e security e payment
TRANSCRIPT
-
8/12/2019 E Security E Payment
1/70
E- Security & E-Payment
S.P.Sabnis
Don Bosco Institute of Technology
E-Security
Any business, whether a traditional brick-and-mortar (BAM) business, a brick-and-click business or a pure e-business, needs to be concerned about security.
The internet is a public network, so any private network connected to the internet is exposed to potential threats from anywhere on the public network.
In the physical world, crime often leaves evidence such as fingerprints. Similarly, cybercrime also leaves electronic evidence, but unless good security measures are taken it may be difficult to trace the source of a cybercrime.
Goals of security
Integrity of the data sent and received.
Confidentiality of data, so that it is not accessible to others.
Availability: the data ought to be available to the people for whom it is meant.
[Diagram: the three goals Confidentiality, Integrity and Availability]
Violations of security
1. Interception: Intercept the data with the intent of spying on it.
The man in the middle just listens to your communication. Imagine someone listening to national secrets.
2. Interruption: Interrupt the data and cut it off, as shown.
The messages are received and the receiver is prevented from receiving them. The sender will believe that the receiver has received the message, but the receiver has not received it. (Suppose you want to fire a missile, but the missile software is not receiving your commands, and worse, you think the missile has been fired :)
3. Modification: Intercept the data, modify it and send different data to the receiver, as shown.
The man in the middle receives the message, modifies it and then sends it to the actual receiver. (Imagine if the target of the missile is changed to your own country.)
4. Fabrication: Fabricate fake data and send the new data to the receiver, as shown.
The man in the middle simply fabricates a new message and sends it to the receiver. The receiver will believe that the message came from the sender. (Imagine a missile being fired at your friendly nations :)
General security issues
Connection to the internet: Private computer networks are at risk from potential threats from anywhere on the public internet.
Unknown risks: New security holes and methods of attacking networks are being discovered with alarming frequency.
Customer privacy and security of customer information: Not only are steps required to protect the privacy of customer information, but customers must also be made aware of those steps and have confidence in them.
Security consciousness: Management and employees must understand the importance of security policies and procedures.
Network and website security risks
An e-business must protect itself against unauthorised access to its computer network, denial of service traffic overloads, and intrusion of destructive viruses.
Malicious hackers, or crackers, gain access to steal valuable information such as credit card numbers, attempt to disrupt service, or cause other damage.
Denial of service attacks
A DoS is an attack on a network that is designed to disable the network by flooding it with useless traffic or activity. A distributed denial of service, or DDoS, attack uses multiple computers to launch a DoS attack. While a DoS attack does not do any technical damage, it can do substantial damage to an e-business, as every lost second may result in loss of revenue.
The attacker first breaks into thousands of insecure computers on the internet and installs an attack program, then coordinates them all to attack the target simultaneously. Traditional defences do not work against the attack and the system crashes.
DoS attacks do not affect the data on the website. They cannot steal credit card numbers or proprietary information, nor can they transfer money out of bank accounts. Still, they are very serious. For most big corporations the biggest risk of a security breach is loss of income or loss of reputation, either of which is achieved by a conspicuous DoS attack.
Viruses
Viruses are the most common security risk faced by e-businesses. A virus is a small program that inserts itself into other program files, thereby infecting those files. The virus spreads when an infected program is executed, which then infects other programs.
The consequences of a virus attack can be:
Inability to boot
Deletion of files
Deletion of data on the hard disc
Inability to create files
Inability to save files
Logic bomb: a virus which is triggered by an event, such as a combination of a particular day and date.
Trojan horse: a special type of virus that emulates a benign application. It appears to do something useful but actually destroys files or creates a back-door entry to give access to an intruder. A Trojan horse may come as spam e-mail or through a program download.
Worm: a worm replaces a document or an application with its own code and then copies itself.
Macro virus: infects an MS Word or Excel macro (a short program). It gets introduced into a computer system as part of a Word or Excel file received through e-mail. Opening the mail or the file triggers the macro virus.
E-Business Risk Management Issues
For an e-business, e-security issues are business issues and not just technology issues. Therefore e-businesses must consider the direct financial impact of such risks, e.g.
1. Business interruptions caused by website defacement or denial of service attacks
2. Litigation and settlement costs over employees' inappropriate use of e-mail and the internet
3. Product or service claims against items advertised and sold via a website
4. Web-related copyright, trademark and patent infringement lawsuits, and
5. Natural or weather-related disasters.
E-business risk management program
An effective risk management program shall include the following:
A. Network and website security and intruder detection programs
B. Antivirus protection
C. Firewalls
D. Sound security policies and procedures
E. Employee education
F. Transfer of risk via insurance
Firewall
An internet firewall is a system that enforces a security policy between an organisation's network and the internet. The firewall decides which internal services may be accessed from outside (the internet) and which outside services can be accessed from inside.
All the traffic coming into and going out from the company's network must pass through the firewall. The firewall implements a security policy. The security policy is communicated to all the users. It defines the responsibilities of users, defines network access, local and remote user authentication, etc.
[Diagram: Company's Network - FIREWALL - Internet]
The sender sends data in the form of packets. The firewall checks the packet, applies the security policy and, if the packet passes the criteria laid down by the policy, the packet will be received by the receiver.
A firewall can be a router, a PC, or a collection of PCs (called hosts). It creates a perimeter defence designed to protect the information resources of the organisation.
Controlled access to site systems:
A firewall also provides the ability to control access to site systems. E.g. some hosts can be made reachable from outside, whereas others can be effectively sealed off from unwanted access.
Every user of the network is authenticated every time. Only mail servers will be open to everyone.
Concentrated Security
A firewall can be less expensive by locating additional security software on the firewall system rather than distributing it over many hosts. One-time password systems and other add-on authentication software could be located at the firewall.
Enhanced Privacy
Using a firewall, some sites wish to block services like finger and the Domain Name Service, which display information about users. These could leak information to attackers which may be used maliciously.
Need for usage statistics on the network
If all access to and from the internet passes through the firewall, the firewall can log accesses and provide valuable statistics about network usage.
With appropriate alarms, the firewall can also provide details of suspicious activity that occurs, i.e. whether the firewall and network are being probed or attacked.
Policy Enforcement: The firewall provides the means for implementing and enforcing a network access policy. The administrator can decide the way user access is controlled.
Components of a Firewall
The primary aspects of a firewall are
1. Network policy
2. Advanced authentication mechanism
3. Packet filtering
4. Application gateways
Network Policy
There are two levels of policy.
The higher-level policy is an issue-specific network access policy that defines those services which will be allowed or explicitly denied from the restricted network, how these services will be used, and the conditions for exceptions to the policy.
The lower-level policy describes how the firewall will actually go about restricting the access and filtering the services that are defined in the higher-level policy.
Service Access Policy
The idea is to provide a balance between protecting the network from known risks, while still providing users access to network resources.
A typical policy may be to allow no access to a site from the internet, but allow access from the site to the internet. Another typical policy would be to allow limited access from the internet, such as to information servers and e-mail servers.
Firewalls often implement service access policies that allow some access from the internet to selected internal hosts, but it will be granted only if necessary and with advanced authentication.
Firewall design policy
The firewall design policy defines the rules used to implement the service access policy. Firewalls generally work on one of two basic design policies:
1) Permit any service unless it is expressly denied.
2) Deny any service unless it is expressly permitted.
The first policy allows all services to pass into the site by default, with the exception of a few disallowed services. The second policy denies all services by default, but passes those which are allowed. The second policy is the one used for information security.
Advanced Authentication
One of the reasons for security lapses concerning the identity of internet users has been the weakness of traditional passwords. Intruders can monitor the net for passwords that are transmitted, and thus traditional passwords have become obsolete in secured environments.
Advanced authentication measures such as smartcards, authentication tokens, biometrics and software-based mechanisms are designed to counter the weaknesses of traditional passwords.
The passwords generated by an advanced authentication device cannot be reused by an attacker who has monitored a connection.
Packet Filtering
IP packet filtering is done using a packet filtering router. It usually filters IP packets based on some or all of the following fields:
Source IP address
Destination IP address
TCP/UDP source port
TCP/UDP destination port
Filtering can be used in a variety of ways: to block connections from or to specific hosts or networks, and to block connections to specific ports.
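The following is an added example, not from the slides, that ties the packet-filtering fields above to the two firewall design policies (permit-unless-denied versus deny-unless-permitted) from the earlier slide. The site addresses, rule table and probe packets are constructed for illustration; the decision logic is first-match-wins with the design policy supplying the default.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# A minimal packet-filtering router evaluated under both design policies.
# Addresses come from documentation ranges; the rule table is constructed.

@dataclass(frozen=True)
class Packet:
    src: str       # source IP address
    dst: str       # destination IP address
    proto: str     # "tcp" or "udp"
    sport: int     # TCP/UDP source port
    dport: int     # TCP/UDP destination port


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    src: str = "0.0.0.0/0"         # any source
    dst: str = "0.0.0.0/0"         # any destination
    proto: str = "any"
    sport: Optional[int] = None    # None matches any source port
    dport: Optional[int] = None    # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport))


def decide(rules, pkt: Packet, default: str) -> str:
    """First matching rule wins; otherwise the design policy's default applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed site policy: only the public web server and the mail server on
# 203.0.113.0/24 are reachable from the internet; telnet is explicitly banned.
RULES = [
    Rule("permit", dst="203.0.113.10/32", proto="tcp", dport=80),   # web server
    Rule("permit", dst="203.0.113.25/32", proto="tcp", dport=25),   # mail server
    Rule("deny",   dst="203.0.113.0/24",  proto="tcp", dport=23),   # telnet
]

# Constructed inbound probes from an internet host (198.51.100.7).
PROBES = {
    "web":    Packet("198.51.100.7", "203.0.113.10", "tcp", 40000, 80),
    "mail":   Packet("198.51.100.7", "203.0.113.25", "tcp", 40001, 25),
    "telnet": Packet("198.51.100.7", "203.0.113.10", "tcp", 40002, 23),
    "db":     Packet("198.51.100.7", "203.0.113.40", "tcp", 40003, 3306),
}


def evaluate(default: str) -> dict:
    """Run every probe through the rule table under the given default policy."""
    return {name: decide(RULES, pkt, default) for name, pkt in PROBES.items()}


if __name__ == "__main__":
    # The database probe is the only one no rule mentions: under the
    # "permit unless denied" policy it slips through, under "deny unless
    # permitted" it is dropped, which is why the second policy is preferred.
    for policy in ("permit", "deny"):
        print(f"default={policy}: {evaluate(policy)}")
```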
Application Gateways
To counter some of the weaknesses associated with packet filtering routers, firewalls need to use software applications to forward and filter connections for services such as Telnet and FTP.
Such an application is referred to as a proxy service. The host running the proxy service is called an application gateway.
A combination of packet filter and application gateway provides a higher level of security.
Benefits of an Internet Firewall
It helps the administrator to find out about and keep away hackers, crackers and spies.
It is a convenient point where internet security can be monitored and alarms generated.
The internet firewall is the perfect point to audit or log internet usage.
It is the point where you can deploy WWW and FTP servers.
It also provides a single point of failure: if the internet connection fails, the company's private network still continues to operate.
E-Payment
Money is a social phenomenon, with its roots in the barter economy. Payment systems have evolved out of the barter economy. The development of money as a medium of exchange empowered buyers and sellers. Buyers and sellers recognised that doing business becomes much more efficient if everyone uses a commonly accepted form of payment.
The notion of money continues to evolve, driven by marketplace preference for increased convenience and efficiency, and decreasing risk and costs (e.g. the development of card payment).
Digital payment requirements
Acceptability: The payment infrastructure needs to be widely accepted.
Anonymity: The identity of customers should be protected.
Convertibility: Digital money should be convertible to any type of fund.
Efficiency: Cost per transaction should be near zero.
Integration: Interfaces should be created to support the existing system.
Scalability: The infrastructure should not break down if new customers and merchants join.
Security: Should allow financial transactions over open networks.
Reliability: Should avoid a single point of failure.
Usability: Payment should be as easy as in the real world.
Online Payment Categories
Online payments can be broadly classified into three categories, as per the table below.
Category: Description
Micropayments: Transactions of value less than 5 Euros or Dollars. Transaction costs are nearly zero.
Consumer Payments: Transaction value between 5 and 500 Euros or Dollars. Payments are executed by credit card transactions.
Business Payments: Transaction value more than 500 Euros or Dollars. Debit cards or invoices are appropriate solutions in this system.
Digital Token Based E-Payment System
Western Union charge cards, 1914
Bank of America card with revolving credit, 1958
Visa card, 1970
Debit card: access funds in an account using electronic means
Now you can migrate electronic payments to wireless devices such as mobile phones.
Benefits to buyers
Convenience of global acceptance and a wide range of payment options.
Enhanced security and reduced liability for stolen or misused cards.
Consumer protection through an established system of dispute resolution.
Accessibility to immediate credit.
Benefits to sellers
Speed and security of the transaction processing chain, from verification and authorisation to clearing and settlement.
Freedom from the more costly labour, materials and accounting services that are required in paper-based processing.
Better management of cash flow, inventory and financial planning due to swift bank payment.
Incremental purchasing power on the part of the consumer.
Cost and risk savings by eliminating the need to run an in-house credit facility.
Credit Cards as an E-Payment System
Why is it popular?
1. Payment is simple, anywhere and in any currency.
2. Transaction costs are hidden from the user. (They are paid by sellers and ultimately recovered from all consumers, not just credit card users.)
3. The credit-issuing company shares the transaction risk.
Disadvantages of credit cards
High transaction cost; not suitable for small-value orders.
Cannot be used by an individual for making a payment to another individual.
Security expenses are high.
Users fear security issues due to unfamiliarity.
E-Payments in India
The e-payment system in India is evolving.
RBI started promoting automation in banking from 1990 onwards.
RBI has set up the electronic clearing service (ECS), which was successful despite the varying levels of automation in Indian banks.
It has also built the national electronic fund transfer (EFT).
These systems will in turn promote credit and debit card use in India.
RBI is also rolling out the real time gross settlement service (RTGS); with this, Indian banks and businesses will be better able to realise the value of e-payments to their operations.
Encryption and Credit Cards
Encryption is done when credit card information is entered into a browser or other e-commerce device and sent securely over the net from buyer to seller as an encrypted message. However, this has to be further secured by the following sequence of steps:
1. A customer presents his credit card information along with an authenticity signature.
2. The merchant validates the customer's identity as the owner of the card account.
3. The merchant relays the credit card charge information and signature to its bank or online credit card processor.
4. The processor party relays the information to the customer's bank for authorisation.
5. The customer's bank returns the credit card data and charge authorisation to the merchant.
In this scheme, each consumer and each vendor generates a public key and a secret key. The public key is sent to the credit card company and put on its public key server. The secret key is re-encrypted with a password, and the unencrypted version is erased.
The credit card company assumes the larger share of risk on both the buyer and the seller in a transaction. Buyers can sometimes dispute a charge, while sellers are assured that they will be paid for all their sales.
Most of the time, credit card payments are the fastest.
However, credit card transactions are not anonymous, and in fact the companies compile valuable data about spending habits.
New Payment Systems
These are roughly divided into two groups: one using smart cards and the other using the internet. These systems augment payment instruments with the use of networks and electronics, while maintaining the strengths of the older system. They can be classified as:
Cash substitution
Cheque substitution
Credit card substitution
Account transfer substitution systems
Smart Cards
Smart cards are credit and debit cards and similar, enhanced with microprocessors, capable of holding more information than a magnetic strip (almost 80 times as much). These cards use methods known as stored value card or electronic purse (similar to an itz card, but with a microprocessor). Units of prepayment or currency value are electronically stored on an IC embedded in these cards.
Features of Smart Cards
Processor cards (and therefore memory too)
Credit card size
With or without contacts
Cards have an operating system too. The OS provides:
A standard way of interchanging information
An interpretation of the commands and data
Cards must interface to a computer or terminal through a standard card reader.
Smart Card Readers
Dedicated terminals: usually with a small screen, keypad and printer; often they also have biometric devices such as a thumbprint scanner.
Computer-based readers: connect through USB or COM (serial) ports.
Terminal/PC Card Interaction
The terminal/PC sends commands to the card (through the serial line).
The card executes the command and sends back the reply.
The terminal/PC cannot directly access the memory of the card, so data in the card is protected from unauthorised access. This is what makes the card smart.
Security Mechanisms
Password: card holder's protection
Cryptographic challenge-response: entity authentication
Biometric information: person's identification
A combination of one or more of the above
What's Good About Cash?
Anonymous: the seller doesn't care who you are
Difficult to counterfeit (paper, printing methods, lots of new tricks)
Backed by the government
Trusted by everyone (we're all used to it)
A visible representation of funds (you can see what you've got)
What's Bad About Cash?
Must be handled/observed by human eyesight or a costly photo-scanner
Fixed denominations: requires making change
Not suitable for use on the Internet
Notes consume space and must be physically secured
No audit trail
What is E-cash?
E-cash is a legal form of computer-based currency that can be securely purchased and withdrawn by credit card, cheque, certified cheque, wire transfer, money order and Electronic Cheque Processing (ECP).
Why eCash is Like Cash
A representation of value
Anonymous: the seller doesn't care who you are
E-Cash
E-cash must have a monetary value; it must be backed by either cash (currency), bank-authorised credit, or a banker's cheque.
E-cash must be interoperable (meaning exchangeable as a payment).
E-cash must be storable and retrievable. Remote storage and retrieval (i.e. using a phone line) will allow users to exchange e-cash.
E-cash should not be easy to copy or tamper with while being exchanged.
E-cash is based on a cryptographic system called digital signature. It involves a pair of numeric keys (very large numbers) that work in tandem, one for locking and the other for unlocking. A message encoded with one numeric key can be decoded with the other key only. The encoding key is kept private (with the bank) and the decoding key is made public (i.e. given to buyers and sellers).
Purchasing e-cash involves 2 steps:
Establishment of an account
Maintaining enough money in the account
Using the account, people can deposit or withdraw e-cash. When a withdrawal is made, the computer calculates the denominations of currency needed, and a random number is generated using the note numbers of these denominations (for blinding), which is sent to the digital bank. The bank then issues the required denominations in an encrypted message and debits the account.
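As an added example (not from the slides), the withdrawal just described is shown as a Chaum-style blind RSA signature, which is the assumption made here about what the "random number for blinding" achieves: the bank signs a note number it never sees, the customer removes the blinding, and any merchant can check the note with the bank's public key. The key material and the note number are constructed toy values; the spent-note register is added to show why a copied note is rejected.

```python
import secrets
from math import gcd

# Constructed toy RSA key pair for the digital bank (Mersenne primes; a real
# bank key uses random primes of 1024+ bits). D is the bank's private
# "locking" key; (N, E) is the public "unlocking" key given to buyers and sellers.
P, Q = (1 << 61) - 1, (1 << 89) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def blind(note_number):
    """Customer: hide the note number behind a random blinding factor r."""
    while True:
        r = secrets.randbelow(N - 2) + 2           # 2 <= r < N
        if gcd(r, N) == 1:                          # r must be invertible mod N
            return (note_number * pow(r, E, N)) % N, r


def bank_sign(blinded):
    """Bank: sign with the private key D; it only ever sees the blinded value."""
    return pow(blinded, D, N)


def unblind(blinded_signature, r):
    """Customer: divide out r, leaving the bank's signature on the bare note.
    (note * r^E)^D = note^D * r  (mod N), so multiplying by r^-1 isolates note^D."""
    return (blinded_signature * pow(r, -1, N)) % N


def verify_note(note_number, signature):
    """Merchant: check the note against the bank's public key (N, E)."""
    return pow(signature, E, N) == note_number % N


def withdraw(note_number):
    """Whole withdrawal: blind -> bank signs (and debits the account) -> unblind."""
    blinded, r = blind(note_number)
    return unblind(bank_sign(blinded), r)


def deposit(note_number, signature, spent):
    """Bank accepts a note once: a copied note fails the spent-register check."""
    if not verify_note(note_number, signature) or note_number in spent:
        return False
    spent.add(note_number)
    return True


if __name__ == "__main__":
    note = secrets.randbits(120)                     # constructed note number
    sig = withdraw(note)
    register = set()
    print("note verifies:", verify_note(note, sig))          # True
    print("first deposit:", deposit(note, sig, register))    # True
    print("copied note:", deposit(note, sig, register))      # False
```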
Cheque Payment Systems on the Internet
Magnetic Ink Character Recognition (MICR): Using the data printed at the bottom of a cheque, a reader can read and process the cheque electronically.
CheckFree: Upon customer request, this service issues an electronic cheque and executes settlement between customer and retailer. This system does cheque processing as well as issuance.
Electronic Cheque: In this system, a consumer possesses an electronic cheque book on a PC memory card called a PCMCIA card. As needed, cheques are written electronically from the e-chequebook on the card. Then they are sent over the internet to the retailer, who in turn sends the cheque to the customer's bank. Settlement is done through a financial network to the appropriate place, such as the retailer's bank account.
Risk & E-Payment System
There are three major risks in e-payment:
1. Data Protection: abuse of data related to users.
2. Data Reliability: the authentication of parties.
3. Taxation: issues related to tax.
Risks from mistakes & disputes
Once information is captured electronically, it is easy and inexpensive to keep it stored.
Given the intangible nature of electronic transactions, dispute resolution relies solely on records. Features of such records include:
Permanent storage
Accessibility and traceability
A payment system database
Data transfer to the payment maker / bank / monetary authorities
Managing information privacy: All the records in an e-payment system can be linked, as they are in a single dossier. The e-payment system must ensure and maintain privacy.
Managing Credit Risk: Credit risk is a major concern in a net settlement system, because a bank's failure to settle its net position could lead to a chain reaction of bank failures. A digital central bank must guarantee settlement and ensure the liquidity of the banks.
Designing an E-payment system
Privacy: Users expect trustworthiness.
Security: A secure system verifies the identity of the two parties to a transaction through user authentication and enforces access control.
Intuitive interfaces: The payment interface must be easy to use. Users value convenience more than anything.
Database integration: Customers may want to access accounts stored in separate databases. The challenge before banks is to tie these databases together and allow customers access.
Brokers: Someone to offer goods and services, settle conflicts and facilitate transactions must be in place.
Pricing: The new systems for services cost money, but to attract customers to using them it may be necessary to offer subsidies.
Standards: Standards enable interoperability, giving users the ability to buy and receive information regardless of which bank is managing their money.
Major barrier to the growth of electronic commerce
The major barrier to the growth of electronic commerce is the fear of lack of security.
Digital signatures provide data security and integrity. This eliminates the fear of lack of security.
Digital signatures are often used to implement electronic signatures, a broader term that refers to any electronic data that carries the intent of a signature; however, not all electronic signatures use digital signatures.
Digital signatures employ a type of asymmetric cryptography. Thus, in the case of messages sent through a non-secure channel, a properly implemented digital signature gives the receiver a reason to believe that the message was sent by the claimed sender.
How digital signature technology works
Digital signature creation
Digital signature verification: signer authentication, message authentication, and assurance of the genuineness of the data in the document.
The sender uses his private key to compute the digital signature. For this, a one-way hashing algorithm is used to calculate a message digest. The sender's private key is used to encrypt the message digest. The encrypted message digest is called the digital signature.
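The creation and verification steps above, written out as an added example (not from the slides) with textbook RSA: hash the message to a digest, "encrypt" the digest with the sender's private exponent, and let the receiver recover it with the public exponent. The two key pairs are constructed toy values, and a 128-bit BLAKE2b digest is assumed so the digest is always smaller than the demo modulus; the demo shows why a modified message (message authentication) and a signature from another key (signer authentication) both fail.

```python
import hashlib

# Constructed toy RSA keys (Mersenne primes; real keys use random primes of
# 1024+ bits). Each key holds the public pair (n, e) and private exponent d.
def make_key(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e, "d": pow(e, -1, phi)}


SENDER = make_key((1 << 61) - 1, (1 << 89) - 1)      # the claimed sender
IMPOSTOR = make_key((1 << 107) - 1, (1 << 127) - 1)  # someone else's key


def public(key):
    """The part of a key that is published: modulus and public exponent."""
    return {"n": key["n"], "e": key["e"]}


def digest(message: bytes) -> int:
    """One-way hash of the message, returned as an integer message digest."""
    return int.from_bytes(hashlib.blake2b(message, digest_size=16).digest(), "big")


def sign(key, message: bytes) -> int:
    """Creation: the digest is 'encrypted' with the private exponent d."""
    return pow(digest(message), key["d"], key["n"])


def verify(pubkey, message: bytes, signature: int) -> bool:
    """Verification: recover the digest with e and compare with a fresh hash."""
    return pow(signature, pubkey["e"], pubkey["n"]) == digest(message)


def demo():
    """Genuine signature passes; a modified message or another signer fails."""
    msg = b"Pay 500 EUR to merchant 42"        # constructed message
    sig = sign(SENDER, msg)
    return {
        # message authentication: one changed digit changes the digest
        "genuine": verify(public(SENDER), msg, sig),
        "modified": verify(public(SENDER), b"Pay 5000 EUR to merchant 42", sig),
        # signer authentication: a signature made with another private key
        # does not decrypt to the digest under the sender's public key
        "impostor": verify(public(SENDER), msg, sign(IMPOSTOR, msg)),
    }


if __name__ == "__main__":
    print(demo())   # {'genuine': True, 'modified': False, 'impostor': False}
```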
A signature is not a part of the substance of a transaction; rather, it represents its integrity.
As organisations move away from paper documents with ink signatures or authenticity stamps, digital signatures can provide added assurance of the evidence of origin, identity and status of an electronic document, as well as acknowledging informed consent and approval by a signatory.
E.g. governments publish electronic versions of the budget, laws, etc. with digital signatures. Universities in the US are publishing electronic student transcripts with digital signatures.
Signature and the law
Evidence: A signature authenticates the writing by identifying the signer with the signed document.
Legality: The act of signing a document calls to the signer's attention the legal significance of the signer's act.
Approval: A signature expresses the signer's approval or authorisation of the writing, or a claim that it has legal validity.
Efficiency and logistics: A signature on a written document often imparts a sense of clarity and finality to the transaction and reduces the need to inquire beyond the face of the document.
Authenticity: To achieve the basic purpose of a signature, it must have the following attributes:
Signer authentication, i.e. a signature should indicate who signed a document.
Document authentication: a signature should identify what is signed, making it impracticable to falsify or alter either the matter or the signature without detection.
Affirmation: Affixing the signature serves the ceremonial and approval function of a signature and establishes legality.
Indian websites that use digital signatures
Shopping & auction sites: Sify Mall, Bazee, Fabmall, Rediff
Booking & reservations: major airlines, Railways
Service companies: cellular providers, ISPs
Net banking: ICICI, HDFC
Secure e-payment system process
A secured transaction processing system is critical to e-commerce. There are two common standards used for secure e-payments: SSL and SET.
SSL (Secure Sockets Layer) is a transport layer security protocol. SSL provides a simple encrypted connection between the client's computer and the merchant's server over the net. It also provides authentication for the merchant's server with its digital certificate from a certifying authority.
SET is a messaging protocol designed by VISA and MasterCard for securing credit card transactions over open networks.
Three features of SET are:
1. All sensitive information sent between the three parties is encrypted.
2. All three parties are required to authenticate themselves with certificates.
3. The merchant never sees the customer's card number in plain text.
Thank You !