E-commerce
business. technology. society.
Sixth Edition
Montri Wiboonrat, Ph.D.
Chapter 5
Online Security and Payment Systems
Slide 5-2
Cyberwar Becomes a Reality
Class Discussion
What is a DDoS attack?
What are botnets? Why are they used in DDoS attacks?
What percentage of computers belong to botnets? What percentage of spam is sent by botnets?
Can anything be done to stop DDoS attacks?
Slide 5-3
The E-commerce Security Environment
Overall size and losses of cybercrime unclear
Reporting issues
2008 CSI survey: 49% respondent firms detected security breach in last year
Of those that shared numbers, average loss $288,000
Underground economy marketplace
Stolen information stored on underground economy servers
Slide 5-4
Types of Attacks Against Computer Systems (Cybercrime)
Figure 5.1, Page 267
Slide 5-5
Source: Based on data from Computer Security Institute, 2009.
What Is Good E-commerce Security?
To achieve highest degree of security
New technologies
Organizational policies and procedures
Industry standards and government laws
Other factors
Time value of money
Cost of security vs. potential loss
Security often breaks at weakest link
Slide 5-6
The E-commerce Security Environment
Figure 5.2, Page 270
Slide 5-7
Table 5.2, Page 271
Copyright © 2010 Pearson
Slide 5-8
The Tension Between Security and Other Values
Security vs. ease of use
The more security measures added, the more difficult a site is to use, and the slower it becomes
Security vs. desire of individuals to act anonymously
Use of technology by criminals to plan crimes or threaten nation‐state
Slide 5-9
Security Threats in the E-commerce Environment
Three key points of vulnerability:
1. Client
2. Server
3. Communications pipeline
Slide 5-10
Security Software
Slide 5-11
A Typical E-commerce Transaction
Figure 5.3, Page 273
Slide 5-12
SOURCE: Boncella, 2000.
Vulnerable Points in an E-commerce Environment
Figure 5.4, Page 274
Slide 5-13
SOURCE: Boncella, 2000.
Most Common Security Threats in the E-commerce Environment
Malicious code
Viruses
Worms
Trojan horses
Bots, botnets
Unwanted programs
Browser parasites
Adware
Spyware
Slide 5-14
Most Common Security Threats
Phishing
Deceptive online attempt to obtain confidential information
Social engineering, e‐mail scams, spoofing legitimate Web sites
Use information to commit fraudulent acts (access checking accounts), steal identity
Hacking and cybervandalism
Hackers vs. crackers
Cybervandalism: intentionally disrupting, defacing, destroying Web site
Types of hackers: white hats, black hats, grey hats
Slide 5-15
Most Common Security Threats
Credit card fraud/theft
Fear of stolen credit card information deters online purchases
Hackers target merchant servers; use data to establish credit under false identity
Online companies at higher risk than offline
Spoofing: misrepresenting self by using fake e‐mail address
Pharming: spoofing a Web site
Redirecting a Web link to a new, fake Web site
Spam/junk Web sites
Splogs
Slide 5-16
Most Common Security Threats
Denial of service (DoS) attack
Hackers flood site with useless traffic to overwhelm network
Distributed denial of service (DDoS) attack
Hackers use multiple computers to attack target network
Sniffing
Eavesdropping program that monitors information traveling over a network
Insider jobs
Single largest financial threat
Poorly designed server and client software
Slide 5-17
Technology Solutions
Protecting Internet communications (encryption)
Securing channels of communication (SSL, S‐HTTP, VPNs)
Protecting networks (firewalls)
Protecting servers and clients
Slide 5-18
Tools Available to Achieve Site Security
Slide 5-19
Encryption
Encryption
Transforms data into cipher text readable only by sender and receiver
Secures stored information and information transmission
Provides 4 of 6 key dimensions of e‐commerce security:
1. Message integrity
2. Nonrepudiation
3. Authentication
4. Confidentiality
Slide 5-20
Symmetric Key Encryption
Sender and receiver use same digital key to encrypt and decrypt message
Requires different set of keys for each transaction
Strength of encryption
Length of binary key used to encrypt data
Advanced Encryption Standard (AES)
Most widely used symmetric key encryption
Uses 128‐, 192‐, and 256‐bit encryption keys
Other standards use keys with up to 2,048 bits
Slide 5-21
Public Key Encryption
Uses two mathematically related digital keys
1. Public key (widely disseminated)
2. Private key (kept secret by owner)
Both keys used to encrypt and decrypt message
Once key used to encrypt message, same key cannot be used to decrypt message
Sender uses recipient’s public key to encrypt message; recipient uses his/her private key to decrypt it
Slide 5-22
Public Key Cryptography—A Simple Case
Figure 5.8, Page 290
Slide 5-23
Public Key Encryption Using Digital Signatures and Hash Digests
Hash function:
Mathematical algorithm that produces fixed‐length number called message or hash digest
Hash digest of message sent to recipient along with message to verify integrity
Hash digest and message encrypted with recipient’s public key
Entire cipher text then encrypted with recipient’s private key—creating digital signature—for authenticity, nonrepudiation
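The hash digest and signature check described on this slide, as an added example in Node.js (not part of the original slides). The function names, the choice of SHA-256 with 2048-bit RSA, and the sample message are assumptions of this example; here the signature is produced with the sender's private key and checked by the recipient with the sender's public key.

```javascript
// Added example: hash digest plus digital signature with Node's built-in crypto.
const crypto = require('crypto');

// Fixed-length hash digest: SHA-256 always yields 32 bytes, whatever the input size.
function hashDigest(message) {
  return crypto.createHash('sha256').update(message).digest();
}

// Sender: crypto.sign hashes the message with SHA-256 and applies the
// sender's private key to that digest, producing the digital signature.
function signMessage(senderPrivateKey, message) {
  return { message, signature: crypto.sign('sha256', message, senderPrivateKey) };
}

// Recipient: recompute the digest and check it against the signature with the
// sender's public key. Returns false if the message or the signer differs.
function verifyMessage(senderPublicKey, signed) {
  return crypto.verify('sha256', signed.message, senderPublicKey, signed.signature);
}

// Constructed sample input: two key pairs and a payment instruction.
const sender = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const other = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const signed = signMessage(sender.privateKey, Buffer.from('Pay merchant 42.00 USD'));

// The three situations a recipient has to tell apart.
function runCases() {
  const altered = { ...signed, message: Buffer.from('Pay merchant 4200.00 USD') };
  return {
    genuine: verifyMessage(sender.publicKey, signed),         // integrity + authenticity
    alteredMessage: verifyMessage(sender.publicKey, altered), // digest no longer matches
    wrongSigner: verifyMessage(other.publicKey, signed),      // not this key holder's signature
    digestLengths: [hashDigest('a').length, hashDigest('a'.repeat(100000)).length],
  };
}

console.log(runCases());
```
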
Slide 5-24
Public Key Cryptography with Digital Signatures
Figure 5.9, Page 291
Slide 5-25
Digital Envelopes
Addresses weaknesses of:
Public key encryption
Computationally slow, decreased transmission speed, increased processing time
Symmetric key encryption
Insecure transmission lines
Uses symmetric key encryption to encrypt document
Uses public key encryption to encrypt and send symmetric key
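A digital envelope as described above, written as an added example in Node.js (not part of the original slides). The function names, the use of AES-256-GCM for the document and RSA-OAEP for the key, and the sample order file are assumptions of this example.

```javascript
// Added example: digital envelope using Node's built-in crypto module.
const crypto = require('crypto');

// RSA-OAEP settings for wrapping the symmetric key (an assumption of this example).
const oaep = (key) => ({
  key, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256',
});

// Sender: encrypt the document with a one-time AES-256 key (fast, any size),
// then encrypt only that 32-byte key with the recipient's public key.
function sealEnvelope(recipientPublicKey, document) {
  const sessionKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', sessionKey, iv);
  const ciphertext = Buffer.concat([cipher.update(document), cipher.final()]);
  const tag = cipher.getAuthTag();
  const wrappedKey = crypto.publicEncrypt(oaep(recipientPublicKey), sessionKey);
  return { wrappedKey, iv, tag, ciphertext };
}

// Recipient: recover the AES key with the private key, then decrypt the document.
// decipher.final() throws if the ciphertext or tag was altered in transit.
function openEnvelope(recipientPrivateKey, envelope) {
  const sessionKey = crypto.privateDecrypt(oaep(recipientPrivateKey), envelope.wrappedKey);
  const decipher = crypto.createDecipheriv('aes-256-gcm', sessionKey, envelope.iv);
  decipher.setAuthTag(envelope.tag);
  return Buffer.concat([decipher.update(envelope.ciphertext), decipher.final()]);
}

// Public key encryption alone cannot carry a whole document: RSA-OAEP with a
// 2048-bit key and SHA-256 accepts at most 190 bytes of plaintext.
function rsaAloneAccepts(recipientPublicKey, document) {
  try {
    crypto.publicEncrypt(oaep(recipientPublicKey), document);
    return true;
  } catch (err) {
    return false;
  }
}

// Constructed sample input: a recipient key pair and a 100 KB order file.
const recipient = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const order = Buffer.alloc(100 * 1024, 'order-line;');
const envelope = sealEnvelope(recipient.publicKey, order);
console.log('round trip ok:', openEnvelope(recipient.privateKey, envelope).equals(order));
console.log('RSA alone accepts the file:', rsaAloneAccepts(recipient.publicKey, order));
```
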
Slide 5-26
Creating a Digital Envelope
Figure 5.10, Page 293
Slide 5-27
Digital Certificates and Public Key Infrastructure (PKI)
Digital certificate includes:
Name of subject/company
Subject’s public key
Digital certificate serial number
Expiration date, issuance date
Digital signature of certification authority (trusted third party institution) that issues certificate
Public Key Infrastructure (PKI):
CAs and digital certificate procedures that are accepted by all parties
Slide 5-28
Digital Certificates and Certification Authorities
Figure 5.11, Page 294
Slide 5-29
Limits to Encryption Solutions
Doesn’t protect storage of private key
PKI not effective against insiders, employees
Protection of private keys by individuals may be haphazard
No guarantee that verifying computer of merchant is secure
CAs are unregulated, self‐selecting organizations
Slide 5-30
Insight on Society
In Pursuit of E-mail Security
Class Discussion
What are some of the current risks and problems with using e‐mail?
What are some of the technology solutions that have been developed?
Are these solutions compatible with modern law?
Consider the benefits of a thorough business record retention policy. Do you agree that these benefits are worth giving up some control of your e‐mail?
Slide 5-31
Securing Channels of Communication
Secure Sockets Layer (SSL):
Establishes a secure, negotiated client‐server session in which URL of requested document, along with contents, is encrypted
S‐HTTP:
Provides a secure message‐oriented communications protocol designed for use in conjunction with HTTP
Virtual Private Network (VPN):
Allows remote users to securely access internal network via the Internet, using Point‐to‐Point Tunneling Protocol (PPTP)
Slide 5-32
Secure Negotiated Sessions Using SSL
Figure 5.12, Page 298
Slide 5-33
Protecting Networks
Firewall
Hardware or software that filters packets
Prevents some packets from entering the network based on security policy
Two main methods:
1. Packet filters
2. Application gateways
Proxy servers (proxies)
Software servers that handle all communications originating from or being sent to the Internet
Slide 5-34
Firewalls and Proxy Servers
Figure 5.13, Page 301
Slide 5-35
Protecting Servers and Clients
Operating system security enhancements
Upgrades, patches
Anti‐virus software
Easiest and least expensive way to prevent threats to system integrity
Requires daily updates
Slide 5-36
Management Policies, Business Procedures, and Public Laws
U.S. firms and organizations spend 12% of IT budget on security hardware, software, services ($120 billion in 2009)
Managing risk includes
Technology
Effective management policies
Public laws and active enforcement
Slide 5-37
A Security Plan: Management Policies
Risk assessment
Security policy
Implementation plan
Security organization
Access controls
Authentication procedures, including biometrics
Authorization policies, authorization management systems
Security audit
Slide 5-38
Developing an E-commerce Security Plan
Figure 5.14, Page 303
Slide 5-39
Insight on Technology
Securing Your Information: Cleversafe Hippie Storage
Class Discussion
What is LOCKSS? What are the advantages and disadvantages to LOCKSS?
How is Cleversafe’s storage method different? How does it work?
Why is it accurate to say that Cleversafe’s method is “green” or “hippie storage”?
Slide 5-40
The Role of Laws and Public Policy
Laws that give authorities tools for identifying, tracing, prosecuting cybercriminals:
National Information Infrastructure Protection Act of 1996
USA Patriot Act
Homeland Security Act
Private and private–public cooperation
CERT Coordination Center
US‐CERT
Government policies and controls on encryption software
OECD guidelines
Slide 5-41
Types of Payment Systems
Cash
Most common form of payment in terms of number of transactions
Instantly convertible into other forms of value without intermediation
Checking transfer
Second most common payment form in the United States in terms of number of transactions
Credit card
Credit card associations
Issuing banks
Processing centers
Slide 5-42
Types of Payment Systems
Stored Value
Funds deposited into account, from which funds are paid out or withdrawn as needed, e.g., debit cards, gift certificates
Peer‐to‐peer payment systems
Accumulating Balance
Accounts that accumulate expenditures and to which consumers make periodic payments
E.g., utility, phone, American Express accounts
Slide 5-43
Table 5.6, Page 312
Source: Adapted from MacKie‐Mason and White, 1996.
Slide 5-44
E-commerce Payment Systems
Credit cards
55% of online payments in 2009
Debit cards
28% of online payments in 2009
Limitations of online credit card payment
Security
Cost
Social equity
Slide 5-45
How an Online Credit Transaction Works
Figure 5.16, Page 315
Slide 5-46
E-commerce Payment Systems
Digital wallets
Emulates functionality of wallet by authenticating consumer, storing and transferring value, and securing payment process from consumer to merchant
Early efforts to popularize failed
Newest effort: Google Checkout
Digital cash
Value storage and exchange using tokens
Most early examples have disappeared; protocols and practices too complex
Slide 5-47
E-commerce Payment Systems
Online stored value systems
Based on value stored in a consumer’s bank, checking, or credit card account
PayPal, smart cards
Digital accumulated balance payment
Users accumulate a debit balance for which they are billed at the end of the month
Digital checking:
Extends functionality of existing checking accounts for use online
Slide 5-48
Wireless Payment Systems
Use of mobile handsets as payment devices well‐established in Europe, Japan, South Korea
Japanese mobile payment systems
E‐money (stored value)
Mobile debit cards
Mobile credit cards
Not as well established yet in the United States
Majority of purchases are digital content for use on cell phone
Slide 5-49
Insight on Business
Mobile Payment’s Future: Wavepayme, Textpayme
Group Discussion
What technologies make mobile payment more feasible now than in the past?
Describe some new experiments that are helping to develop mobile payment systems.
How has PayPal responded?
Why haven’t mobile payment systems grown faster? What factors will spur their growth?
Slide 5-50
Electronic Billing Presentment and Payment (EBPP)
Online payment systems for monthly bills
40% + of households in 2009 used some EBPP; expected to grow significantly
Two competing EBPP business models:
1. Biller‐direct (dominant model)
2. Consolidator
Both models are supported by EBPP infrastructure providers
Slide 5-51