Chapter 4: E-Commerce Infrastructure
Copyright © 2012 Pearson Education, Inc. Publishing as Prentice Hall

Learning Objectives
- Understand the major components of EC infrastructure.
- Understand the importance and scope of security of information systems for EC.
- Learn about the major EC security
- Identify and assess major technologies and methods for securing EC access and communications.
- Describe various types of online payment.
1. Security
The Information Security Problem
Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.
Security is needed for:
- Personal information
- Financial information
- Business information
- National information
EC Security Threats and Attacks
There are many threats to EC security:
- Virus: a piece of software code that inserts itself into a program (the host) and changes the action of that program; it spreads when the infected program is copied or run.
- Worm: a software program that runs independently, consuming the resources of its host, and propagates complete copies of itself to other machines over the network without needing a host program.
- Trojan horse: a program that appears to have a useful function but contains a hidden function that presents a security risk.
EC Security Threats and Attacks (continued)
- Banking Trojan: a Trojan that activates when the computer's owner visits an e-banking or e-commerce site, typically to steal login credentials or card data.
- Denial-of-service (DoS) attack: using specialized software to send a flood of data packets or requests to the target computer with the aim of overloading its resources so that legitimate users cannot be served; when the flood comes from many machines at once it is called a distributed DoS (DDoS) attack.
- Spam: the electronic equivalent of junk mail.
- Hacker: someone who gains unauthorized access to a computer system.
- Cracker: a malicious hacker who may change code and steal information from the hacked systems.
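As an added example that is not part of the original slides, the following Python script shows what the flood behaviour in the DoS definition looks like from the defender's side: it parses a few constructed web-server access-log lines and flags any source address that exceeds a request-rate threshold inside a sliding time window. The log format, the IP addresses, the timestamps and the threshold values are all assumptions chosen for illustration.

```python
"""Sliding-window request-rate detector for a simple DoS flood (added example)."""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines: "<ISO timestamp> <client ip> <request path>".
# The addresses (documentation ranges) and timestamps are made up for illustration.
SAMPLE_LOG = """\
2024-05-01T10:00:00 203.0.113.5 /product/42
2024-05-01T10:00:01 198.51.100.7 /cart
2024-05-01T10:00:01 203.0.113.5 /product/42
2024-05-01T10:00:01 203.0.113.5 /product/42
2024-05-01T10:00:02 203.0.113.5 /product/42
2024-05-01T10:00:02 203.0.113.5 /product/42
2024-05-01T10:00:03 203.0.113.5 /product/42
2024-05-01T10:00:03 203.0.113.5 /product/42
2024-05-01T10:00:04 198.51.100.7 /checkout
2024-05-01T10:00:20 203.0.113.5 /product/42
"""


def parse_log(text):
    """Yield (timestamp, ip, path) tuples in file order, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2]


def detect_floods(events, window_seconds=5, threshold=5):
    """Return {ip: timestamp at which that ip first reached `threshold` requests
    within any `window_seconds` window}. Events must arrive in time order."""
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    flagged = {}
    for ts, ip, _path in events:
        q = recent[ip]
        q.append(ts)
        # Drop timestamps that have fallen out of the window.
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def flood_report(text=SAMPLE_LOG, window_seconds=5, threshold=5):
    """Convenience wrapper: parse the log text and run the detector over it."""
    return detect_floods(parse_log(text), window_seconds, threshold)


if __name__ == "__main__":
    for ip, when in flood_report().items():
        print(f"{ip} reached 5 requests within 5 s at {when.isoformat()}")
```

In the sample, 203.0.113.5 sends seven requests in four seconds and is flagged; 198.51.100.7 makes two ordinary requests and is not. A real flood is orders of magnitude larger and usually spread across many sources (a DDoS), so the same per-source logic has to be complemented by aggregate thresholds and upstream filtering.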
EC Security Threats and Attacks (continued)
- Zombies: computers infected with malware that lets an attacker control them remotely.
- Page hijacking: creating a rogue copy of a popular website that shows content similar to the original to a Web crawler, so that the copy appears in search results; once there, an unsuspecting user is redirected to malicious websites.
- Botnet: a huge number (e.g., hundreds of thousands) of hijacked Internet computers (zombies) that have been set up to forward traffic, including spam and viruses, to other computers on the Internet.
- Phishing: tricking users into revealing passwords, card numbers or other sensitive data through fraudulent e-mails or spoofed websites that impersonate a legitimate organization such as a bank or online store.
EC Security - Assurance Model
Internet Security Assurance Model: three security concepts important to information on the Internet are confidentiality, integrity, and availability (the CIA triad).
- Confidentiality: assurance that data is disclosed only to those authorized to see it (data privacy).
- Integrity: assurance that stored data has not been modified without authorization, and that a message that was sent is the same message as that which was received.
- Availability: assurance that access to data, the website, or other EC data services is timely and reliable for authorized users, and restricted to them.
EC Security - Defense Strategy
EC Security Requirements
- Authentication: process to verify (assure) the real identity of an individual, computer, computer program, or EC website.
- Authorization: process of determining what the authenticated entity is allowed to access and what operations it is allowed to perform.
- Nonrepudiation: assurance that online customers or trading partners cannot falsely deny (repudiate) their purchase or transaction; in practice this relies on digital signatures, which only the holder of the signer's private key can produce.
- Encryption: the process of scrambling (encrypting) a message in such a way that it is difficult, expensive, or time-consuming for an unauthorized person to unscramble (decrypt) it.
- Auditing: recording who did what and when, so that actions can be traced and intrusions or disputes investigated.
- Availability: as defined in the assurance model above.
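The following Python module is an added example, not code from the slides or the textbook, showing how four of the requirements listed above are met with nothing but the standard library: authentication with salted, iterated password hashing; authorization with a deny-by-default role table; message integrity with an HMAC tag over a canonical encoding of an order; and auditing with an append-only decision log. The role names, permission strings, key and order fields are assumptions for illustration.

```python
"""Authentication, authorization, integrity and auditing with the standard library (added example)."""
import hashlib
import hmac
import json
import os


# ---- Authentication: store a salted, iterated digest, never the password ----
def hash_password(password, salt=None, iterations=200_000):
    """Return a record that can be stored safely; PBKDF2-HMAC-SHA256 with a random salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}


def verify_password(password, record):
    """Recompute the digest and compare in constant time so timing does not leak matches."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["digest"])


# ---- Authorization: least privilege, deny by default ----
ROLE_PERMISSIONS = {   # assumed roles and permission strings
    "customer": {"order:create", "order:read_own"},
    "support":  {"order:read_any", "refund:issue"},
    "admin":    {"order:create", "order:read_own", "order:read_any", "refund:issue", "user:manage"},
}


def is_authorized(role, action):
    """Unknown roles and unlisted actions are refused."""
    return action in ROLE_PERMISSIONS.get(role, set())


# ---- Integrity: HMAC tag over a canonical JSON encoding of the order ----
# Note: an HMAC proves integrity and origin only to the two parties sharing the key;
# either of them could have produced the tag, so it does NOT give nonrepudiation.
# That requires a digital signature (RSA/ECDSA), which the standard library lacks.
def order_tag(order, key):
    canonical = json.dumps(order, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def order_intact(order, tag, key):
    return hmac.compare_digest(order_tag(order, key), tag)


# ---- Auditing: append-only record of every security decision ----
AUDIT_LOG = []


def audited(user, action, allowed):
    AUDIT_LOG.append({"user": user, "action": action, "allowed": allowed})
    return allowed


def handle_order(user, role, password, record, order, tag, key):
    """Authenticate, authorize, check integrity, and audit each decision."""
    if not verify_password(password, record):
        return audited(user, "authenticate", False), "bad credentials"
    if not is_authorized(role, "order:create"):
        return audited(user, "order:create", False), "not permitted"
    if not order_intact(order, tag, key):
        return audited(user, "order:create", False), "order tampered"
    return audited(user, "order:create", True), "accepted"


if __name__ == "__main__":
    key = os.urandom(32)
    rec = hash_password("correct horse battery staple")
    order = {"item": 42, "qty": 1, "total": 19.99}
    tag = order_tag(order, key)
    print(handle_order("alice", "customer", "correct horse battery staple", rec, order, tag, key))
    print(handle_order("alice", "customer", "wrong password", rec, order, tag, key))
    print(AUDIT_LOG)
```

Each check fails closed, and the audit entry is written whether the request was allowed or refused, which is what makes the log useful during an investigation.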
EC Security - Defense Strategy
Some of the technologies used to provide EC security:
- Anti-virus: to protect a computer from viruses and other malware.
- Anti-spyware: to protect a computer from spyware.
- Firewall: to protect a network from unauthorized access by filtering traffic according to a set of rules.
- Secure Sockets Layer (SSL): used to encrypt data transferred between the server and the client. SSL itself is obsolete; its successor, Transport Layer Security (TLS), provides the same function and is what an "https" connection actually uses today. Encryption alone is not enough: the client must also verify the server's certificate and that it matches the site's name, otherwise an attacker on the network path can impersonate the site.
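As an added example (not from the slides), the Python module below puts a weak TLS client configuration beside the corrected one and includes a small audit function that reports the three settings a practitioner checks first: certificate verification, hostname checking, and the minimum protocol version. The `fetch_over_tls` helper shows how the corrected context is used against a real server; it needs network access and is assumed here rather than run.

```python
"""Client-side TLS configuration check (added example): weak settings beside corrected ones."""
import ssl


def insecure_context():
    """What NOT to do: encryption without verification. Any on-path attacker
    presenting their own certificate would be accepted without complaint."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be turned off before CERT_NONE is accepted
    ctx.verify_mode = ssl.CERT_NONE     # accept any certificate, even self-signed
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # allow legacy SSL/TLS versions
    return ctx


def secure_context(cafile=None):
    """Corrected configuration: verify the chain against trusted CAs, check the
    hostname against the certificate, and refuse anything older than TLS 1.2."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Return a list of findings; an empty list means the context passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 are allowed")
    return findings


def fetch_over_tls(host, port=443, ctx=None):
    """Open a verified TLS connection and return the negotiated protocol version and
    the certificate subject. Requires network access (assumed, not exercised here)."""
    import socket
    ctx = ctx or secure_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert().get("subject")


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_context()), ("secure", secure_context())):
        print(name, audit_context(ctx) or "OK")
```

The same three checks apply to any HTTP client library: disabling verification to "make the error go away" turns an authenticated, encrypted channel into an encrypted channel to whoever answers, which is exactly the case a banking Trojan or a rogue access point exploits.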
2. Payment
The Payment Revolution
There are different methods for online payment:
- Payment cards
- Smart cards
- Stored-value cards
- E-micropayments
- E-checks
- Mobile payments
The Payment Revolution
Choosing the e-payment method: critical factors that affect the choice of a particular method of e-payment include:
- Independence
- Portability
- Security
- Ease of use
- Transaction fees
- International support
- Regulations
Using Payment Cards Online
Payment card: an electronic card that contains information that can be used for payment purposes.
- Credit cards
- Charge cards
- Debit cards
Processing cards online
- Authorization: determines whether a buyer's card is active and whether the customer has sufficient funds (or credit) for the purchase; an approved authorization places a hold on that amount.
- Settlement: transferring money from the buyer's account to the merchant's account; for online purchases this is typically done in a batch once the goods have shipped.
Using Payment Cards Online - Fraudulent Card Transactions
Key tools used in combating fraud:
- Address Verification System (AVS): detects fraud by comparing the billing address entered on a Web page with the address information on file with the cardholder's issuing bank; the issuer returns a result code indicating whether the street number and the postal code matched, and the merchant decides what to do with a partial match.
- Card verification number (CVN): detects fraud by comparing the verification number printed on the signature strip on the back of the card (on the front for some card brands) with the information held by the cardholder's issuing bank. Because the number appears only on the physical card, a correct CVN suggests the buyer has the card in hand; merchants must not store it after authorization.
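The Python module below is an added example, not code from the slides or any payment provider, that models the authorization step with the two fraud checks above. It adds one merchant-side check the slides do not mention, the Luhn checksum, which catches mistyped card numbers before anything is sent to the gateway. The issuer file is constructed: 4111111111111111 is a widely published test number, not a real account, and the address, balance and CVN are made up. Real issuers do not keep the CVN on file but recompute it from card data with a secret key; a hashed value stands in for that here. The AVS result codes (Y, A, Z, N) follow the usual issuer convention.

```python
"""Simulated online card authorization with AVS and CVN checks (added example)."""
import hashlib
import hmac
from dataclasses import dataclass


def _cvn_digest(pan, cvn):
    """Stand-in for the issuer's cryptographic CVN check (simplification, see lead-in)."""
    return hashlib.sha256(f"{pan}:{cvn}".encode()).hexdigest()


# Constructed issuer cardholder file; one test card, made-up address and balance.
ISSUER_FILE = {
    "4111111111111111": {
        "active": True,
        "available": 250.00,
        "street": "12 Main St",
        "zip": "90210",
        "cvn_digest": _cvn_digest("4111111111111111", "123"),
    },
}


def luhn_valid(pan):
    """Merchant-side sanity check: the Luhn checksum catches typos, not fraud."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _digits(s):
    return "".join(c for c in s if c.isdigit())


def avs_code(street, zip_code, on_file):
    """AVS compares only the numeric part of the street address and the postal code.
    Y: both match, A: street only, Z: postal code only, N: neither."""
    street_ok = _digits(street) == _digits(on_file["street"])
    zip_ok = _digits(zip_code)[:5] == _digits(on_file["zip"])[:5]
    return {(True, True): "Y", (True, False): "A", (False, True): "Z"}.get((street_ok, zip_ok), "N")


@dataclass
class AuthRequest:
    pan: str
    cvn: str
    amount: float
    street: str
    zip_code: str


def authorize(req, issuer_file=ISSUER_FILE):
    """Issuer-side authorization: active card, CVN match, sufficient funds, AVS result.
    An approval places a hold on the amount until settlement."""
    if not luhn_valid(req.pan):
        return {"approved": False, "reason": "invalid_pan", "avs": None, "cvn_match": None}
    rec = issuer_file.get(req.pan)
    if rec is None or not rec["active"]:
        return {"approved": False, "reason": "card_inactive", "avs": None, "cvn_match": None}
    avs = avs_code(req.street, req.zip_code, rec)
    cvn_match = hmac.compare_digest(_cvn_digest(req.pan, req.cvn), rec["cvn_digest"])
    if not cvn_match:
        return {"approved": False, "reason": "cvn_mismatch", "avs": avs, "cvn_match": False}
    if req.amount > rec["available"]:
        return {"approved": False, "reason": "insufficient_funds", "avs": avs, "cvn_match": True}
    rec["available"] -= req.amount          # hold the funds; settlement moves them later
    return {"approved": True, "reason": "approved", "avs": avs, "cvn_match": True}


def merchant_accepts(auth, allowed_avs=("Y", "A", "Z")):
    """Issuers commonly approve despite an AVS mismatch and leave the decision to the
    merchant. This merchant's rule: approved, CVN matched, and AVS not a full mismatch."""
    return bool(auth["approved"] and auth["cvn_match"] and auth["avs"] in allowed_avs)


if __name__ == "__main__":
    req = AuthRequest("4111111111111111", "123", 60.0, "12 Main Street", "90210-1234")
    result = authorize(req)
    print(result, "merchant accepts:", merchant_accepts(result))
```

Note that the CVN is used once, compared and discarded; it is never written to the issuer file or a merchant database, which mirrors the rule that the code must not be retained after authorization.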
Smart Cards
- Smart card: an electronic card containing an embedded microchip that enables predefined operations or the addition, deletion, or manipulation of information on the card.
- Contact card: a smart card containing a small gold plate on the face that, when inserted in a smart card reader, makes contact and passes data to and from the embedded microchip.
- Contactless (proximity) card: a smart card with an embedded antenna, by means of which data and applications are passed to and from a card reader unit or other device without contact between the card and the card reader.
Smart Cards (continued)
- Smart card reader: activates and reads the contents of the chip on a smart card, usually passing the information on to a host system.
- Smart card operating system: a special system that handles file management, security, input/output (I/O), and command execution, and provides an application programming interface (API) for a smart card.
Stored-Value Cards
Stored-value card: a card that has monetary value loaded onto it and that is usually rechargeable.
Stored-value cards come in two varieties:
- Closed loop: single-purpose cards issued by a specific merchant or merchant group.
- Open loop: multipurpose cards that can be used to make debit transactions at a variety of retailers.
E-Micropayments
E-micropayments: small online payments, typically under $10. They can be handled using:
- Aggregation
- Direct payment
- Stored value
- Subscriptions
E-Checking
- E-check: a legally valid electronic version or representation of a paper check.
- Automated Clearing House (ACH) Network: a nationwide batch-oriented electronic funds transfer system that provides for the interbank clearing of electronic payments for participating financial institutions.
Mobile Payments
Mobile payment: payment transactions initiated or confirmed using a person's cell phone or smartphone.