MGT 3225: E-Business Lecture 6: E-commerce Security and Payment Systems Md. Mahbubul Alam, PhD.

The E-commerce Security Environment

- The Internet is an open network of vulnerable design; it lacks many basic security features.
- The overall size of cybercrime and its losses are unclear; the actual amount of the loss is difficult to quantify.
- 2012 survey: the average annualized cost of cybercrime was $8.9 million/year.
- Online credit card fraud and phishing attacks are perhaps the most high-profile forms of e-commerce crime.

What is good e-commerce security? To achieve the highest degree of security:
- New technologies
- Organizational policies and procedures
- Industry standards and government laws

Other factors:
- Time value of money: perfect security of every item is not needed forever.
- Weigh the cost of security against the potential loss.
- Security often breaks at the weakest link.

The E-commerce Security Environment

E-commerce security is multi-layered and must take into account new technology, policies and procedures, and laws and industry standards.

Dimensions of E-commerce Security

- Integrity: the ability to ensure that information being displayed on a Web site, or transmitted or received over the Internet, has not been altered in any way by an unauthorized party.
- Nonrepudiation: the ability to ensure that e-commerce participants do not deny (i.e., repudiate) their online actions.
- Authenticity: the ability to identify the identity of a person or entity with whom you are dealing on the Internet.
- Confidentiality: the ability to ensure that messages and data are available only to those who are authorized to view them.
- Privacy: the ability to control the use of information about oneself.
- Availability: the ability to ensure that an e-commerce site continues to function as intended.

Table 5.3, Page 254

The Tension Between Security and Other Values

- Ease of use: the more security measures are added, the more difficult a site is to use and the slower it becomes. Too much security can harm profitability, while not enough security can potentially put you out of business.
- Public safety and criminal uses of the Internet: use of technology by criminals to plan crimes or threaten nation-states.

Security Threats in the E-commerce Environment

Three key points of vulnerability in the e-commerce environment:
- Client
- Server
- Communications pipeline (Internet communications channels)

A Typical E-commerce Transaction Figure 5.2, Page 256

Vulnerable Points in an E-commerce Transaction Figure 5.3, Page 257

Most Common Security Threats

- Malicious code (malware, exploits)
  - Drive-by downloads
  - Viruses: replicate and spread to other programs
  - Worms: spread from computer to computer
  - Ransomware: restricts access and asks for payment
  - Trojan horses
  - Backdoors: remote access
  - Bots, botnets: respond to external commands
  - Threats exist at both the client and server levels
- Hacking
  - Hackers vs. crackers (hackers with criminal intent)
  - Types of hackers: white, black, and grey hats
    - White hats: good hackers who help organizations locate and fix security flaws
    - Black hats: act with the intent of causing harm
    - Grey hats: believe they are pursuing some greater good by breaking in and revealing system flaws
  - Hacktivism: cybervandalism and data theft for political purposes
- Potentially unwanted programs (PUPs), installed without the user's consent
  - Browser parasites: monitor and change the settings of a browser
  - Adware: serves pop-up ads
  - Spyware: collects information such as keystrokes, e-mail, IM, and so on
- Phishing: an online attack by a third party to obtain confidential information for financial gain
  - Social engineering: exploitation of human fallibility and gullibility to distribute malware
  - E-mail scams
  - Spear-phishing
  - Identity fraud/theft
- Cybervandalism: disrupting, defacing, or destroying a Web site
- Data breach: losing control over corporate information to outsiders

Most Common Security Threats (cont'd)

- Credit card fraud/theft
- Spoofing (hiding one's true identity by IP or e-mail address) and pharming (redirecting a Web link to an address different from the intended one)
- Spam (junk) Web sites (link farms): collections of advertisements
- Identity fraud/theft: unauthorized use of another person's personal data for illegal purposes
- Denial of service (DoS) attack: flooding a Web site with useless traffic to overwhelm the network
- Distributed denial of service (DDoS) attack: using numerous computers to attack the target network from numerous launch points
- Sniffing: a spying program that monitors information traveling over a network
- Insider attacks
- Poorly designed server and client software
- Social network security issues
- Mobile platform security issues
  - Vishing: targets naive cell phone users with verbal messages to call a certain number
  - Smishing: exploits SMS/text messages
  - Madware: innocent-looking apps that contain adware that launches pop-up ads
- Cloud security issues

Technology Solutions

- Protecting Internet communications: encryption
- Securing channels of communication: SSL, VPNs
- Protecting networks: firewalls
- Protecting servers and clients

Encryption

- Transforms data into cipher text readable only by the sender and receiver.
- Purpose: to secure stored information and to secure information transmission.
- Cipher text: text that has been encrypted and thus cannot be read by anyone other than the sender and the receiver.
- Provides 4 of the 6 key dimensions of e-commerce security:
  - Message integrity: assurance that the message has not been altered.
  - Nonrepudiation: prevents the user from denying that he/she sent the message.
  - Authentication: provides verification of the identity of the person.
  - Confidentiality: assurance that the message was not read by others.

Symmetric/Secret Key Encryption

- Both the sender and receiver use the same digital key to encrypt and decrypt the message.
- Requires a different set of keys for each transaction.
- Strength of encryption: the length of the binary key used to encrypt the data.
  - Data Encryption Standard (DES) uses a 56-bit encryption key.
  - Advanced Encryption Standard (AES): the most widely used symmetric key encryption; uses 128-, 192-, and 256-bit encryption keys.
  - Other standards use keys with up to 2,048 bits.

Public Key Encryption

- Uses two mathematically related digital keys:
  - Public key (widely disseminated)
  - Private key (kept secret by the owner)
- Both keys are used to encrypt and decrypt messages.
- Once a key has been used to encrypt a message, the same key cannot be used to decrypt it.
- The sender uses the recipient's public key to encrypt the message; the recipient uses the private key to decrypt it.

Public Key Encryption Using Digital Signatures and Hash Digests

- Hash function: a mathematical algorithm that produces a fixed-length number called a message digest or hash digest.
- The hash digest of the message is sent to the recipient along with the message to verify integrity.
- The hash digest and message are encrypted with the recipient's public key.
- The entire cipher text is then encrypted with the sender's private key, creating a digital signature, for authenticity and nonrepudiation.

Digital Envelopes

- Address the weaknesses of:
  - Public key encryption: computationally slow, decreased transmission speed, increased processing time.
  - Symmetric key encryption: insecure transmission lines.
- Uses symmetric key encryption to encrypt the document.
- Uses public key encryption to encrypt and send the symmetric key: a "key within a key".
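The symmetric key, public key, hash digest and digital envelope slides above describe one pipeline. The following is an added teaching example, not code from the lecture or from the Laudon text, that implements that pipeline in Python with deliberately toy-sized parts: an XOR stream cipher keyed through SHA-256 stands in for AES, and textbook RSA with small primes (61, 53 for the recipient and 71, 67 for the sender; both are assumptions chosen for readability) stands in for real public key encryption. It signs the hash digest with the sender's private key, the usual construction, rather than re-encrypting the whole cipher text as the slide wording suggests. At these sizes nothing here is secure; the point is to make the role of each key visible and to show that a tampered body or a wrong key is rejected.

```python
import hashlib
import os
from math import gcd

# --- Symmetric (secret key) encryption: one key both encrypts and decrypts ---
# Stand-in for AES: an XOR stream whose keystream is SHA-256(key || counter).
# Demonstration only; this is not a vetted cipher.
def symmetric_crypt(key: bytes, data: bytes) -> bytes:
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

# --- Public key encryption: textbook RSA with tiny primes (assumed toy sizes) ---
def rsa_keypair(p: int = 61, q: int = 53, e: int = 17):
    """Return (public_key, private_key), each as an (exponent, modulus) pair."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)            # private exponent (modular inverse, Python 3.8+)
    return (e, n), (d, n)

def rsa_apply(key, value: int) -> int:
    exp, n = key
    return pow(value, exp, n)      # the same operation encrypts, decrypts, signs, verifies

def rsa_encrypt_bytes(key, data: bytes) -> list:
    """One byte per RSA block; workable only because n is tiny."""
    return [rsa_apply(key, b) for b in data]

def rsa_decrypt_bytes(key, blocks: list) -> bytes:
    values = [rsa_apply(key, c) for c in blocks]
    if any(v > 255 for v in values):
        raise ValueError("decryption did not yield bytes (wrong key?)")
    return bytes(values)

# --- Hash digest for integrity: fixed-length (32-byte) fingerprint of the message ---
def message_digest(message: bytes) -> bytes:
    return hashlib.sha256(message).digest()

# --- Digital envelope: symmetric key for the body, public key for the key itself ---
def seal_envelope(recipient_pub, sender_priv, message: bytes) -> dict:
    session_key = os.urandom(16)                                   # fresh key per message
    body = symmetric_crypt(session_key, message)                   # bulk encryption (fast)
    wrapped_key = rsa_encrypt_bytes(recipient_pub, session_key)    # "key within a key"
    signature = rsa_encrypt_bytes(sender_priv, message_digest(message))  # sign the digest
    return {"body": body, "wrapped_key": wrapped_key, "signature": signature}

def open_envelope(recipient_priv, sender_pub, envelope: dict) -> bytes:
    session_key = rsa_decrypt_bytes(recipient_priv, envelope["wrapped_key"])
    message = symmetric_crypt(session_key, envelope["body"])
    # Recompute the digest and compare it with the one recovered from the signature
    if rsa_decrypt_bytes(sender_pub, envelope["signature"]) != message_digest(message):
        raise ValueError("signature/integrity check failed")
    return message

def envelope_opens(recipient_priv, sender_pub, envelope: dict) -> bool:
    """True if the envelope decrypts and verifies; False for a wrong key or tampering."""
    try:
        open_envelope(recipient_priv, sender_pub, envelope)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    r_pub, r_priv = rsa_keypair(61, 53)      # recipient's pair
    s_pub, s_priv = rsa_keypair(71, 67)      # sender's pair (distinct primes)
    env = seal_envelope(r_pub, s_priv, b"Order 1234: pay $19.99")
    print(open_envelope(r_priv, s_pub, env))
    tampered = dict(env, body=bytes([env["body"][0] ^ 0xFF]) + env["body"][1:])
    print("tampered envelope opens:", envelope_opens(r_priv, s_pub, tampered))
```

Run it directly to see the round trip succeed and the tampered copy fail. The design choice worth noticing is that the expensive public key operation touches only 16 bytes of session key and a 32-byte digest, while the bulk of the message goes through the fast symmetric cipher, which is exactly the speed argument the digital envelope slide makes.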

Digital Certificates and Public Key Infrastructure (PKI)

- A digital certificate includes:
  - Name of the subject/company
  - Subject's public key
  - Digital certificate serial number
  - Expiration date, issuance date
  - Digital signature of the CA
- Public Key Infrastructure (PKI): CAs and digital certificate procedures (issue, verify, and guarantee digital certificates).
- Pretty Good Privacy (PGP, pgpi.org)

Limits to Encryption Solutions

- Doesn't protect storage of the private key.
- PKI is not effective against insiders and employees.
- Protection of private keys by individuals may be haphazard.
- No guarantee that the verifying computer of the merchant is secure.
- CAs are unregulated, self-selecting organizations.

Securing Channels of Communication

- Secure Sockets Layer (SSL)/Transport Layer Security (TLS): establishes a secure, negotiated client-server session.
- Virtual Private Network (VPN): allows remote users to securely access an internal network via the Internet.
- Wireless (Wi-Fi) networks: WPA2.

Secure Negotiated Sessions Using SSL/TLS Figure 5.10, Page 286
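The negotiated SSL/TLS session in the figure above, and the certificate fields listed on the digital certificate slide, can be seen from the client side with Python's standard ssl module. The block below is an added example, not from the lecture, and it places the weak client configuration (no certificate or hostname verification, the setting that lets anyone impersonate the merchant) beside the hardened one. The hostname `shop.example.com`, the CA name and the serial number in `SAMPLE_CERT` are constructed values in the layout `getpeercert()` returns; only `negotiate()` needs network access and it is not exercised offline.

```python
import socket
import ssl

def weak_client_context() -> ssl.SSLContext:
    """The setting to avoid: no certificate verification and no hostname check,
    so the client will negotiate a session with whoever answers, not the merchant."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def hardened_client_context() -> ssl.SSLContext:
    """Verify the server certificate against the system CA store, check that the
    certificate's name matches the host, and refuse pre-1.2 protocol versions."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def context_report(ctx: ssl.SSLContext) -> dict:
    """Summarize what a context will actually enforce during the handshake."""
    return {
        "verifies_server_cert": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "min_version": ctx.minimum_version.name,
    }

def summarize_cert(cert: dict) -> dict:
    """Pull the slide's certificate fields (subject, issuing CA, serial number,
    issuance and expiration dates) out of the dict SSLSocket.getpeercert() returns."""
    def common_name(rdns):
        return next((v for rdn in rdns for k, v in rdn if k == "commonName"), None)
    return {
        "subject": common_name(cert.get("subject", ())),
        "issuer": common_name(cert.get("issuer", ())),
        "serial": cert.get("serialNumber"),
        "valid_from": cert.get("notBefore"),
        "valid_until": cert.get("notAfter"),
    }

def negotiate(host: str, port: int = 443) -> dict:
    """Open a verified TLS session and report the negotiated parameters.
    Needs network access, so it is not part of the offline checks."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return {"version": tls.version(), "cipher": tls.cipher()[0],
                    "cert": summarize_cert(tls.getpeercert())}

# Constructed sample in getpeercert() layout; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),), (("organizationName", "Example Shop Inc"),),
                (("commonName", "shop.example.com"),)),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example CA Root"),)),
    "serialNumber": "0A1B2C3D",
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
}

if __name__ == "__main__":
    print("weak:    ", context_report(weak_client_context()))
    print("hardened:", context_report(hardened_client_context()))
    print("cert:    ", summarize_cert(SAMPLE_CERT))
```

The limits slide's point that "CAs are unregulated, self-selecting organizations" shows up here as the CA store `create_default_context()` loads: verification is only as good as the roots in that store, which is why the issuer field of the summary is worth reading, not just the subject.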

Protecting Networks

- Firewall
  - Hardware or software
  - Uses a security policy to filter packets
  - Two main methods:
    - Packet filters examine data packets to determine whether they are destined for a prohibited port or originate from a prohibited IP address.
    - Application gateways filter communication based on the application being requested.
- Proxy servers (proxies)
  - Software servers that handle all communications from or sent to the Internet.
  - Limit access of internal clients to external Internet servers.
  - Dual-home system: gateway for internal computers, mail server for external computers.
- Intrusion detection systems (IDS): examine network traffic, watching to see if it matches certain patterns or preconfigured rules indicative of an attack.
- Intrusion prevention systems (IPS): have all the functionality of an IDS, with the additional ability to take steps to prevent and block suspicious activities.
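To make the packet filter, application gateway, IDS and IPS distinctions above concrete, here is an added example (not from the lecture or any firewall product) that evaluates a small first-match, default-deny rule set over constructed packet records, then inspects the application payload for preconfigured patterns the way an IDS would, and optionally blocks on a match the way an IPS would. The addresses are from the documentation ranges (198.51.100.0/24, 203.0.113.0/24, 192.0.2.0/24), the rules and the two signatures are assumptions made up for the demonstration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str
    payload: str = ""      # application data, what an application gateway looks at

# Packet-filter policy (constructed): first matching rule wins, last rule is the
# default deny. It expresses the slide's "prohibited IP" and "prohibited port" checks.
PACKET_RULES = [
    {"action": "deny",  "src": "203.0.113.0/24"},       # blocked netblock
    {"action": "allow", "dst_port": 443, "proto": "tcp"},  # HTTPS to the shop
    {"action": "allow", "dst_port": 80,  "proto": "tcp"},  # HTTP to the shop
    {"action": "deny"},                                  # everything else, e.g. telnet/23
]

def rule_matches(rule: dict, pkt: Packet) -> bool:
    """A rule matches when every field it specifies agrees with the packet."""
    if "src" in rule and ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(rule["src"]):
        return False
    if "dst_port" in rule and pkt.dst_port != rule["dst_port"]:
        return False
    if "proto" in rule and pkt.proto != rule["proto"]:
        return False
    return True

def filter_packet(pkt: Packet, rules=PACKET_RULES) -> str:
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["action"]
    return "deny"          # defensive default if the rule list has no catch-all

# IDS signatures (constructed): patterns in the payload that are indicative of
# an attack. Real rule sets are far larger; two entries show the mechanism.
IDS_SIGNATURES = {
    "path-traversal": "../",
    "script-injection": "<script",
}

def inspect_payload(pkt: Packet) -> list:
    return [name for name, pattern in IDS_SIGNATURES.items() if pattern in pkt.payload.lower()]

def process(pkt: Packet, prevent: bool = False):
    """IDS mode (prevent=False) only reports alerts on traffic the filter allowed;
    IPS mode (prevent=True) additionally changes the verdict to deny on an alert."""
    verdict = filter_packet(pkt)
    alerts = inspect_payload(pkt) if verdict == "allow" else []
    if prevent and alerts:
        verdict = "deny"
    return verdict, alerts

if __name__ == "__main__":
    samples = [
        Packet("198.51.100.7", "192.0.2.10", 443, "tcp"),
        Packet("203.0.113.5", "192.0.2.10", 443, "tcp"),
        Packet("198.51.100.7", "192.0.2.10", 23, "tcp"),
        Packet("198.51.100.7", "192.0.2.10", 80, "tcp", "GET /images/../../config HTTP/1.1"),
    ]
    for p in samples:
        print(p.src_ip, p.dst_port, "IDS:", process(p), "IPS:", process(p, prevent=True))
```

Note where each control sits: the packet filter decides on headers alone and never sees the payload, so the traversal probe to port 80 passes it; only the payload inspection notices it, and only in IPS mode is it blocked. That ordering is the practical reason the slide lists all three.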

Firewalls and Proxy Servers

- The primary function of a firewall is to deny access by remote client computers to local computers.
- The primary purpose of a proxy server is to provide controlled access from local computers to remote computers.

Protecting Servers and Clients

- Operating system security enhancements: upgrades, patches.
- Anti-virus software: the easiest and least expensive way to prevent threats to system integrity; requires daily updates.

Management Policies, Business Procedures, and Public Laws

- Worldwide, companies spend more than $65 billion on security hardware, software, and services.
- Managing risk includes:
  - Technology
  - Effective management policies
  - Public laws and active enforcement

A Security Plan: Management Policies

- Risk assessment
- Security policy
- Implementation plan
- Security organization: educates and trains users
- Access controls: determine who can gain legitimate access to a network
- Authentication procedures, including biometrics: digital signatures, digital certificates, PKI, biological and physical characteristics
- Authorization policies, authorization management systems
- Security audit: routine review of access logs
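The last three items of the security plan (access controls, authorization policies, security audit) fit together as one mechanism, and the added example below, which is not from the lecture, shows it in Python: a role-based authorization policy, then a routine audit that reads access-log lines and reports two kinds of finding, enforcement decisions that disagree with the policy and accounts with repeated failed logins inside a short window. The users, roles, resources and log lines are all constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Authorization policy (constructed): which role may perform which action.
ROLE_PERMISSIONS = {
    "clerk":   {"orders:read"},
    "manager": {"orders:read", "orders:refund", "reports:read"},
    "admin":   {"orders:read", "orders:refund", "reports:read", "users:manage"},
}
USER_ROLES = {"alice": "manager", "bob": "clerk", "carol": "admin"}

def is_authorized(user: str, action: str) -> bool:
    """Access control decision: unknown users and unlisted actions are denied."""
    role = USER_ROLES.get(user)
    return role is not None and action in ROLE_PERMISSIONS[role]

# Constructed access log: "<ISO timestamp> <user> <action> <result>" per line.
ACCESS_LOG = """\
2024-03-01T09:00:01 alice orders:refund success
2024-03-01T09:00:05 bob orders:refund denied
2024-03-01T09:01:10 mallory login failure
2024-03-01T09:01:12 mallory login failure
2024-03-01T09:01:15 mallory login failure
2024-03-01T09:01:16 mallory login failure
2024-03-01T09:05:00 bob reports:read success
2024-03-01T09:30:00 bob login failure
2024-03-01T10:00:00 bob login success
"""

def parse_log(text: str) -> list:
    entries = []
    for line in text.splitlines():
        ts, user, action, result = line.split()
        entries.append((datetime.fromisoformat(ts), user, action, result))
    return entries

def audit(entries: list, max_failures: int = 3, window: timedelta = timedelta(minutes=5)) -> list:
    """Routine review of the access log. Returns human-readable findings."""
    findings = []
    recent_failures = defaultdict(list)      # user -> timestamps of failed logins in window
    for ts, user, action, result in entries:
        # 1. Did the enforcement point agree with the written authorization policy?
        if action != "login":
            expected = "success" if is_authorized(user, action) else "denied"
            if result != expected:
                findings.append(f"policy mismatch: {user} {action} got {result}, expected {expected}")
        # 2. Repeated failed logins within the window (reported once, on reaching the threshold)
        if action == "login" and result == "failure":
            kept = [t for t in recent_failures[user] if ts - t <= window]
            recent_failures[user] = kept + [ts]
            if len(recent_failures[user]) == max_failures:
                findings.append(f"{user}: {max_failures} failed logins within {window}")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_log(ACCESS_LOG)):
        print(finding)
```

The policy-mismatch check is the one auditors value most: the log says bob, a clerk, read a report successfully, which the policy does not permit, so either the enforcement code or the role table has drifted from the written policy. Single failed logins, like bob's at 09:30, produce no finding; only the burst from the unknown account does.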

Electronic Payment Systems: Types

- Online credit card transactions: the most popular, and often the default choice of payment for e-commerce.
- Digital wallets: use NFC technology. The user may pay by simply tapping his phone to a compatible POS terminal with a secret PIN. E.g., Google Checkout.
- Digital cash: "currency" represented in an electronic form. E.g., Octopus Card in Hong Kong, Ez-link Card in Singapore.
- Electronic cheques
- Online stored value systems, e.g., PayPal.
- Digital accumulating balance payment systems: similar to digital wallets; ideal for micro-transaction payments; allow the user to make multiple purchases, which are totaled up and billed at the end of a time period.
- Mobile commerce, "wallet phone": no need for card authentication or customer signature. E.g., Osaifu Keitai in Japan.

NFC = Near Field Communication, a wireless technology.

How an Online Credit Transaction Works Figure 5.15, Page 302

Questions, please?