E-Business Security and Online Payments Pesewa Presentations

Upload: gloria-davidson

Post on 17-Dec-2015



Reported Fraud Complaints

How is Security Compromised?

• Inadequate attention paid to security issues
• IDENTITY THEFT (need to take care over release of private details)
• Failure to protect private information sent over Internet
• Failure to create a “security awareness” environment within the organization (a Managerial issue)
• Malicious Software use: MALWARE
  – Viruses
  – Spyware
  – Web Bugs
  – Hacking
• “phishing”
• “pharming”

Typical B2C Transaction

Key Security Issues

• Integrity: ability to ensure that information being displayed on a Web site or transmitted/received over the Internet has not been altered in any way by an unauthorized party

• Nonrepudiation: ability to ensure that e-commerce participants do not deny (repudiate) online actions

• Authenticity: ability to identify the identity of a person or entity with whom you are dealing on the Internet

• Confidentiality: ability to ensure that messages and data are available only to those authorized to view them

• Privacy: ability to control use of information a customer provides about himself or herself to merchant

• Availability: ability to ensure that an e-commerce site continues to function as intended

Security Perspectives

Security Issue: Integrity of Data
  Customer View: Has the data sent or received been altered in any way in transit?
  Merchant View: Has the data on site been altered without authorisation? Is data from customer valid?

Security Issue: Nonrepudiation
  Customer View: Can a party to an action later deny taking the action?
  Merchant View: Can a Customer deny ordering products?

Security Issue: Authenticity
  Customer View: Who am I dealing with? How can I be sure they are who they say they are?
  Merchant View: What is the REAL identity of the Customer?

Security Issue: Confidentiality
  Customer View: Can anyone other than the intended recipient read my messages?
  Merchant View: Are messages or confidential data accessible to unauthorised persons?

Security Issue: Privacy
  Customer View: Can I control information about myself transmitted to e-commerce merchant?
  Merchant View: What use (if any) can be made of personal data collected as part of an e-commerce transaction? Is personal data used inappropriately?

Security Issue: Availability
  Customer View: Can I get access to the site?
  Merchant View: Is the site operational?

Conflict Between Security and Other Issues

• Security vs. ease of use: the more security measures that are added, the more difficult a site is to use, and the slower it becomes

• Security vs. desire of individuals to act anonymously

Security Threats in e-business

• Three key points of vulnerability:
  – Client
  – Server
  – Communications channel
• Most common threats:
  – Malicious code
  – Hacking and cybervandalism
  – Credit card fraud/theft
  – Spoofing
  – Denial of service attacks
  – Sniffing
  – Insider jobs

Explanation of Terms

• Spoofing: Misrepresenting oneself by using fake e-mail addresses or masquerading as someone else

• Denial of service (DoS) attack: Hackers flood Web site with useless traffic to inundate and overwhelm network

• Distributed denial of service (DDoS) attack: hackers use numerous computers to attack target network from numerous launch points

• Sniffing: type of eavesdropping program that monitors information traveling over a network; enables hackers to steal proprietary information from anywhere on a network

• “phishing”: http://www.webopedia.com/TERM/p/phishing.html
• “pharming”: http://en.wikipedia.org/wiki/Pharming
• Insider jobs: single largest financial threat

Hacking and Cybervandalism

• Hacker: Individual who intends to gain unauthorized access to computer systems

• Cracker: Used to denote hacker with criminal intent (two terms often used interchangeably)

• Cybervandalism: Intentionally disrupting, defacing or destroying a Web site

• Types of hackers include:
  – White hats – Used by corporate security departments to test their own security measures
  – Black hats – Act with the intention of causing harm
  – Grey hats – Believe they are pursuing some greater good by breaking in and revealing system flaws

Vulnerable Areas in e-Biz

Credit Card Fraud

• Fear that credit card information will be stolen deters online purchases

• Hackers target credit card files and other customer information files on merchant servers; use stolen data to establish credit under false identity

• One solution: New identity verification mechanisms
• Tighter Data Encryption

Merchant Pays (B2C)

• Many security procedures that credit card companies use offline are not applicable online (e.g. face-to-face meeting)

• As a result, credit card companies have shifted most of the risks associated with e-commerce credit card transactions to merchants

• Percentage of Internet transactions charged back to online merchants much higher than for traditional retailers (3-10% online compared to 0-1% offline)

• To protect themselves, merchants can:
  – Refuse to process overseas purchases
  – Insist that credit card and shipping address match
  – Require users to input 3-digit security code printed on back of card
  – Use anti-fraud software
• Credit card company solutions include:
  – Verified by Visa (Visa)
  – SecureCode (MasterCard)
  – Requiring issuing banks to assume a large share of risk and liability

Privacy Protection

– 5 basic principles

• Notice/Awareness— Customers must be given notice and be able to make informed decisions.

• Choice/Consent— Customers must be made aware of their options as to how their personal information may be used. Consent may be granted through ‘opt-Out’ clauses requiring steps.

• Access/Participation— Consumers must be able to access their personal information and challenge the validity of the data.

• Integrity/security— Consumers must be assured that the data is secure and accurate.

• Enforcement/Redress— There must always exist a method of enforcement and remedy. The alternatives are government intervention, legislation for private remedies, or self-regulation.

Encryption

• Encryption: The process of transforming plain text or data into cipher text that cannot be read by anyone other than the sender and receiver

• Purpose:
  – Secure stored information
  – Secure information transmission
• Provides:
  – Message integrity
  – Nonrepudiation
  – Authentication
  – Confidentiality

Encryption

• Encryption Technology intended to Make Internet Communication SECURE;

• Strong Encryption: 3.09 x 10^26 times more difficult to decode than previous exportable technologies!
• Leads to … 128 & 256-bit Encryption Debate -
• Industry wants Strong Encryption, to stimulate growth of e-Business
• US Government reluctant to release 256-bit system:
  – Potential criminal activity
  – “Hostile” Government use, etc.

Encryption: Principles

• Based on Principles of Cryptography (Ancient Greece)
• Four Basic Principles:
  1. Plain Text: Original Message (readable format)
  2. Cipher Text: Encrypted to render it unreadable
  3. Encryption Algorithm: Mathematical Formulae
  4. Key: Encryption and Decryption of Message
• Can use Different Algorithms for Encryption
• Message remains secure as long as key is unknown
• Length of Key Determines Level of Security

Symmetric (Synchronous) Key

• Also known as secret key encryption
• Both the sender and receiver use the same digital key to encrypt and decrypt message
• Requires a different set of keys for each transaction
• Data Encryption Standard (DES): Most widely used symmetric key encryption today; uses 56-bit encryption key; other types use 128-bit keys up through 2048 bits

Encryption: Public and Private Keys

[Figure: two diagrams. Synchronous (Private Key) Encryption: Message Text, Encryption, Encrypted Text, Decryption, Message Text, labelled “Private Key” twice. Asymmetrical (Public Key) Encryption: the same flow, labelled “Public Key of Sender” and “Private Key of Recipient”.]

Encryption: Issues

• Private Key Encryption:
  – Much Internet Traffic - between unknown people and machines
  – Web Servers face large amounts of traffic: Private Key Numbers might be cracked, leaked or stolen;
• Led to Development of Public Key Encryption:
  – Pair of Keys: Public and Private
  – Public Key available to anyone wishing to send encrypted data
  – Data can only be decrypted with Private Key (no need to agree on keys in advance of data transfer)
  – Only 3 or 4 (published) Public Key Encryption Algorithms

Public Key Encryption

• Public key cryptography solves symmetric key encryption problem of having to exchange secret key

• Uses two mathematically related digital keys – public key (widely disseminated) and private key (kept secret by owner)

• Both keys are used to encrypt and decrypt message
• Once key is used to encrypt message, same key cannot be used to decrypt message
• For example, sender uses recipient’s public key to encrypt message; recipient uses his/her private key to decrypt it

Simple Public Key Encryption

Using Signatures and Hash Key

• Application of hash function (mathematical algorithm) by sender prior to encryption produces hash digest that recipient can use to verify integrity of data

• Double encryption (digital envelope) with sender’s private key (digital signature) helps ensure authenticity and nonrepudiation

Public Key with Digital Signatures

Digital Envelopes

• Addresses weaknesses of public key encryption (computationally slow, decreases transmission speed, increases processing time) and symmetric key encryption (faster, but more secure)

• Uses symmetric key encryption to encrypt document but public key encryption to encrypt and send symmetric key

Public Key Encryption + Envelope

Digital Certificates and PKI

• Digital certificate: Digital document that includes:
  – Name of subject or company
  – Subject’s public key
  – Digital certificate serial number
  – Expiration date
  – Issuance date
  – Digital signature of certification authority (trusted third party (institution) that issues certificate)
  – Other identifying information

• Public Key Infrastructure (PKI): refers to the Certification Authorities (CAs) and digital certificate procedures that are accepted by all parties

Digital Certificates and CAs

Limits to Encryption

• PKI applies mainly to protecting messages in transit

• PKI is not effective against insiders
• Protection of private keys by individuals may be haphazard
• No guarantee that verifying computer of merchant is secure
• CAs are unregulated, self-selecting organizations

Quantum Cryptography

• Existing encryption systems are subject to failure as computers become more powerful

• Scientists at Northwestern University have developed a high-speed quantum cryptography method

• Uses lasers and optical technology and a form of secret (symmetric) key encryption

• Message is encoded using granularity of light (quantum noise); pattern is revealed only through use of secret key

Security & Electronic Business

• Security: Major Control Issue for Management
• Commercially Sensitive Data MUST be kept private
• Transmitted data MUST be protected against alteration by someone other than the sender (e.g. Stock Market Execution Order)
• Encryption Standards:
  – SSL (Secure Sockets Layer)
  – S-http (Secure http transmission: visual cues – locked padlock)
  – SET (Secure Electronic Transactions) (Visa and MasterCard)
• Other Payment Methods:
  – e-cash; electronic cheques; digital wallets, e.g. Microsoft Wallet

Securing Communication Channels

• Secure Sockets Layer (SSL): Most common form of securing channels of communication; used to establish a secure negotiated session (client-server session in which URL of requested document, along with contents, is encrypted)

• S-HTTP: Alternative method; provides a secure message-oriented communications protocol designed for use in conjunction with HTTP

• Virtual Private Networks (VPNs): Allow remote users to access internal networks securely via the Internet, using Point-to-Point Tunneling Protocol (PPTP)

SSL

Security: Use of VPN

• A VPN is an Extranet
• An Extranet connects companies with suppliers or other companies, and can take any of the following forms:
  – A public network
  – A secure (private) network
  – A Virtual Private Network (VPN)
• VPN uses public networks and protocols to send sensitive data to partners, customers, suppliers and employees using a system called “tunnelling” or “encapsulation”
• Tunnels are private passageways through the public Internet that provide secure transmission from one extranet to another
• VPN provides security shells, with the most sensitive data under tightest control.

How does VPN work?

• Company employees in remote locations can send information to the company without outsiders “seeing” the data.
• Data is sent over the public Internet, with additional
  – Data encryption (to scramble the communications)
  – Authentication (to ensure that the data has not been altered in transit, and comes from a legitimate source)
  – Access control (to regulate who can access the network - password protection and other security measures)
• Benefits of VPN: MUCH cheaper than alternative methods of secure communication.
• Alternatives:
  – Private leased line (expensive, and not easily scalable)
  – Dial-up to Remote Access Server (RAS) using a bank of modems to obtain direct access to the company LAN.

Technical Issues

• Maintaining Confidentiality and Integrity of Data
• How? Protocol tunnelling:
  – Data packets are first encrypted,
  – then encapsulated into IP packets for transmission across the Internet,
  – and then decrypted (using a special host computer or router)
• Protocol tunnelling also supports multiprotocol networking (e.g. LANs typically employ protocols such as Novell’s IPX, which need to be encrypted for IP packet transmission, then encapsulated and read at the other end). To users the data appears as if they are directly connected to the LAN
• Protocols used:
  1. Point-to-point (PTP) [implemented by Microsoft, and used in Windows NT, Windows 2000, Win XP];
  2. Layer 2 Tunnelling Protocol (L2TP) - becoming the standard

Creating a VPN

• L2TP: Multivendor interoperability is important
• Often combined with IPSec [IP Security standard, developed by IETF]
• Three crucial technology components:
  – Firewall products (hardware and software) [Activity: Find out what a Firewall is] (Visit Check Point Software Technologies)
  – Routers (can operate as firewalls as well as routers) can ALSO operate as VPN servers
  – Software applications that operate as complete VPN service providers (visit www.vpnc.org/features-chart.html for a comparative list of features and benefits of a range of commercial VPN Products)
• Many telecoms companies and ISPs offer VPN services for dial-up and PTP communications. Often these include private network service backbones with added security services, Internet connectivity and dial-up (e.g. AT&T; PSINet; Cable & Wireless (at the moment!) etc.)

Network Protection

• Firewall: Software application that acts as a filter between a company’s private network and the Internet

• Firewall methods include:
  – Packet filters
  – Application gateways
• Proxy servers: Software servers that handle all communications originating from or being sent to the Internet (act as “spokesperson” or “bodyguard” for the organization)

Firewalls and Proxy Servers

e-Business and Fraud

• Internet Stocks Fraud
  – SEC brought charges against 44 companies and individuals who illegally promoted stocks on computer bulletin boards, online newsletters and investment Web sites
• Other Financial Fraud
  – Selling bogus investments, phantom business opportunities, and other fraud schemes
• Other Fraud in EC
  – Customers may
    • receive poor quality products and services
    • not get products in time
    • be asked to pay for things they assume will be paid for by sellers

Common online scams

• Business opportunities
• Bulk mail solicitors
• Investment opportunities
• Work-at-home schemes
• Health and diet schemes
• Effortless income
• Nigerian Scam
• “phishing”
• Identity Theft
• Guaranteed loans or credit, on easy terms
• Free goods
• Chain letters
• Cable descrambler kits
• Credit repair
• Vacation prize promotions
• Lottery “wins”

Protection for Sellers

• Sellers must be protected against:
  – Use of their names by others (Identity Theft - fastest growing white-collar crime)
  – Use of their unique words and phrases, names, and slogans, trademarks, and their web addresses
  – Dealing with customers who deny that they placed an order
  – Other potential legal issues related to sellers’ protection
  – Customers downloading copyrighted software and/or knowledge and selling it to others
  – Not being properly paid for products and services provided

Government Initiatives

• 2002 Organization for Economic Cooperation and Development (OECD) Guidelines for the Security of Information Systems and Networks has 9 principles:
  – Awareness
  – Responsibility
  – Response
  – Ethics
  – Democracy
  – Risk assessment
  – Security design and implementation
  – Security management
  – Reassessment

Electronic Payments

PayPal

• One of e-commerce’s major success stories:
• Went public in 2002; acquired by eBay October 2002 for $1.5 billion
• An example of a “peer-to-peer” payment system
• Fills a niche that credit card companies avoided – individuals and small merchants
• Piggybacks on existing credit card and checking payment systems
• Weakness: suffers from relatively high levels of fraud
• Competitors include Western Union (MoneyZap), AOL (AOLQuickcash) and Citibank (C2it)

Types of Payment Systems

• Cash
• Cheques (Bank Transfers)
• Credit Card
• Stored Value
• Accumulating Balance

Cheques

• Funds transferred directly via a signed draft or check from a consumer’s current account to a merchant or other individual
• Most common form of payment in terms of amount spent
• Can be used for both small and large transactions
• Allows for some float (Funds committed to be paid but not yet paid.)
• Not anonymous, require third-party intervention (banks)
• Introduce security risks for merchants (forgeries, stopped payments), so authentication is typically required

Stored Value/Accumulating Balance

• Stored Value
  – Accounts created by depositing funds into an account and from which funds are paid out or withdrawn as needed
  – Examples: Debit cards, gift certificates, prepaid cards, smart cards
  – Debit cards: Immediately debit a current or other demand-deposit account
  – Peer-to-peer payment systems such as PayPal
• Accumulating Balance
  – Accounts that accumulate expenditures and to which consumers make periodic payments
  – Examples: utility, phone, American Express accounts

Online Payment Systems

• Credit cards are dominant form of online payment, accounting for around 80%+ of online payments (in B2C) in 2006

• New forms of electronic payment include:
  – Digital cash
  – Online stored value systems
  – Digital accumulating balance payment systems
  – Digital credit accounts
  – Digital cheques

Merchants’ Actual and Preferred Methods

Limitations of CC Online

• Security – neither merchant nor consumer can be fully authenticated

• Cost – for merchants, around 3.5% of purchase price plus transaction fee of 20-30 cents (US) per transaction

• Social equity – many people do not have access to credit cards (young adults, plus others who cannot afford cards or are considered poor risk)

Digital Divide (US)

• Digital Divide: Some groups don’t have same access to computers and Internet that others do

• Digital “have nots” include:
  – Households with incomes below $35,000
  – Those without college educations
  – People living in rural areas
  – African-Americans and Hispanics
  – Seniors over 65
  – Disabled
• Most recent Department of Commerce study -- most of above groups gaining access to computers and Internet due to falling computer prices and free or low cost ISPs

• But without credit cards, still hard for people to shop online

Digital Wallets

• Concept of digital wallet relevant to many of the new digital payment systems

• Seeks to emulate the functionality of traditional wallet
• Most important functions:
  – Authenticate consumer through use of digital certificates or other encryption methods
  – Store and transfer value
  – Secure payment process from consumer to merchant
• Two major categories:
  – Client-based digital wallets – Gator.com, MasterCard Wallet
  – Server-based digital wallets – MSN Wallet

Functionality

Digital Cash

• One of the first forms of alternative payment systems
• Not really “cash” – rather, are forms of value storage and value exchange that have limited convertibility into other forms of value, and require intermediaries to convert
• Many early examples have disappeared; concepts survive as part of P2P payment systems http://www.ex.ac.uk/~RDavies/arian/emoney.html

Examples

Online Stored Value Systems

• Permit consumers to make instant, online payments to merchants and other individuals based on value stored in an online account

• Rely on value stored in a consumer’s bank, checking or credit card account

Use of Biometrics

• Photo of face
• Fingerprints
• Hand geometry
• Blood vessel pattern in the retina of a person’s eye
• Voice
• Signature
• Keystroke dynamics

E-Signatures

• Electronic Signatures in Global and National Commerce Act (E-Sign Law): Went into effect October 2001 in US

• Gives as much legal weight to electronic signature as to traditional version

• So far, not much impact
• Companies such as Silanis and others still moving ahead with new e-signature options
• http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci211953,00.html
• http://www.thefreedictionary.com/e-signature

Digital Signatures

• Ensures confidentiality and integrity of message
1. Use hash function to create “digest” of message (standard hash functions may be obtained, Stein (1998): “Web Security: a Step by Step Reference Guide”, Addison-Wesley)
2. Hash function result sent to recipient; recipient applies hash function and compares results
3. If identical, message has not been altered. Sender encrypts message, using recipient’s public key (produces block of cipher text)
4. Sender encrypts entire block of cipher text (again), using sender’s PRIVATE KEY. This produces a Digital Signature
5. This final step ensures authenticity, and prevents later repudiation.
6. NB: The digital signature is UNIQUE, both to the individual sender AND TO INDIVIDUAL DOCUMENTS
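The hash digest, digital signature and digital envelope described in “Using Signatures and Hash Key”, “Digital Envelopes” and the steps above, as an added Python example that is not part of the original slides. It signs the SHA-256 digest instead of re-encrypting the whole cipher text block, and it assumes textbook RSA over publicly known Mersenne primes plus a toy hash-based stream cipher, both constructed for illustration and unsuitable for protecting real data.

```python
import hashlib
import secrets

# Constructed demo keys: textbook RSA over publicly known Mersenne primes.
# Anyone can factor these moduli, so they illustrate the flow and nothing more.
E = 65537

def make_keypair(p, q):
    """Return ((e, n), (d, n)): public and private key for primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (E, n), (pow(E, -1, phi), n)

SENDER_PUB, SENDER_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
RECIP_PUB, RECIP_PRIV = make_keypair(2**1279 - 1, 2**2203 - 1)

def digest(message):
    """Hash digest of the message as an integer (SHA-256)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message, priv):
    """Digital signature: the digest transformed with the sender's private key."""
    d, n = priv
    return pow(digest(message), d, n)

def verify(message, signature, pub):
    """Recompute the digest and compare it with the one recovered from the signature."""
    e, n = pub
    return pow(signature, e, n) == digest(message)

def stream_xor(key, data):
    """Toy symmetric cipher: XOR with a SHA-256 counter keystream; same call decrypts."""
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in blocks)
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(document, sender_priv, recip_pub):
    """Digital envelope: symmetric key encrypts the document, public key wraps the key."""
    session_key = secrets.token_bytes(32)  # fresh symmetric key for every envelope
    e, n = recip_pub
    return {
        "ciphertext": stream_xor(session_key, document),
        "wrapped_key": pow(int.from_bytes(session_key, "big"), e, n),
        "signature": sign(document, sender_priv),
    }

def open_envelope(envelope, recip_priv, sender_pub):
    """Unwrap the key, decrypt, then refuse the document if the signature fails."""
    d, n = recip_priv
    # Reduce to 256 bits so a corrupted wrapped key yields a wrong key, not a crash.
    unwrapped = pow(envelope["wrapped_key"], d, n) % 2**256
    document = stream_xor(unwrapped.to_bytes(32, "big"), envelope["ciphertext"])
    if not verify(document, envelope["signature"], sender_pub):
        raise ValueError("signature check failed: altered document or wrong sender")
    return document

def demo():
    """Round-trip a constructed order, then show that a one-bit change is rejected."""
    order = b"Order 1001: 2 widgets, ship to 1 Example Street"  # constructed sample
    envelope = seal(order, SENDER_PRIV, RECIP_PUB)
    recovered = open_envelope(envelope, RECIP_PRIV, SENDER_PUB)
    flipped = bytes([envelope["ciphertext"][0] ^ 1]) + envelope["ciphertext"][1:]
    try:
        open_envelope(dict(envelope, ciphertext=flipped), RECIP_PRIV, SENDER_PUB)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return recovered == order, tamper_detected

if __name__ == "__main__":
    print(demo())
```

The recipient needs the sender's public key to check the signature and its own private key to unwrap the symmetric key, which is why the envelope and the signature use two different key pairs.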

Digital Certificates

• Even with all the previous techniques, some information is so sensitive that further security is required
• How do we know that people and institutions are who they claim?
• Anyone can produce a public and private key combination, and claim to be Mickey Mouse, or the Bank of England or Amazon.com
• Before placing an order, it is worth ensuring that you REALLY are dealing with Amazon, and not a spoofer
• Solved by Digital Certificates: A digital document, issued by a trusted third party - a Certification Authority (CA)
• Digital Certificate contains: Name of Subject (or Company); Subject’s public key; Digital Certificate Serial Number; Issue Date; Expiry Date; Digital Signature of CA (encrypted) + other information
• CAs: Verisign; TrustE; Government Agencies; etc.
• See also, Pretty Good Privacy: www.pgpi.org

Issues for Discussion

• SSL:
  – communication protocol, included in most browser software
• Common Method of Encrypting Credit Card Numbers
• Does NOT verify ownership of credit card!!!
• Used by Visa, MasterCard, American Express, etc.
• Is SSL adequate in protecting purchaser from fraud?
• Mondex Cards (and other Smart Cards) – higher security
• Digital Wallet Systems (e.g. Gator)
• Electronic Cheques (complete with digital signatures)
• VeriSign; TrustE; other Trusted third Parties

Managerial Issues

• Multinational corporations face different cultures in the different countries in which they are doing business
• Issues of privacy, ethics, etc. may seem to be tangential to running a business, but ignoring them may hinder the operation of many organizations
• The impact of electronic commerce and the Internet can be so strong that the entire manner in which companies do business might be changed, with significant impacts on procedures, people, organizational structure, management, and business processes (for discussion)

Management and Security

• What managerial issues arise relating to security?
• Need for comprehensive and coherent Security Plan
  1. Undertake a Risk Assessment
  2. Develop Security Policy
  3. Design and Develop a Security Implementation Plan
  4. Create a Security Team [important HR consideration]
  5. Create a Climate of Awareness in the company
  6. Put in Place a Security Management System (KMS)
  7. Perform Periodic Security Audits
  8. Keep the security systems updated

Security Tools

[Figure: security tools: Encryption; Firewalls; Access Controls; Authentication; Intrusion Detection; Security Management; Network Security Protocols; Virtual Private Networks; Tunnelling; Proxy Agent Systems]

Internet Security Environment

e-commerce Security Plan