commerce Security Environment

Figure 5.2, Page 270

Slide 5-7

Page 8: Ch08-Online Security and Payment Systems

Table 5.2, Page 271 (Copyright © 2010 Pearson)

Slide 5-8

Page 9: Ch08-Online Security and Payment Systems

The Tension Between Security and Other Values

Security vs. ease of use

The more security measures added, the more difficult a site is to use, and the slower it becomes

Security vs. desire of individuals to act anonymously

Use of technology by criminals to plan crimes or threaten nation-state

Slide 5-9

Page 10: Ch08-Online Security and Payment Systems

Security Threats in the E-commerce Environment

Three key points of vulnerability:

1. Client

2. Server

3. Communications pipeline

Slide 5-10

Page 11: Ch08-Online Security and Payment Systems

Security Software

Slide 5-11

Page 12: Ch08-Online Security and Payment Systems

A Typical E-commerce Transaction

Figure 5.3, Page 273

Slide 5-12

SOURCE: Boncella, 2000.

Page 13: Ch08-Online Security and Payment Systems

Vulnerable Points in an E-commerce Environment

Figure 5.4, Page 274

Slide 5-13

SOURCE: Boncella, 2000.

Page 14: Ch08-Online Security and Payment Systems

Most Common Security Threats in the E-commerce Environment

Malicious code

Viruses

Worms

Trojan horses

Bots, botnets

Unwanted programs

Browser parasites

Adware

Spyware

Slide 5-14

Page 15: Ch08-Online Security and Payment Systems

Most Common Security Threats

Phishing

Deceptive online attempt to obtain confidential information

Social engineering, e‐mail scams, spoofing legitimate Web sites

Use information to commit fraudulent acts (access checking accounts), steal identity

Hacking and cybervandalism

Hackers vs. crackers

Cybervandalism: intentionally disrupting, defacing, destroying Web site

Types of hackers: white hats, black hats, grey hats

Slide 5-15

Page 16: Ch08-Online Security and Payment Systems

Most Common Security Threats

Credit card fraud/theft

Fear of stolen credit card information deters online purchases

Hackers target merchant servers; use data to establish credit under false identity

Online companies at higher risk than offline

Spoofing: misrepresenting self by using fake e‐mail address 

Pharming: spoofing a Web site

Redirecting a Web link to a new, fake Web site

Spam/junk Web sites

Splogs

Slide 5-16

Page 17: Ch08-Online Security and Payment Systems

Most Common Security Threats

Denial of service (DoS) attack

Hackers flood site with useless traffic to overwhelm network

Distributed denial of service (DDoS) attack

Hackers use multiple computers to attack target network

Sniffing

Eavesdropping program that monitors information traveling over a network

Insider jobs

Single largest financial threat

Poorly designed server and client software

Slide 5-17

Page 18: Ch08-Online Security and Payment Systems

Technology Solutions

Protecting Internet communications (encryption)

Securing channels of communication (SSL, S-HTTP, VPNs)

Protecting networks (firewalls)

Protecting servers and clients 

Slide 5-18

Page 19: Ch08-Online Security and Payment Systems

Tools Available to Achieve Site Security

Slide 5-19

Page 20: Ch08-Online Security and Payment Systems

Encryption

Transforms data into cipher text readable only by sender and receiver

Secures stored information and information transmission

Provides 4 of 6 key dimensions of e-commerce security:

1. Message integrity

2. Nonrepudiation

3. Authentication

4. Confidentiality

Slide 5-20

Page 21: Ch08-Online Security and Payment Systems

Symmetric Key Encryption

Sender and receiver use same digital key to encrypt and decrypt message

Requires different set of keys for each transaction

Strength of encryption

Length of binary key used to encrypt data

Advanced Encryption Standard (AES)

Most widely used symmetric key encryption

Uses 128‐, 192‐, and 256‐bit encryption keys

Other standards use keys with up to 2,048 bits

Slide 5-21

Page 22: Ch08-Online Security and Payment Systems

Public Key Encryption

Uses two mathematically related digital keys

1. Public key (widely disseminated) 

2. Private key (kept secret by owner)

Both keys used to encrypt and decrypt message

Once key used to encrypt message, same key cannot be used to decrypt message

Sender uses recipient's public key to encrypt message; recipient uses his/her private key to decrypt it

Slide 5-22

Page 23: Ch08-Online Security and Payment Systems

Public Key Cryptography—A Simple Case

Figure 5.8, Page 290

Slide 5-23

Page 24: Ch08-Online Security and Payment Systems

Public Key Encryption Using Digital Signatures and Hash Digests

Hash function:

Mathematical algorithm that produces fixed-length number called message or hash digest

Hash digest of message sent to recipient along with message to verify integrity

Hash digest and message encrypted with recipient's public key

Entire cipher text then encrypted with recipient's private key—creating digital signature—for authenticity, nonrepudiation

Slide 5-24

Page 25: Ch08-Online Security and Payment Systems

Public Key Cryptography with Digital Signatures

Figure 5.9, Page 291

Slide 5-25

Page 26: Ch08-Online Security and Payment Systems

Digital Envelopes

Addresses weaknesses of:

Public key encryption

Computationally slow, decreased transmission speed, increased processing time

Symmetric key encryption

Insecure transmission lines

Uses symmetric key encryption to encrypt document 

Uses public key encryption to encrypt and send symmetric key
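The three mechanisms on slides 5-22, 5-24 and 5-26 (two related keys where one undoes the other, a hash digest signed to give integrity and nonrepudiation, and a digital envelope that wraps a one-time symmetric key in public key encryption) fit together in one short program. The following is an added example, not code from the textbook or the slides. It uses textbook RSA with small, hand-picked primes (constructed values, far too small to be secure, chosen only so the arithmetic is visible) and a counter-mode stream cipher built on HMAC-SHA256 as a stand-in for AES; the names `toy_keypair`, `seal_envelope`, `open_envelope` and the sample order text are all assumptions. The signature is made with the sender's private key, the one key that only the sender holds, which is what lets the recipient attribute the message to the sender.

```python
import hashlib
import hmac
import secrets


# Toy RSA keys from small, hand-picked primes (constructed values, not secure):
# they keep the numbers readable so the two-key relationship is visible.
# Real systems use 2048-bit or larger moduli plus a padding scheme.
def toy_keypair(p, q, e=17):
    """Return ((e, n), (d, n)); e*d == 1 modulo (p-1)(q-1), which is what
    makes one key undo the other."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # private exponent, the modular inverse of e
    return (e, n), (d, n)


ALICE_PUBLIC, ALICE_PRIVATE = toy_keypair(61, 53)  # sender    (n = 3233)
BOB_PUBLIC, BOB_PRIVATE = toy_keypair(47, 71)      # recipient (n = 3337)


def rsa_apply(key, blocks):
    """Apply a key to a list of integer blocks. With the public key this
    encrypts; with the matching private key it decrypts (or signs)."""
    exp, mod = key
    return [pow(b, exp, mod) for b in blocks]


def rsa_encrypt(public_key, data: bytes):
    return rsa_apply(public_key, list(data))  # one byte per block (toy sizing)


def rsa_decrypt(private_key, blocks):
    return bytes(rsa_apply(private_key, blocks))


def sign(private_key, message: bytes):
    """Digital signature: fixed-length hash digest, then the signer's private key."""
    return rsa_apply(private_key, list(hashlib.sha256(message).digest()))


def verify(public_key, message: bytes, signature):
    """Recover the digest with the signer's public key and compare it with a
    fresh digest of the received message: a match proves integrity and origin."""
    return rsa_apply(public_key, signature) == list(hashlib.sha256(message).digest())


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Symmetric cipher: counter mode with HMAC-SHA256 generating the keystream.
    Illustrative stand-in for AES; the same call encrypts and decrypts."""
    out = bytearray()
    for counter in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        chunk = data[counter * 32:(counter + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def seal_envelope(recipient_public_key, sender_private_key, document: bytes):
    """Digital envelope: fast symmetric encryption for the document, slow public
    key encryption only for the one-time symmetric key, plus a signature."""
    session_key = secrets.token_bytes(32)  # fresh key for this transaction only
    nonce = secrets.token_bytes(16)
    ciphertext = keystream_xor(session_key, nonce, document)
    return {
        "nonce": nonce,
        "ciphertext": ciphertext,
        "sealed_key": rsa_encrypt(recipient_public_key, session_key),  # only Bob can unwrap
        "signature": sign(sender_private_key, nonce + ciphertext),       # only Alice can produce
    }


def open_envelope(recipient_private_key, sender_public_key, envelope):
    """Check the signature first, then unwrap the session key and decrypt."""
    signed = envelope["nonce"] + envelope["ciphertext"]
    if not verify(sender_public_key, signed, envelope["signature"]):
        raise ValueError("signature check failed: altered in transit or not from claimed sender")
    session_key = rsa_decrypt(recipient_private_key, envelope["sealed_key"])
    return keystream_xor(session_key, envelope["nonce"], envelope["ciphertext"])


def detects_tampering(envelope, recipient_private_key, sender_public_key) -> bool:
    """Flip one ciphertext bit and report whether the recipient rejects it."""
    altered = dict(envelope)
    altered["ciphertext"] = bytes([envelope["ciphertext"][0] ^ 0x01]) + envelope["ciphertext"][1:]
    try:
        open_envelope(recipient_private_key, sender_public_key, altered)
    except ValueError:
        return True
    return False


def demo():
    document = b"Order 1234: ship 3 units to warehouse B"  # constructed sample document
    envelope = seal_envelope(BOB_PUBLIC, ALICE_PRIVATE, document)
    return open_envelope(BOB_PRIVATE, ALICE_PUBLIC, envelope)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns the original order text. Applying Alice's public key twice does not recover the message, which is the slide's point that the key used to encrypt cannot also decrypt; and because the session key changes per envelope, the symmetric key is never reused across transactions.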

Slide 5-26

Page 27: Ch08-Online Security and Payment Systems

Creating a Digital Envelope

Figure 5.10, Page 293

Slide 5-27

Page 28: Ch08-Online Security and Payment Systems

Digital Certificates and Public Key Infrastructure (PKI)

Digital certificate includes:

Name of subject/company

Subject's public key

Digital certificate serial number

Expiration date, issuance date

Digital signature of certification authority (trusted third party institution) that issues certificate

Public Key Infrastructure (PKI): CAs and digital certificate procedures that are accepted by all parties

Slide 5-28

Page 29: Ch08-Online Security and Payment Systems

Digital Certificates and Certification Authorities

Figure 5.11, Page 294

Slide 5-29

Page 30: Ch08-Online Security and Payment Systems

Limits to Encryption Solutions

Doesn't protect storage of private key

PKI not effective against insiders, employees

Protection of private keys by individuals may be haphazard

No guarantee that verifying computer of merchant is secure

CAs are unregulated, self-selecting organizations

Slide 5-30

Page 31: Ch08-Online Security and Payment Systems

Insight on Society

In Pursuit of E-mail Security

Class Discussion

What are some of the current risks and problems with using e-mail?

What are some of the technology solutions that have been developed?

Are these solutions compatible with modern law?

Consider the benefits of a thorough business record retention policy. Do you agree that these benefits are worth giving up some control of your e‐mail?

Slide 5-31

Page 32: Ch08-Online Security and Payment Systems

Securing Channels of Communication

Secure Sockets Layer (SSL): Establishes a secure, negotiated client-server session in which URL of requested document, along with contents, is encrypted

S-HTTP: Provides a secure message-oriented communications protocol designed for use in conjunction with HTTP

Virtual Private Network (VPN): Allows remote users to securely access internal network via the Internet, using Point-to-Point Tunneling Protocol (PPTP)

Slide 5-32

Page 33: Ch08-Online Security and Payment Systems

Secure Negotiated Sessions Using SSL

Figure 5.12, Page 298

Slide 5-33

Page 34: Ch08-Online Security and Payment Systems

Protecting Networks

Firewall

Hardware or software that filters packets

Prevents some packets from entering the network based on security policy

Two main methods:

1. Packet filters

2. Application gateways

Proxy servers (proxies)

Software servers that handle all communications originating from or being sent to the Internet
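A packet filter is an ordered list of rules checked against each packet's addresses, protocol and port, with the first match deciding and an explicit deny-all at the end so that anything the policy did not foresee is dropped. The program below is an added example, not code from the textbook or the slides; the storefront network, the addresses (private 10.0.0.0/8 inside, RFC 5737 documentation ranges 203.0.113.0/24 and 198.51.100.0/24 standing in for the Internet), and the names `Packet`, `Rule`, `POLICY` and `filter_packet` are all constructed for illustration. The outbound rule also expresses the proxy model from the slide: only the proxy host may originate traffic to the Internet, so a workstation that bypasses it is refused.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" (arriving from the Internet) or "out" (leaving for it)
    proto: str      # "tcp" or "udp"
    src: str        # source IP address
    dst: str        # destination IP address
    dport: int      # destination port


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    direction: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"       # CIDR block; 0.0.0.0/0 matches every address
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None matches any port

    def matches(self, pkt: Packet) -> bool:
        return (
            self.direction in ("any", pkt.direction)
            and self.proto in ("any", pkt.proto)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
            and (self.dport is None or self.dport == pkt.dport)
        )


# Constructed policy for a hypothetical storefront. Internal addresses are
# 10.0.0.0/8; the public web server and the outbound proxy are single hosts.
INTERNAL = "10.0.0.0/8"
WEB_SERVER = "10.0.1.10/32"
PROXY = "10.0.1.20/32"

POLICY: List[Rule] = [
    # Anti-spoofing: a packet arriving from the Internet must not claim an inside source.
    Rule("deny", direction="in", src=INTERNAL),
    # Only the web ports of the public server are reachable from outside.
    Rule("allow", direction="in", proto="tcp", dst=WEB_SERVER, dport=80),
    Rule("allow", direction="in", proto="tcp", dst=WEB_SERVER, dport=443),
    # All traffic to the Internet must originate from the proxy server.
    Rule("allow", direction="out", src=PROXY),
    # Explicit default deny: whatever the policy did not anticipate is dropped.
    Rule("deny"),
]


def explain(policy: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return the decision and the index of the rule that made it; a policy
    with no matching rule still denies, so the default is safe."""
    for index, rule in enumerate(policy):
        if rule.matches(pkt):
            return rule.action, index
    return "deny", None


def filter_packet(policy: List[Rule], pkt: Packet) -> str:
    return explain(policy, pkt)[0]


def audit_log(policy: List[Rule], packets: List[Packet]) -> List[str]:
    """One log line per packet, the raw material a detection team reviews."""
    lines = []
    for pkt in packets:
        action, index = explain(policy, pkt)
        rule = "no rule" if index is None else f"rule {index}"
        lines.append(f"{action:5} {pkt.direction:3} {pkt.proto} "
                     f"{pkt.src}->{pkt.dst}:{pkt.dport} ({rule})")
    return lines


# Constructed sample traffic: legitimate web visits, a port scan, a spoofed
# source, the proxy going out, and a workstation trying to bypass the proxy.
SAMPLE_TRAFFIC = [
    Packet("in", "tcp", "203.0.113.5", "10.0.1.10", 443),
    Packet("in", "tcp", "203.0.113.5", "10.0.1.10", 22),
    Packet("in", "tcp", "10.0.1.50", "10.0.1.10", 80),
    Packet("out", "tcp", "10.0.1.20", "198.51.100.7", 443),
    Packet("out", "tcp", "10.0.1.77", "198.51.100.7", 80),
    Packet("in", "udp", "203.0.113.5", "10.0.1.10", 80),
]

if __name__ == "__main__":
    print("\n".join(audit_log(POLICY, SAMPLE_TRAFFIC)))
```

Of the six sample packets only the HTTPS visit to the web server and the proxy's own outbound connection are allowed; the other four are denied, and the log line records which rule fired so that a denied packet can be traced back to the policy decision behind it.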

Slide 5-34

Page 35: Ch08-Online Security and Payment Systems

Firewalls and Proxy Servers

Figure 5.13, Page 301

Slide 5-35

Page 36: Ch08-Online Security and Payment Systems

Protecting Servers and Clients

Operating system security enhancements

Upgrades, patches

Anti-virus software

Easiest and least expensive way to prevent threats to system integrity

Requires daily updates

Slide 5-36

Page 37: Ch08-Online Security and Payment Systems

Management Policies, Business Procedures, and Public Laws

U.S. firms and organizations spend 12% of IT budget on security hardware, software, services ($120 billion in 2009)

Managing risk includes

Technology

Effective management policies

Public laws and active enforcement

Slide 5-37

Page 38: Ch08-Online Security and Payment Systems

A Security Plan: Management Policies

Risk assessment

Security policy

Implementation plan

Security organization

Access controls

Authentication procedures, including biometrics

Authorization policies, authorization management systems

Security audit

Slide 5-38

Page 39: Ch08-Online Security and Payment Systems

Developing an E-commerce Security Plan

Figure 5.14, Page 303

Slide 5-39

Page 40: Ch08-Online Security and Payment Systems

Insight on Technology

Securing Your Information: Cleversafe Hippie Storage

Class Discussion

What is LOCKSS? What are the advantages and disadvantages to LOCKSS?

How is Cleversafe's storage method different? How does it work?

Why is it accurate to say that Cleversafe's method is "green" or "hippie storage"?

Slide 5-40

Page 41: Ch08-Online Security and Payment Systems

The Role of Laws and Public Policy

Laws that give authorities tools for identifying, tracing, prosecuting cybercriminals:

National Information Infrastructure Protection Act of 1996

USA Patriot Act

Homeland Security Act

Private and private–public cooperation

CERT Coordination Center

US-CERT

Government policies and controls on encryption software

OECD guidelines

Slide 5-41

Page 42: Ch08-Online Security and Payment Systems

Types of Payment Systems

Cash

Most common form of payment in terms of number of transactions

Instantly convertible into other forms of value without intermediation

Checking transfer

Second most common payment form in the United States in terms of number of transactions

Credit card

Credit card associations

Issuing banks

Processing centers

Slide 5-42

Page 43: Ch08-Online Security and Payment Systems

Types of Payment Systems

Stored Value

Funds deposited into account, from which funds are paid out or withdrawn as needed, e.g., debit cards, gift certificates

Peer‐to‐peer payment systems

Accumulating Balance

Accounts that accumulate expenditures and to which consumers make periodic payments

E.g., utility, phone, American Express accounts

Slide 5-43

Page 44: Ch08-Online Security and Payment Systems

Table 5.6, Page 312

Source: Adapted from MacKie-Mason and White, 1996.

Slide 5-44

Page 45: Ch08-Online Security and Payment Systems

E-commerce Payment Systems

Credit cards

55% of online payments in 2009

Debit cards

28% of online payments in 2009

Limitations of online credit card payment

Security

Cost

Social equity

Slide 5-45

Page 46: Ch08-Online Security and Payment Systems

How an Online Credit Transaction Works

Figure 5.16, Page 315

Slide 5-46

Page 47: Ch08-Online Security and Payment Systems

E-commerce Payment Systems

Digital wallets

Emulates functionality of wallet by authenticating consumer, storing and transferring value, and securing payment process from consumer to merchant

Early efforts to popularize failed

Newest effort: Google Checkout

Digital cash

Value storage and exchange using tokens

Most early examples have disappeared; protocols and practices too complex

Slide 5-47

Page 48: Ch08-Online Security and Payment Systems

E-commerce Payment Systems

Online stored value systems

Based on value stored in a consumer's bank, checking, or credit card account

PayPal, smart cards

Digital accumulated balance payment

Users accumulate a debit balance for which they are billed at the end of the month

Digital checking:

Extends functionality of existing checking accounts for use online

Slide 5-48

Page 49: Ch08-Online Security and Payment Systems

Wireless Payment Systems

Use of mobile handsets as payment devices well‐established in Europe, Japan, South Korea

Japanese mobile payment systems

E-money (stored value)

Mobile debit cards

Mobile credit cards

Not as well established yet in the United States

Majority of purchases are digital content for use on cell phone

Slide 5-49

Page 50: Ch08-Online Security and Payment Systems

Insight on Business

Mobile Payment's Future: Wavepayme, Textpayme

Group Discussion

What technologies make mobile payment more feasible now than in the past?

Describe some new experiments that are helping to develop mobile payment systems.

How has PayPal responded?

Why haven't mobile payment systems grown faster? What factors will spur their growth?

Slide 5-50

Page 51: Ch08-Online Security and Payment Systems

Electronic Billing Presentment and Payment (EBPP)

Online payment systems for monthly bills

40%+ of households in 2009 used some EBPP; expected to grow significantly

Two competing EBPP business models:

1. Biller-direct (dominant model)

2. Consolidator

Both models are supported by EBPP infrastructure providers

Slide 5-51