How is Security Compromised?
• Inadequate attention paid to security issues
• IDENTITY THEFT (need to take care over release of private details)
• Failure to protect private information sent over Internet
• Failure to create a “security awareness” environment within the organization (a Managerial issue)
• Malicious Software use: MALWARE
– Viruses
– Spyware
– Web Bugs
– Hacking
• “phishing”
• “pharming”
Key Security Issues
• Integrity: ability to ensure that information being displayed on a Web site or transmitted/received over the Internet has not been altered in any way by an unauthorized party
• Nonrepudiation: ability to ensure that e-commerce participants do not deny (repudiate) online actions
• Authenticity: ability to verify the identity of a person or entity with whom you are dealing on the Internet
• Confidentiality: ability to ensure that messages and data are available only to those authorized to view them
• Privacy: ability to control use of information a customer provides about himself or herself to merchant
• Availability: ability to ensure that an e-commerce site continues to function as intended
Security Perspectives
Security issue, with the customer view and the merchant view of each:
• Integrity of Data
– Customer view: Has the data sent or received been altered in any way in transit?
– Merchant view: Has the data on site been altered without authorisation? Is data from customer valid?
• Nonrepudiation
– Customer view: Can a party to an action later deny taking the action?
– Merchant view: Can a Customer deny ordering products?
• Authenticity
– Customer view: Who am I dealing with? How can I be sure they are who they say they are?
– Merchant view: What is the REAL identity of the Customer?
• Confidentiality
– Customer view: Can anyone other than the intended recipient read my messages?
– Merchant view: Are messages or confidential data accessible to unauthorised persons?
• Privacy
– Customer view: Can I control information about myself transmitted to e-commerce merchant?
– Merchant view: What use (if any) can be made of personal data collected as part of an e-commerce transaction? Is personal data used inappropriately?
• Availability
– Customer view: Can I get access to the site?
– Merchant view: Is the site operational?
Conflict Between Security and Other Issues
• Security vs. ease of use: the more security measures that are added, the more difficult a site is to use, and the slower it becomes
• Security vs. desire of individuals to act anonymously
Security Threats in e-business
• Three key points of vulnerability:
– Client
– Server
– Communications channel
• Most common threats:
– Malicious code
– Hacking and cybervandalism
– Credit card fraud/theft
– Spoofing
– Denial of service attacks
– Sniffing
– Insider jobs
Explanation of Terms
• Spoofing: Misrepresenting oneself by using fake e-mail addresses or masquerading as someone else
• Denial of service (DoS) attack: Hackers flood Web site with useless traffic to inundate and overwhelm network
• Distributed denial of service (dDoS) attack: hackers use numerous computers to attack target network from numerous launch points
• Sniffing: type of eavesdropping program that monitors information traveling over a network; enables hackers to steal proprietary information from anywhere on a network
• “phishing”: http://www.webopedia.com/TERM/p/phishing.html
• “pharming”: http://en.wikipedia.org/wiki/Pharming
• Insider jobs: single largest financial threat
Hacking and Cybervandalism
• Hacker: Individual who intends to gain unauthorized access to computer systems
• Cracker: Used to denote hacker with criminal intent (two terms often used interchangeably)
• Cybervandalism: Intentionally disrupting, defacing or destroying a Web site
• Types of hackers include:
– White hats: used by corporate security departments to test their own security measures
– Black hats: act with the intention of causing harm
– Grey hats: believe they are pursuing some greater good by breaking in and revealing system flaws
Credit Card Fraud
• Fear that credit card information will be stolen deters online purchases
• Hackers target credit card files and other customer information files on merchant servers; use stolen data to establish credit under false identity
• One solution: New identity verification mechanisms
• Tighter Data Encryption
Merchant Pays (B2C)
• Many security procedures that credit card companies use offline are not applicable online (e.g. face-to-face meeting)
• As a result, credit card companies have shifted most of the risks associated with e-commerce credit card transactions to merchants
• Percentage of Internet transactions charged back to online merchants much higher than for traditional retailers (3-10% online compared to 0-1% offline)
• To protect themselves, merchants can:
– Refuse to process overseas purchases
– Insist that credit card and shipping address match
– Require users to input 3-digit security code printed on back of card
– Use anti-fraud software
• Credit card company solutions include:
– Verified by Visa (Visa)
– SecureCode (MasterCard)
– Requiring issuing banks to assume a large share of risk and liability
Privacy Protection
– 5 basic principles
• Notice/Awareness— Customers must be given notice and be able to make informed decisions.
• Choice/Consent— Customers must be made aware of their options as to how their personal information may be used. Consent may be granted through ‘opt-Out’ clauses requiring steps.
• Access/Participation— Consumers must be able to access their personal information and challenge the validity of the data.
• Integrity/security— Consumers must be assured that the data is secure and accurate.
• Enforcement/Redress— There must always exist a method of enforcement and remedy. The alternatives are government intervention, legislation for private remedies, or self-regulation.
Encryption
• Encryption: The process of transforming plain text or data into cipher text that cannot be read by anyone other than the sender and receiver
• Purpose:
– Secure stored information
– Secure information transmission
• Provides:
– Message integrity
– Nonrepudiation
– Authentication
– Confidentiality
Encryption
• Encryption Technology intended to Make Internet Communication SECURE;
• Strong Encryption: 3.09 × 10^26 times more difficult to decode than previous exportable technologies!
• Leads to … 128 & 256-bit Encryption Debate
• Industry wants Strong Encryption, to stimulate growth of e-Business
• US Government reluctant to release 256-bit system:
– Potential criminal activity
– “Hostile” Government use, etc.
Encryption: Principles
• Based on Principles of Cryptography (Ancient Greece)
• Four Basic Principles:
1. Plain Text: Original Message (readable format)
2. Cipher Text: Encrypted to render it unreadable
3. Encryption Algorithm: Mathematical Formulae
4. Key: Encryption and Decryption of Message
• Can use Different Algorithms for Encryption
• Message remains secure as long as key is unknown
• Length of Key Determines Level of Security
Symmetric (Synchronous) Key
• Also known as secret key encryption
• Both the sender and receiver use the same digital key to encrypt and decrypt message
• Requires a different set of keys for each transaction
• Data Encryption Standard (DES): Most widely used symmetric key encryption today; uses 56-bit encryption key; other types use 128-bit keys up through 2048 bits
Encryption: Public and Private Keys
[Diagram: Synchronous (Private Key) Encryption. Message Text → Encryption (Private Key) → Encrypted Text → Decryption (Private Key) → Message Text]
[Diagram: Asymmetrical (Public Key) Encryption. Message Text → Encryption (Public Key of Sender) → Encrypted Text → Decryption (Private Key of Recipient) → Message Text]
Encryption: Issues
• Private Key Encryption:
– Much Internet Traffic - between unknown people and machines
– Web Servers face large amounts of traffic: Private Key Numbers might be cracked, leaked or stolen;
• Led to Development of Public Key Encryption:
– Pair of Keys: Public and Private
– Public Key available to anyone wishing to send encrypted data
– Data can only be decrypted with Private Key (no need to agree on keys in advance of data transfer)
– Only 3 or 4 (published) Public Key Encryption Algorithms
Public Key Encryption
• Public key cryptography solves symmetric key encryption problem of having to exchange secret key
• Uses two mathematically related digital keys – public key (widely disseminated) and private key (kept secret by owner)
• Both keys are used to encrypt and decrypt message
• Once key is used to encrypt message, same key cannot be used to decrypt message
• For example, sender uses recipient’s public key to encrypt message; recipient uses his/her private key to decrypt it
Using Signatures and Hash Key
• Application of hash function (mathematical algorithm) by sender prior to encryption produces hash digest that recipient can use to verify integrity of data
• Double encryption (digital envelope) with sender’s private key (digital signature) helps ensure authenticity and nonrepudiation
Digital Envelopes
• Addresses weaknesses of public key encryption (computationally slow, decreases transmission speed, increases processing time) and symmetric key encryption (faster, but less secure)
• Uses symmetric key encryption to encrypt document but public key encryption to encrypt and send symmetric key
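The envelope described above, and the public/private key usage from the Public Key Encryption slide, as an added example in Go (not code from the lecture slides). AES-256-GCM is assumed as the symmetric cipher and RSA-OAEP as the public key scheme, since the slides name neither; the order text is a constructed sample.

```go
package main
// Added example, not from the slides: a digital envelope. A fresh AES-256 session
// key encrypts the document; RSA-OAEP under the recipient's PUBLIC key wraps only
// that 32-byte key, so the two parties never have to agree a secret key in advance.
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is what travels over the open channel: the session key encrypted with
// the recipient's public key, and the document encrypted (GCM tag included) under it.
type Envelope struct{ WrappedKey, Ciphertext []byte }

func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048) // the recipient's key pair
}

// Seal encrypts document for the holder of recipientPub.
func Seal(recipientPub *rsa.PublicKey, document []byte) (*Envelope, error) {
	key := make([]byte, 32) // one-time AES-256 session key
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	// Only the small session key goes through the slow public-key operation.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, key, nil)
	if err != nil {
		return nil, err
	}
	// The session key protects exactly one message, so a fixed all-zero nonce is safe.
	ct := gcm.Seal(nil, make([]byte, gcm.NonceSize()), document, nil)
	return &Envelope{WrappedKey: wrapped, Ciphertext: ct}, nil
}

// Open recovers the document; only the matching PRIVATE key unwraps the session key, and GCM rejects any envelope altered in transit.
func Open(recipientPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, make([]byte, gcm.NonceSize()), env.Ciphertext, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	recipient, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	env, err := Seal(&recipient.PublicKey, []byte("Order 4711: 3 units (constructed sample)"))
	if err != nil {
		panic(err)
	}
	plain, err := Open(recipient, env)
	fmt.Printf("%s %v\n", plain, err)
}
```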
Digital Certificates and PKI
• Digital certificate: Digital document that includes:
– Name of subject or company
– Subject’s public key
– Digital certificate serial number
– Expiration date
– Issuance date
– Digital signature of certification authority (trusted third party (institution) that issues certificate)
– Other identifying information
• Public Key Infrastructure (PKI): refers to the Certification Authorities (CAs) and digital certificate procedures that are accepted by all parties
Limits to Encryption
• PKI applies mainly to protecting messages in transit
• PKI is not effective against insiders
• Protection of private keys by individuals may be haphazard
• No guarantee that verifying computer of merchant is secure
• CAs are unregulated, self-selecting organizations
Quantum Cryptography
• Existing encryption systems are subject to failure as computers become more powerful
• Scientists at Northwestern University have developed a high-speed quantum cryptography method
• Uses lasers and optical technology and a form of secret (symmetric) key encryption
• Message is encoded using granularity of light (quantum noise); pattern is revealed only through use of secret key
Security & Electronic Business
• Security: Major Control Issue for Management
• Commercially Sensitive Data MUST be kept private
• Transmitted data MUST be protected against alteration by someone other than the sender (e.g. Stock Market Execution Order)
• Encryption Standards:
– SSL (Secure Sockets Layer)
– S-http (Secure http transmission: visual cues – locked padlock)
– SET (Secure Electronic Transactions) (Visa and MasterCard)
• Other Payment Methods:
– e-cash; electronic cheques; digital wallets, e.g. Microsoft Wallet
Securing Communication Channels
• Secure Sockets Layer (SSL): Most common form of securing channels of communication; used to establish a secure negotiated session (client-server session in which URL of requested document, along with contents, is encrypted)
• S-HTTP: Alternative method; provides a secure message-oriented communications protocol designed for use in conjunction with HTTP
• Virtual Private Networks (VPNs): Allow remote users to access internal networks securely via the Internet, using Point-to-Point Tunneling Protocol (PPTP)
Security: Use of VPN
• A VPN is an Extranet
• An Extranet connects companies with suppliers or other companies, and can take any of the following forms:
– A public network
– A secure (private) network
– A Virtual Private Network (VPN)
• VPN uses public networks and protocols to send sensitive data to partners, customers, suppliers and employees using a system called “tunnelling” or “encapsulation”
• Tunnels are private passageways through the public Internet that provide secure transmission from one extranet to another
• VPN provides security shells, with the most sensitive data under tightest control.
How does VPN work?
• Company employees in remote locations can send information to the company without outsiders “seeing” the data.
• Data is sent over the public Internet, with additional
– Data encryption (to scramble the communications)
– Authentication (to ensure that the data has not been altered in transit, and comes from a legitimate source)
– Access control (to regulate who can access the network - password protection and other security measures)
• Benefits of VPN: MUCH cheaper than alternative methods of secure communication.
• Alternatives:
– Private leased line (expensive, and not easily scaleable)
– Dial-up to Remote Access Server (RAS) using a bank of modems to obtain direct access to the company LAN.
Technical Issues
• Maintaining Confidentiality and Integrity of Data
• How? Protocol tunnelling:
– Data packets are first encrypted,
– then encapsulated into IP packets for transmission across the Internet,
– and then decrypted (using a special host computer or router)
• Protocol tunnelling also supports multiprotocol networking (e.g. LANs typically employ protocols such as Novell’s IPX, which need to be encrypted for IP packet transmission, then encapsulated and read at the other end). To users the data appears as if they are directly connected to the LAN
• Protocols used:
1. Point-to-point (PTP) [implemented by Microsoft, and used in Windows NT, Windows 2000, Win XP];
2. Layer 2 Tunnelling Protocol (L2TP) - becoming the standard
Creating a VPN
• L2TP: Multivendor interoperability is important
• Often combined with IPSec [IP Security standard, developed by IETF]
• Three crucial technology components:
– Firewall products (hardware and software) [Activity: Find out what a Firewall is] (Visit Check Point Software Technologies)
– Routers (can operate as firewalls as well as routers) can ALSO operate as VPN servers
– Software applications that operate as complete VPN service providers (visit www.vpnc.org/features-chart.html for a comparative list of features and benefits of a range of commercial VPN Products)
• Many telecoms companies and ISPs offer VPN services for dial-up and PTP communications. Often these include private network service backbones with added security services, Internet connectivity and dial-up (e.g. AT&T; PSINet; Cable & Wireless (at the moment!) etc.)
Network Protection
• Firewall: Software application that acts as a filter between a company’s private network and the Internet
• Firewall methods include:
– Packet filters
– Application gateways
• Proxy servers: Software servers that handle all communications originating from or being sent to the Internet (act as “spokesperson” or “bodyguard” for the organization)
e-Business and Fraud
• Internet Stocks Fraud
– SEC brought charges against 44 companies and individuals who illegally promoted stocks on computer bulletin boards, online newsletters and investment Web sites
• Other Financial Fraud
– Selling bogus investments, phantom business opportunities, and other fraud schemes
• Other Fraud in EC
– Customers may
• receive poor quality products and services
• not get products in time
• be asked to pay for things they assume will be paid for by sellers
Common online scams
• Business opportunities
• Bulk mail solicitors
• Investment opportunities
• Work-at-home schemes
• Health and diet schemes
• Effortless income
• Nigerian Scam
• “phishing”
• Identity Theft
• Guaranteed loans or credit, on easy terms
• Free goods
• Chain letters
• Cable descrambler kits
• Credit repair
• Vacation prize promotions
• Lottery “wins”
Protection for Sellers
• Sellers must be protected against:
– Use of their names by others (Identity Theft - fastest growing white-collar crime)
– Use of their unique words and phrases, names, and slogans, trademarks, and their web addresses
– Dealing with customers who deny that they placed an order
– Other potential legal issues related to sellers’ protection
– Customers downloading copyrighted software and/or knowledge and selling it to others
– Not being properly paid for products and services provided
Government Initiatives
• 2002 Organization for Economic Cooperation and Development (OECD) Guidelines for the Security of Information Systems and Networks has 9 principles:
– Awareness
– Responsibility
– Response
– Ethics
– Democracy
– Risk assessment
– Security design and implementation
– Security management
– Reassessment
PayPal
• One of e-commerce’s major success stories:
• Went public in 2002; acquired by eBay October 2002 for $1.5 billion
• An example of a “peer-to-peer” payment system
• Fills a niche that credit card companies avoided – individuals and small merchants
• Piggybacks on existing credit card and checking payment systems
• Weakness: suffers from relatively high levels of fraud
• Competitors include Western Union (MoneyZap), AOL (AOLQuickcash) and Citibank (C2it)
Types of Payment Systems
• Cash
• Cheques (Bank Transfers)
• Credit Card
• Stored Value
• Accumulating Balance
Cheques
• Funds transferred directly via a signed draft or check from a consumer’s current account to a merchant or other individual
• Most common form of payment in terms of amount spent
• Can be used for both small and large transactions
• Allows for some float (funds committed to be paid but not yet paid)
• Not anonymous, require third-party intervention (banks)
• Introduce security risks for merchants (forgeries, stopped payments), so authentication is typically required
Stored Value/Accumulating Balance
• Stored Value
– Accounts created by depositing funds into an account and from which funds are paid out or withdrawn as needed
– Examples: Debit cards, gift certificates, prepaid cards, smart cards
– Debit cards: Immediately debit a current or other demand-deposit account
– Peer-to-peer payment systems such as PayPal
• Accumulating Balance
– Accounts that accumulate expenditures and to which consumers make periodic payments
– Examples: utility, phone, American Express accounts
Online Payment Systems
• Credit cards are dominant form of online payment, accounting for around 80%+ of online payments (in B2C) in 2006
• New forms of electronic payment include:
– Digital cash
– Online stored value systems
– Digital accumulating balance payment systems
– Digital credit accounts
– Digital cheques
Limitations of CC Online
• Security – neither merchant nor consumer can be fully authenticated
• Cost – for merchants, around 3.5% of purchase price plus transaction fee of 20-30 cents (US) per transaction
• Social equity – many people do not have access to credit cards (young adults, plus others who cannot afford cards or are considered poor risk)
Digital Divide (US)
• Digital Divide: Some groups don’t have same access to computers and Internet that others do
• Digital “have nots” include:
– Households with incomes below $35,000
– Those without college educations
– People living in rural areas
– African-Americans and Hispanics
– Seniors over 65
– Disabled
• Most recent Department of Commerce study: most of above groups gaining access to computers and Internet due to falling computer prices and free or low cost ISPs
• But without credit cards, still hard for people to shop online
Digital Wallets
• Concept of digital wallet relevant to many of the new digital payment systems
• Seeks to emulate the functionality of traditional wallet
• Most important functions:
– Authenticate consumer through use of digital certificates or other encryption methods
– Store and transfer value
– Secure payment process from consumer to merchant
• Two major categories:
– Client-based digital wallets – Gator.com, MasterCard Wallet
– Server-based digital wallets – MSN Wallet
Digital Cash
• One of the first forms of alternative payment systems
• Not really “cash” – rather, are forms of value storage and value exchange that have limited convertibility into other forms of value, and require intermediaries to convert
• Many early examples have disappeared; concepts survive as part of P2P payment systems http://www.ex.ac.uk/~RDavies/arian/emoney.html
Online Stored Value Systems
• Permit consumers to make instant, online payments to merchants and other individuals based on value stored in an online account
• Rely on value stored in a consumer’s bank, checking or credit card account
Use of Biometrics
• Photo of face
• Fingerprints
• Hand geometry
• Blood vessel pattern in the retina of a person’s eye
• Voice
• Signature
• Keystroke dynamics
E-Signatures
• Electronic Signatures in Global and National Commerce Act (E-Sign Law): Went into effect October 2001 in US
• Gives as much legal weight to electronic signature as to traditional version
• So far, not much impact
• Companies such as Silanis and others still moving ahead with new e-signature options
• http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci211953,00.html
• http://www.thefreedictionary.com/e-signature
Digital Signatures
• Ensures confidentiality and integrity of message
1. Use hash function to create “digest” of message (standard hash functions may be obtained, Stein (1998): “Web Security: a Step by Step Reference Guide”, Addison-Wesley)
2. Hash function result sent to recipient; recipient applies hash function and compares results
3. If identical, message has not been altered. Sender encrypts message, using recipient’s public key (produces block of cipher text)
4. Sender encrypts entire block of cipher text (again), using sender’s PRIVATE KEY. This produces a Digital Signature
5. This final step ensures authenticity, and prevents later repudiation.
6. NB: The digital signature is UNIQUE, both to the individual sender AND TO INDIVIDUAL DOCUMENTS
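The hash-then-sign steps above, and the "Using Signatures and Hash Key" slide, as an added example in Go that is not part of the slides. It signs the SHA-256 digest with RSA-PSS under the sender's private key (the slides name no hash or signature algorithm), and the execution order text is a constructed sample.

```go
package main

// Added example, not from the slides: a digital signature. The sender hashes the
// message (SHA-256) and signs the digest with their PRIVATE key (RSA-PSS); the
// recipient recomputes the digest and checks it with the sender's PUBLIC key.
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// NewKeyPair generates the sender's 2048-bit RSA key pair.
func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Sign creates the message digest (step 1) and signs it under the sender's
// private key (step 4). The same key pair serves all of that sender's messages,
// but every document gets its own digest and hence its own signature (step 6).
func Sign(senderPriv *rsa.PrivateKey, message []byte) ([]byte, error) {
	digest := sha256.Sum256(message)
	return rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
}

// Verify recomputes the digest from the message actually received (step 2) and
// checks it against the signature. A false result means the message was altered
// in transit, or was not signed by the holder of this public key.
func Verify(senderPub *rsa.PublicKey, message, signature []byte) bool {
	digest := sha256.Sum256(message)
	return rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], signature, nil) == nil
}

func main() {
	sender, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	// Constructed sample: a stock market execution order, as on the slides.
	order := []byte("SELL 100 XYZ at market, account 0001")
	sig, err := Sign(sender, order)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine order verifies:", Verify(&sender.PublicKey, order, sig))
	// Changing a single digit in transit changes the digest, so the check fails.
	altered := []byte("SELL 900 XYZ at market, account 0001")
	fmt.Println("altered order verifies:", Verify(&sender.PublicKey, altered, sig))
	// A signature made with some other key pair fails under the sender's public key,
	// which is what lets the recipient pin the order on this sender (nonrepudiation).
	other, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	forged, _ := Sign(other, order)
	fmt.Println("other key's signature verifies:", Verify(&sender.PublicKey, order, forged))
}
```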
Digital Certificates
• Even with all the previous techniques, some information is so sensitive that further security is required
• How do we know that people and institutions are who they claim?
• Anyone can produce a public and private key combination, and claim to be Mickey Mouse, or the Bank of England or Amazon.com
• Before placing an order, it is worth ensuring that you REALLY are dealing with Amazon, and not a spoofer
• Solved by Digital Certificates: A digital document, issued by a trusted third party - a Certification Authority (CA)
• Digital Certificate contains: Name of Subject (or Company); Subject’s public key; Digital Certificate Serial Number; Issue Date; Expiry Date; Digital Signature of CA (encrypted) + other information
• CAs: Verisign; TrustE; Government Agencies; etc.
• See also, Pretty Good Privacy: www.pgpi.org
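The "anyone can claim to be Amazon" problem above, and the certificate fields listed on the Digital Certificates and PKI slide, as an added example in Go (not code from the slides). A certificate for the constructed name shop.example signed by a trusted CA is accepted; a self-signed certificate claiming the same name is not. The CA, names, validity period and 2048-bit RSA keys are all assumptions.

```go
package main

// Added example, not from the slides: why the CA's signature on a certificate
// matters. A trusted CA binds the constructed name shop.example to the merchant's
// public key; an impostor who self-signs a certificate for the same name is rejected.
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must keeps the demo short: any setup failure is fatal.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a certificate for name carrying subjectKey's public key, signed by
// parentKey. With parent == nil it is self-signed, as a CA root or an impostor would do.
func issue(name string, isCA bool, subjectKey *rsa.PrivateKey, parent *x509.Certificate, parentKey *rsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))),
		Subject:               pkix.Name{CommonName: name},    // name of subject or company
		NotBefore:             time.Now().Add(-time.Hour),     // issue date
		NotAfter:              time.Now().Add(24 * time.Hour), // expiry date
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{name}
	}
	if parent == nil { // self-signed: the subject vouches for itself
		parent, parentKey = tmpl, subjectKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &subjectKey.PublicKey, parentKey))
	return must(x509.ParseCertificate(der))
}

// TrustedFor reports whether cert chains to a CA in roots and is valid for host.
// This is the check a browser performs before showing the padlock.
func TrustedFor(cert *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// Scenario builds the CA, the genuine merchant and the impostor, and reports
// whether each "shop.example" certificate is accepted by a client trusting the CA.
func Scenario() (genuineOK, impostorOK bool) {
	caKey := must(rsa.GenerateKey(rand.Reader, 2048))
	merchantKey := must(rsa.GenerateKey(rand.Reader, 2048))
	impostorKey := must(rsa.GenerateKey(rand.Reader, 2048)) // anyone can make a key pair...
	caCert := issue("Constructed Root CA", true, caKey, nil, nil)
	merchantCert := issue("shop.example", false, merchantKey, caCert, caKey)
	impostorCert := issue("shop.example", false, impostorKey, nil, nil) // ...and claim any name
	roots := x509.NewCertPool() // the client's list of trusted CAs
	roots.AddCert(caCert)
	return TrustedFor(merchantCert, roots, "shop.example"), TrustedFor(impostorCert, roots, "shop.example")
}

func main() {
	genuine, impostor := Scenario()
	fmt.Printf("CA-issued certificate trusted: %v; self-signed impostor trusted: %v\n", genuine, impostor)
}
```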
Issues for Discussion
• SSL:
– communication protocol, included in most browser software
• Common Method of Encrypting Credit Card Numbers
• Does NOT verify ownership of credit card!!!
• Used by Visa, MasterCard, American Express, etc.
• Is SSL adequate in protecting purchaser from fraud?
• Mondex Cards (and other Smart Cards) – higher security
• Digital Wallet Systems (e.g. Gator)
• Electronic Cheques (complete with digital signatures)
• VeriSign; TrustE; other Trusted third Parties
Managerial Issues
• Multinational corporations face different cultures in the different countries in which they are doing business
• Issues of privacy, ethics, etc. may seem to be tangential to running a business, but ignoring them may hinder the operation of many organizations
• The impact of electronic commerce and the Internet can be so strong that the entire manner in which companies do business might be changed, with significant impacts on procedures, people, organizational structure, management, and business processes (for discussion)
Management and Security
• What managerial issues arise relating to security?
• Need for comprehensive and coherent Security Plan
1. Undertake a Risk Assessment
2. Develop Security Policy
3. Design and Develop a Security Implementation Plan
4. Create a Security Team [important HR consideration]
5. Create a Climate of Awareness in the company
6. Put in Place a Security Management System (KMS)
7. Perform Periodic Security Audits
8. Keep the security systems updated
Security Tools
[Diagram: security tools] Encryption; Firewalls; Access Controls; Authentication; Intrusion Detection; Security Management; Network Security Protocols; Virtual Private Networks; Tunnelling; Proxy Agent Systems