chapter 5

Upload: sumitguha

Post on 07-Jan-2016

Category: Documents

DESCRIPTION

Have a look

TRANSCRIPT

  • 7/17/2019 Chapter 5

    1/43

    7.1 @ Lalit Sharma, JIM

    Online Security and Payment Systems

  • 2/43

    The E-commerce Security Environment

  • 3/43

    Customer and Merchant Perspectives on the Different

    Dimensions of E-commerce Security

  • 4/43

    Security Threats in the E-commerce Environment

    Three key points of vulnerability: client, server, communications channel

  • 5/43

    A Typical E-commerce Transaction

  • 6/43

    Vulnerable Points in an E-commerce Environment

  • 7/43

    Most Common Security Threats in the E-commerce Environment

    Malicious code (viruses, worms, Trojans)

    Unwanted programs (spyware, browser parasites)

    Phishing/identity theft

    Hacking and cybervandalism

    Credit card fraud/theft

    Spoofing (pharming)/spam (junk) Web sites

    DoS and DDoS attacks

    Sniffing

    Insider attacks

    Poorly designed server and client software

  • 8/43

    Malicious Code

    Viruses: Have ability to replicate and spread to other files; most also deliver a "payload" of some sort (destructive or benign); include macro viruses, file-infecting viruses, and script viruses

    Worms: Designed to spread from computer to computer

    Trojan horse: Appears to be benign, but then does something other than expected

    Bots: Can be covertly installed on a computer; respond to external commands sent by the attacker

  • 9/43

    Unwanted Programs

    Installed without the user's informed consent

    Browser parasites: Can monitor and change settings of a user's browser

    Adware: Calls for unwanted pop-up ads

    Spyware: Can be used to obtain information, such as a user's keystrokes, e-mail, IMs, etc.

  • 10/43

    Phishing and Identity Theft

    Any deceptive, online attempt by a third party to obtain confidential information for financial gain

    Most popular type: e-mail scam letter

    One of fastest growing forms of e-commerce crime

  • 11/43

    Hacking and Cybervandalism

    Hacker: Individual who intends to gain unauthorized access to computer systems

    Cracker: Hacker with criminal intent (two terms often used interchangeably)

    Cybervandalism: Intentionally disrupting, defacing or destroying a Web site

  • 12/43

    Credit Card Fraud

    Fear that credit card information will be stolen deters online purchases

    Hackers target credit card files and other customer information files on merchant servers; use stolen data to establish credit under false identity

    One solution: New identity verification mechanisms

    Another: do not keep full card numbers on merchant systems at all; store only a masked number and a lookup token, so that a compromised server yields nothing a fraudster can charge against
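An added example (my code, not material from the slides) of the data-at-rest side of this slide: what a merchant record should hold instead of the card number. The key handling, the helper names and the record layout are assumptions for illustration; 4111111111111111 is the standard Visa test number, not a real account.

```python
import hashlib
import hmac

def _digits(pan: str) -> str:
    """Keep only digits so '4111 1111 1111 1111' and the bare form compare equal."""
    return "".join(c for c in pan if c.isdigit())

def luhn_valid(pan: str) -> bool:
    """Luhn check digit test. Catches typos and obviously fake input; it says
    nothing about whether the card is real or the holder is who they claim."""
    digits = [int(c) for c in _digits(pan)]
    if not 12 <= len(digits) <= 19:
        return False
    parity = len(digits) % 2
    total = 0
    for i, d in enumerate(digits):
        if i % 2 == parity:          # every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Display form allowed by PCI DSS: first 6 (BIN) and last 4 digits only."""
    d = _digits(pan)
    return d[:6] + "*" * (len(d) - 10) + d[-4:]

def pan_token(pan: str, key: bytes) -> str:
    """Keyed lookup token for 'same card as before?' questions.
    An unkeyed SHA-256 would NOT do: the PAN space is small enough to hash
    exhaustively, so the hash would just be the card number in disguise.
    The key belongs in an HSM/KMS, never in the same database as the tokens."""
    return hmac.new(key, _digits(pan).encode(), hashlib.sha256).hexdigest()

def card_record(pan: str, key: bytes) -> dict:
    """What the merchant database keeps; the full PAN is never part of it."""
    if not luhn_valid(pan):
        raise ValueError("PAN fails Luhn check")
    d = _digits(pan)
    return {"bin": d[:6], "last4": d[-4:],
            "display": mask_pan(pan), "token": pan_token(pan, key)}

def contains_pan(record: dict, pan: str) -> bool:
    """Sanity check for logs and dumps: does any stored value carry the PAN?"""
    return any(_digits(pan) in str(v) for v in record.values())
```

The token lets the merchant recognise a returning card (velocity checks, refunds to the same instrument) without being able to charge it; actual charging goes through a tokenization service or payment gateway that holds the PAN on the merchant's behalf.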

  • 13/43

    Spoofing (Pharming) and Spam (Junk) Web Sites

    Spoofing: Misrepresenting oneself by using fake e-mail addresses or masquerading as someone else; pharming is the variant that redirects users to a counterfeit site by subverting DNS name resolution, so even a correctly typed address lands on the attacker's server

    Threatens integrity of site; authenticity

    Spam (Junk) Web sites: Use domain names similar to legitimate one (typos, look-alike characters, the brand name as a subdomain of an unrelated domain), redirect traffic to spammer-redirection domains
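The "domain names similar to legitimate one" point, as an added example (my code, not the slides'): a classifier that folds the usual look-alike tricks before comparing a host name against a list of defended brands. The brand list, the homoglyph table and the threshold are constructed assumptions; a production version would also consult the Public Suffix List and a certificate-transparency feed.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed list of domains the merchant defends (assumption for the example).
LEGITIMATE = ("example-bank.com", "paypal.com", "amazon.com")

# Substitutions commonly seen in look-alike registrations; folded before comparing.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "|": "l",
              "3": "e", "5": "s", "7": "t"}

def registrable(host: str) -> str:
    """Last two labels. A real deployment uses the Public Suffix List so that
    'shop.co.uk' is not treated as the registrable domain 'co.uk'."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def fold(label: str) -> str:
    """Strip non-ASCII (a Cyrillic 'а' simply disappears, leaving a near-miss
    that the similarity test catches) and undo digit-for-letter swaps, so
    'paypa1' and 'arnazon' compare as 'paypal' and 'amazon'."""
    ascii_only = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()
    for glyph, letter in HOMOGLYPHS.items():
        ascii_only = ascii_only.replace(glyph, letter)
    return ascii_only

def classify(host: str, threshold: float = 0.8):
    """Return (verdict, matched legitimate domain or None).
    verdict is 'legitimate', 'lookalike' or 'unrelated'."""
    host = host.lower().rstrip(".")
    reg = registrable(host)
    if reg in LEGITIMATE:
        return "legitimate", reg
    name = fold(reg.split(".")[0])
    for legit in LEGITIMATE:
        brand = legit.split(".")[0]
        if brand in host:                   # paypal.com.evil.net, secure-paypal.com
            return "lookalike", legit
        if name == brand or SequenceMatcher(None, name, brand).ratio() >= threshold:
            return "lookalike", legit       # paypa1.com, amaz0n.com, arnazon.com
    return "unrelated", None
```

The brand-substring rule deliberately over-triggers (a legitimate `amazonaws.com` would be flagged): the output is a review queue for the fraud team, not an automatic block list.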

  • 14/43

    DoS and DDoS Attacks

    Denial of service (DoS) attack: Hackers flood Web site with useless traffic to inundate and overwhelm network

    Distributed denial of service (DDoS) attack: Hackers use numerous computers (typically a botnet built from the bots of slide 8) to attack target network from numerous launch points

  • 15/43

    Other Security Threats

    Sniffing: Type of eavesdropping program that monitors information traveling over a network; enables hackers to steal proprietary information from anywhere on a network. A purely passive sniffer is nearly impossible to detect from the victim's side, so the defense is to encrypt the channel rather than to hunt for the listener

    Insider jobs: Single largest financial threat

    Poorly designed server and client software: Increase in complexity of software programs has contributed to increase in vulnerabilities that hackers can exploit

  • 16/43

    Technology Solutions

    Protecting Internet communications (encryption)

    Securing channels of communication (SSL/TLS, S-HTTP, VPNs)

    Protecting networks (firewalls)

    Protecting servers and clients

  • 17/43

    Tools !vailable to !chieve Site Security

  • 18/43

    Protecting Internet Communications: Encryption

    Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone other than the sender and receiver

    Purpose: Secure stored information and information transmission

    Provides:

    Message integrity

    Nonrepudiation

    Authentication

    Confidentiality

    (Encryption on its own gives only confidentiality. Integrity and authentication come from a message authentication code or a digital signature computed over the data, and nonrepudiation specifically needs a digital signature: a shared symmetric key can be used by either party to produce the same tag, so neither can prove the other made it.)

  • 19/43

    Symmetric (figure slide; title cut off in the transcript)

  • 20/43 to 23/43

    Public (four figure slides; titles cut off in the transcript)
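As an added example for the encryption slide and the symmetric/public-key figure slides above (my code, not from the slides): the same tampered order is checked first with an HMAC under a shared key and then with a digital signature, to show which of the four listed properties each one can actually deliver. The RSA key is a toy built from two well-known Mersenne primes with no padding scheme, purely so the block runs on the standard library; the order strings are constructed.

```python
import hashlib
import hmac
import secrets

# ---- symmetric: one key shared by customer and merchant ----------------------
def mac(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()

def mac_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac(key, message), tag)

# ---- public key: textbook RSA over a SHA-256 digest (TOY parameters) --------
# Public, well-known primes and no padding: enough to show the mechanism,
# useless as a real key. Real code uses a library (RSA-PSS or Ed25519).
P = (1 << 521) - 1
Q = (1 << 607) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)

def _digest(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes, d: int = D) -> int:
    """Signer applies the private exponent to the hash of the message."""
    return pow(_digest(message), d, N)

def verify(message: bytes, signature: int, e: int = E) -> bool:
    """Anyone with the public exponent recovers the hash and compares."""
    return pow(signature, e, N) == _digest(message)

def demo() -> dict:
    """Check one order under both schemes; returns a name -> bool map."""
    order = b"order=1001;amount=49.99;ship_to=customer"      # constructed
    altered = b"order=1001;amount=4999.00;ship_to=mule"      # attacker's edit
    shared_key = secrets.token_bytes(32)
    tag = mac(shared_key, order)
    sig = sign(order)
    return {
        # integrity + authentication: both schemes detect the edit
        "mac_accepts_original": mac_verify(shared_key, order, tag),
        "mac_rejects_altered": not mac_verify(shared_key, altered, tag),
        "sig_accepts_original": verify(order, sig),
        "sig_rejects_altered": not verify(altered, sig),
        # nonrepudiation: the merchant holds the shared key too, so it can
        # mint a valid tag for an order the customer never placed ...
        "merchant_can_forge_mac": mac_verify(shared_key, altered, mac(shared_key, altered)),
        # ... but without D the best it can do is guess a signature
        "merchant_can_forge_sig": verify(altered, secrets.randbelow(N)),
    }
```

A dispute over the altered order can only be settled in the signature case: the customer can always deny a MAC tag, because the merchant could have produced it.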

  • 24/43

    Securing Channels of Communication

    Secure Sockets Layer (SSL): Most common form of securing channels of communication; used to establish a secure negotiated session (client-server session in which URL of requested document, along with contents, is encrypted). SSL 2.0 and 3.0 are broken and have been superseded by TLS; a current deployment should require TLS 1.2 or later and must verify the server certificate and host name, otherwise the encryption protects against nobody who can sit on the path. The host name itself normally still travels in the clear in the handshake (SNI); only the path and contents are encrypted.

    S-HTTP: Alternative method; provides a secure message-oriented communications protocol designed for use in conjunction with HTTP. It never saw meaningful adoption.

    Virtual Private Networks (VPNs): Allow remote users to securely access internal networks via the Internet, using Point-to-Point Tunneling Protocol (PPTP). PPTP's MS-CHAPv2 authentication has been practically broken since 2012; IPsec/IKEv2, TLS-based VPNs or WireGuard are what is deployed now.

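The "secure negotiated session" of the SSL bullet, as an added example (my code, not from the slides): a client-side TLS context configured the way it should be today, next to the disable-everything variant still common in application code, with a small audit function that reports what a reviewer would flag. `cafile` and the `connect` helper are assumptions for illustration; the checks themselves run offline.

```python
import socket
import ssl
from typing import List, Optional

def insecure_context() -> ssl.SSLContext:
    """Weak setting, shown for contrast: the session is encrypted but the
    client trusts any certificate and any protocol version. An on-path
    attacker presents its own certificate and reads the 'encrypted' traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED   # whatever the peer offers
    return ctx

def hardened_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Verified peer, host name matched, TLS 1.2 floor. `cafile` (assumption)
    points at a private CA bundle; None means the system trust store."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # SSL 2/3 and TLS 1.0/1.1 refused
    return ctx

def audit(ctx: ssl.SSLContext) -> List[str]:
    """Findings a reviewer would raise against a context; empty means acceptable."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the host name")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor is below TLS 1.2")
    return findings

def connect(host: str, port: int = 443, ctx: Optional[ssl.SSLContext] = None) -> ssl.SSLSocket:
    """Open a verified session (needs network; not exercised by the offline checks).
    server_hostname both selects the certificate via SNI and is what the
    host-name check compares against."""
    ctx = ctx or hardened_context()
    raw = socket.create_connection((host, port))
    return ctx.wrap_socket(raw, server_hostname=host)
```

Run `audit()` over every context an application builds; the three findings it reports are exactly the three mistakes that turn "encrypted" into "encrypted to whoever answered".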
  • 25/43

    Protecting Networks: Firewalls and Proxy Servers

    Firewall: Hardware or software that filters communications packets; prevents some packets from entering the network based on a security policy

    Firewall methods include: Packet filters (decide on header fields: addresses, protocol, ports, interface), Application gateways (understand the application protocol and can inspect the payload)

    Proxy servers: Software servers that handle all communications originating from or being sent to the Internet
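The packet-filter method, as an added example (my code, not from the slides): a minimal stateless filter with first-match rules and a default deny, run over constructed sample packets. The policy, addresses and interface names are assumptions; the point it shows is that rule order is part of the policy, since swapping the anti-spoofing rule below the admin-access rule lets a forged internal source address through.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    iface: str        # interface the packet arrived on: "wan" or "lan"
    src: str
    dst: str
    proto: str        # "tcp", "udp", "icmp"
    dport: int = 0

@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    iface: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (self.iface in ("any", pkt.iface)
                and self.proto in ("any", pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src)
                and (self.dport is None or self.dport == pkt.dport))

# Constructed policy. First match wins; no match means deny.
POLICY = [
    # 0. Anti-spoofing: internal addresses never arrive from the Internet.
    Rule("deny", iface="wan", src="10.0.0.0/8"),
    # 1. Public web service from anywhere.
    Rule("allow", proto="tcp", dport=443),
    # 2. Management only from the admin subnet. Rule 0 is what keeps WAN
    #    packets that merely claim an admin source from reaching this line.
    Rule("allow", proto="tcp", src="10.0.5.0/24", dport=22),
]

def decide(pkt: Packet, policy: List[Rule] = POLICY) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule, or None for the default deny)."""
    for i, rule in enumerate(policy):
        if rule.matches(pkt):
            return rule.action, i
    return "deny", None

# Constructed traffic sample: the last packet is a spoofed admin address on WAN.
SAMPLE = [
    Packet("wan", "198.51.100.7", "203.0.113.10", "tcp", 443),
    Packet("lan", "10.0.5.7", "203.0.113.10", "tcp", 22),
    Packet("wan", "198.51.100.7", "203.0.113.10", "tcp", 22),
    Packet("wan", "198.51.100.7", "203.0.113.10", "udp", 53),
    Packet("wan", "10.0.5.7", "203.0.113.10", "tcp", 22),
]

def run(packets: List[Packet], policy: List[Rule] = POLICY) -> List[str]:
    """One log-style line per packet, so a rule change can be diffed."""
    lines = []
    for p in packets:
        action, idx = decide(p, policy)
        why = f"rule {idx}" if idx is not None else "default"
        lines.append(f"{action.upper():5} {p.iface} {p.src}->{p.dst}/{p.proto}:{p.dport} ({why})")
    return lines
```

What a packet filter cannot do is also visible here: the first packet is allowed because it is TCP to port 443, whatever its payload contains. Inspecting that payload is the application gateway's job.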

  • 26/43

    Firewalls and Proxy Servers

  • 27/43

    Protecting Servers and Clients

    Operating system controls: Authentication and access control mechanisms

    Anti-virus software: Easiest and least expensive way to prevent threats to system integrity; it is largely signature-based, so treat it as a floor rather than a substitute for patching the poorly designed software of slide 15

  • 28/43

    Developin) an E-commerce Security Plan

  • 29/43

    Types of Payment Systems

    Cash

    Cheque transfer

    Credit card

    Stored value

    Accumulating balance

  • 30/43

    Cash

    Legal tender

    Most common form of payment in terms of number of transactions

    Instantly convertible into other forms of value without intermediation

    Portable, requires no authentication

    "Free" (no transaction fee), anonymous, low cognitive demands

    Limitations: easily stolen, limited to smaller transactions, does not provide any float

  • 31/43

    Checking Transfer

    Funds transferred directly via signed draft/cheque from a consumer's account to merchant/other individual

    Most common form of payment in terms of amount spent

    Can be used for small and large transactions

    Some float

    Not anonymous, requires third-party intervention (banks)

    Introduces security risks for merchants (forgeries, stopped payments), so authentication typically required

  • 32/43

    Credit Card

    Represents account that extends credit to consumers; allows consumers to make payments to multiple vendors at one time

    Credit card associations: Nonprofit associations (Visa, MasterCard) that set standards for issuing banks

    Issuing banks: Issue cards and process transactions

    Processing centers (clearinghouses): Handle verification of accounts and balances

  • 33/43

    Stored Value

    Accounts created by depositing funds into an account and from which funds are paid out or withdrawn as needed

    Examples: Debit cards, gift certificates, prepaid cards, smart cards

    Peer-to-peer payment systems such as PayPal are a variation

  • 34/43

    Accumulating Balance

    Accounts that accumulate expenditures and to which consumers make periodic payments

    Examples: Utility, phone, American Express accounts

  • 35/43

    Dimensions of Payment Systems

  • 36/43

    E-commerce Payment Systems

    Credit cards are dominant form of online payment, accounting for around [percentage illegible in transcript] of online payments in [year illegible in transcript]

    Other e-commerce payment systems:

    Digital cash

    Online stored value systems

    Digital accumulating balance payment systems

    Digital credit accounts

    Digital checking

  • 37/43

    How an Online Credit Transaction Works

  • 38/43

    Limitations of Online Credit Card Payment Systems

    Security: neither merchant nor consumer can be fully authenticated

    Cost: for merchants, around 3.5% of purchase price plus transaction fee of 20-30 cents per transaction

    Social equity: many people do not have access to credit cards

  • 39/43

    Digital Cash

    One of the first forms of alternative payment systems

    Not really "cash": rather, form of value storage and value exchange that has limited convertibility into other forms of value, and requires intermediaries to convert

    Most early examples have disappeared; concepts survive as part of P2P payment systems

  • 40/43

    Online Stored Value Systems

    Permit consumers to make instant, online payments to merchants and other individuals based on value stored in an online account

    Rely on value stored in a consumer's bank, checking, or credit card account

    PayPal most successful system

    Smart cards another example

  • 41/43

    Digital Accumulating Balance Payment Systems

    Allow users to make micropayments and purchases on the Web, accumulating a debit balance for which they are billed at the end of the month

    Examples: Valista's PaymentsPlus, Clickshare

  • 42/43

    Digital Checking Payment Systems

    Extends functionality of existing checking accounts for use as online shopping payment tool

    Example: PayByCheck

  • 43/43

    Wireless Payment Systems

    Use of mobile handsets as payment devices well-established in Europe, Japan, South