Published by Eileen Mosley. Modified over 8 years ago.
Slide 5-1: E-commerce 2014: business. technology. society. (tenth edition)
Kenneth C. Laudon and Carol Guercio Traver
Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall
Slide 5-2: Chapter 5: E-commerce Security and Payment Systems
Slide 5-3: Class Discussion: Cyberwar: MAD 2.0
- What is the difference between hacking and cyberwar?
- Why has cyberwar become more potentially devastating in the past decade?
- Why has Google been the target of so many cyberattacks?
- Is it possible to find a political solution to MAD 2.0?
Slide 5-4: The E-commerce Security Environment (Figure 5.1, Page 252)
Slide 5-5: Dimensions of E-commerce Security
- Integrity: ensures that information sent and received has not been altered by an unauthorized party
- Nonrepudiation: the ability to ensure that participants do not deny (repudiate) their online actions
- Authenticity: the ability to identify the person with whom you are dealing over the Internet
- Confidentiality: information is seen only by those authorized to view it
- Privacy: the ability to control who sees your information
- Availability: the e-commerce site functions as intended
Slide 5-6: Table 5.3, Page 254
Slide 5-7: The Tension Between Security and Other Values
- Ease of use: the more security measures are added, the more difficult a site is to use, and the slower it becomes
- Security costs money, and too much of it can reduce profitability
- Public safety and criminal uses of the Internet: use of technology by criminals to plan crimes or threaten nation-states
Slide 5-8: Security Threats in the E-commerce Environment
Three key points of vulnerability in the e-commerce environment:
1. Client
2. Server
3. Communications pipeline (Internet communications channels)
Slide 5-9: A Typical E-commerce Transaction (Figure 5.2, Page 256)
Slide 5-10: Vulnerable Points in an E-commerce Transaction (Figure 5.3, Page 257)
Slide 5-11: Most Common Security Threats in the E-commerce Environment
Malicious code (malware, exploits):
- Drive-by downloads: malware that comes with a downloaded file the user intentionally or unintentionally requested
- Viruses
- Worms: spread from computer to computer without human intervention
- Ransomware (scareware): used to solicit money from users by locking up your browser or files and displaying fake notices from the FBI, IRS, etc.
- Trojan horses: appear benign but are a way to introduce viruses into a computer system
Threats exist at both the client and server levels
Slide 5-12: Most Common Security Threats in the E-commerce Environment (cont.)
Malicious code (malware, exploits):
- Backdoors: introduced by viruses, worms, etc.; they allow an attacker to remotely access a computer
- Botnets: a collection of captured bot computers (zombies) used to send spam, launch DDoS attacks, steal information from computers, and store network traffic for later analysis
- Bots (as in robots): malicious code that can be covertly installed on a computer when it is connected to the Internet; once installed, they respond to external commands from the attacker
Slide 5-13: Most Common Security Threats (cont.)
- Potentially unwanted programs (PUPs); example: Vista Antispyware 2013, which infects computers running Vista
  - Browser parasites: change your computer settings
  - Adware: displays pop-up ads when you visit sites
  - Spyware: may be used to obtain information such as keystrokes, e-mail, IM, etc.
- Phishing
  - Social engineering: relies on human curiosity, greed, and gullibility to trick users into taking an action that results in downloading malware
  - E-mail scams
  - Spear-phishing: spear-phishing messages appear to come from a trusted source
  - Identity fraud/theft
Slide 5-14: Most Common Security Threats (cont.)
Hacking: hackers gain unauthorized access
- White hat: role is to help identify and fix vulnerabilities
- Black hat: intent on causing harm
- Grey hat: breaks in to expose flaws and report them without disrupting the company; they may even try to profit from the event
- Crackers: have criminal intent
- Hacktivists: are politically motivated (e.g., Greenpeace)
Slide 5-15: Most Common Security Threats (cont.)
- Cybervandalism: disrupting, defacing, or destroying a Web site
- Data breach: losing control over corporate information to outsiders
Slide 5-16: Insight on Business: Class Discussion: We Are Legion
- What organizational and technical failures led to the data breach on the PlayStation Network?
- Are there any positive social benefits of hacktivism?
- Have you or anyone you know experienced data breaches or cybervandalism?
Slide 5-17: Most Common Security Threats (cont.)
- Credit card fraud/theft
- Spoofing: attempting to hide a true identity by using someone else's e-mail or IP address
- Pharming: automatically redirecting a Web link to a fake address
- Spam (junk) Web sites (link farms): promise to offer products but are just full of ads
- Identity fraud/theft: unauthorized or illegal use of another person's data
- Denial of service (DoS) attack: hackers flood a site with useless traffic to overwhelm the network
- Distributed denial of service (DDoS) attack
Slide 5-18: Most Common Security Threats (cont.)
- Denial of service (DoS) attack: hackers flood a site with useless traffic to overwhelm the network
- Distributed denial of service (DDoS) attack: uses numerous computers to launch attacks on sites or computer systems; the attack comes from several locations
Slide 5-19: Most Common Security Threats (cont.)
- Sniffing: a sniffer is a type of eavesdropping program that monitors information traveling over a network
- Insider attacks: caused by employees
- Poorly designed server and client software: leads to SQL injection attacks, which take advantage of poorly coded applications that fail to validate data entered by Web users
- Zero-day vulnerability: a software vulnerability that is reported but for which no fix currently exists
- Social network security issues
Slide 5-20: Most Common Security Threats (cont.)
Mobile platform security issues:
- Vishing: targets gullible cell phone users with verbal messages to call
- Smishing: exploits SMS/text messages that may contain links and other personal information that may be exploited
- Madware: innocent-looking apps containing adware that launches pop-up ads and text messages on your mobile device (mobile + adware = madware)
Cloud security issues: for example, DDoS attacks threaten the availability and viability of cloud services
Slide 5-21: Insight on Technology: Class Discussion: Think Your Smartphone Is Secure?
- What types of threats do smartphones face?
- Are there any particular vulnerabilities to this type of device?
- Are apps more or less likely to be subject to threats than traditional PC software programs?
Slide 5-22: Technology Solutions: Protecting Internet communications
- Encryption: altering plain text so that it cannot be read by anyone other than the sender and receiver
- It provides security for 4 of the 6 security dimensions:
  - Integrity: by ensuring the message has not been tampered with
  - Nonrepudiation: by preventing users from denying they sent the message
  - Authentication: by verifying the identity of the person or computer sending the message
  - Confidentiality: by ensuring the message was not read by others
Slide 5-23: Types of Encryption
- Substitution cipher: letters of the message are replaced systematically by another letter
- Transposition cipher: ordering the letters in some systematic way, e.g., reverse order
- Symmetric key: both sender and receiver use the same key to encrypt and decrypt the message; the key is sent over a secure line or exchanged in person
- Data Encryption Standards: developed by IBM and NSA; now we have 128-, 192-, and 256-bit encryption; Google is coming out with 2048-bit keys
Slide 5-24: Symmetric Key Encryption
- Sender and receiver use the same digital key to encrypt and decrypt the message
- Requires a different set of keys for each transaction
- Strength of encryption: the length of the binary key used to encrypt the data
- Data Encryption Standard (DES)
- Advanced Encryption Standard (AES): most widely used symmetric key encryption; uses 128-, 192-, and 256-bit encryption keys
- Other standards use keys with up to 2,048 bits
Slide 5-25: Common Ways of Sending Keys
The establishment of symmetric keys can be performed in several ways:
- (Authenticated) key agreement (KA)
- Sending an (authenticated) encrypted key, also known as key wrapping
- Derivation from a base key using a key derivation function (KDF), using other data as input, for instance a unique number; if derivation is used for multiple devices it is often called key diversification
- Any kind of "out of band" procedure: a previous telephone call, sending a letter, meeting in a pub (handing over a USB stick or other data carrier)
- Creating a key from key parts held by different persons
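The KDF and key diversification items above, as an added example (not from the slides or the textbook): an HMAC-SHA256 counter-mode KDF, a construction chosen here for illustration rather than a specific standard, derives one key per device from a single master key and each device's unique serial number. The master key, the serial numbers and the `derive_key`/`diversify` names are constructed for this example.

```python
import hashlib
import hmac


def derive_key(base_key: bytes, context: bytes, length: int = 16) -> bytes:
    """Derive `length` bytes from base_key and a context value.

    Example KDF construction (HMAC-SHA256 in counter mode, not a specific
    standard): block_i = HMAC(base_key, counter_i || context).  HMAC is
    one-way, so a leaked derived key does not reveal base_key.
    """
    out = b""
    counter = 1
    while len(out) < length:
        block_input = counter.to_bytes(4, "big") + context
        out += hmac.new(base_key, block_input, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def diversify(master_key: bytes, device_serials):
    """Key diversification: one key per device from a single master key,
    using each device's unique serial number as the 'other data' input.
    The issuer need not store per-device keys; it re-derives them on demand."""
    return {
        serial: derive_key(master_key, b"device-key|" + serial.encode("ascii"))
        for serial in device_serials
    }


# Constructed sample values (not from the slides): a 32-byte master key and
# two device serial numbers.
MASTER_KEY = bytes(range(32))
SERIALS = ["SN-000123", "SN-000124"]

if __name__ == "__main__":
    for serial, key in diversify(MASTER_KEY, SERIALS).items():
        print(serial, key.hex())
```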
Slide 5-26: Public Key Encryption using Digital Signatures and Hash Digests
- Hash function: a mathematical algorithm that produces a fixed-length number called a message digest or hash digest
- The hash digest of the message is sent to the recipient along with the message to verify integrity
- The hash digest and message are encrypted with the recipient's public key
- The entire cipher text is then encrypted with the recipient's private key, creating a digital signature, for authenticity and nonrepudiation
Slide 5-27: Hashing
- It is possible for two different hash functions to generate identical hash values, but it is extremely unlikely
- For example, in Java, the hash code is a 32-bit integer
Slide 5-28: Types of Encryption
- Public key: there are two mathematically related keys, a public key and a private key; the private key is kept secret by the owner and the public key is disseminated to the public; both keys are used to encrypt and decrypt the message; once the keys are used, they can no longer be used to unencrypt the message; they are one-way, irreversible functions
- Hash function: creates a fixed-length number that replaces the original message; the hash is then used to recreate the message on the recipient side (Figure 5.7)
- Digital signature: a signed cipher text sent over the Internet
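The hash digest and digital signature mechanism of slides 5-26 to 5-28, as an added example (not code from the slides or the textbook). It uses SHA-256 for the fixed-length digest and a deliberately tiny textbook RSA keypair so the arithmetic is visible: the sender signs the digest with the sender's private key and the recipient checks it with the sender's public key, so any change to the message in transit makes the check fail. The order message, the prime search and the function names are constructed for this example.

```python
import hashlib
import math

E = 65537  # conventional RSA public exponent

def is_prime(n: int) -> bool:
    """Trial division: adequate for the ~20-bit toy primes used here."""
    return n >= 2 and all(n % k for k in range(2, int(n ** 0.5) + 1))

def next_prime(n: int) -> int:
    while not is_prime(n):
        n += 1
    return n

def make_toy_keypair():
    """Textbook RSA with two ~20-bit primes: large enough to show the
    mechanism, nowhere near the 2,048-bit keys mentioned on the slides."""
    p = next_prime(10 ** 6)
    q = next_prime(p + 1)
    while math.gcd(E, (p - 1) * (q - 1)) != 1:
        q = next_prime(q + 1)
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))   # private exponent
    return (n, E), (n, d)               # (public key, private key)

def hash_digest(message: bytes) -> str:
    """Fixed-length SHA-256 digest, sent along with the message."""
    return hashlib.sha256(message).hexdigest()

def digest_as_int(message: bytes, n: int) -> int:
    # The toy modulus is smaller than a SHA-256 value, so reduce the digest mod n
    # (a real scheme pads the digest up to the modulus size instead).
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message: bytes, private_key) -> int:
    """Sender signs the digest with the sender's private key."""
    n, d = private_key
    return pow(digest_as_int(message, n), d, n)

def verify(message: bytes, signature: int, public_key) -> bool:
    """Recipient recovers the digest with the sender's public key and compares
    it with a fresh digest of the message actually received."""
    n, e = public_key
    return pow(signature, e, n) == digest_as_int(message, n)

def demo():
    """Returns (signature valid on the original, signature valid on a tampered
    copy); the second is False because the digests no longer match."""
    public_key, private_key = make_toy_keypair()
    order = b"ship 1 item to 123 Main St, charge $10.00"        # constructed
    tampered = b"ship 1 item to 123 Main St, charge $10000.00"  # altered in transit
    sig = sign(order, private_key)
    return verify(order, sig, public_key), verify(tampered, sig, public_key)
```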
Slide 5-29: Types of Encryption (cont.)
- Digital envelope: uses symmetric encryption for large documents
- Digital certificate (DC): issued by a trusted third party known as a certification authority (CA); contains the subject name, public key, digital certificate serial number, expiration date, issuance date, and digital signature
- There are various types of certificates (personal, institutional, Web server, software publisher, and CA's)
- VeriSign, the post office, and the Federal Reserve issue certificates
- Public key infrastructure (PKI): when you sign into a secure site you see the "s" (https) or the lock, which means the site has a digital certificate issued by a CA
Slide 5-30: Technology Solutions: Securing channels of communication
- Secure Sockets Layer (SSL): a secure negotiated session is a client-server session in which the URL of the requested document, its contents, and cookies are encrypted through a series of communication handshakes between the computers; a unique symmetric encryption session key is chosen for each session
- VPNs: allow computers to communicate securely via tunneling, adding invisible encrypted wrappers around messages to hide their contents
Slide 5-31: Technology Solutions: Securing channels of communication; Protecting networks
- Firewalls: hardware or software that filters communication packets and prevents unauthorized access
- They filter traffic based on packets, IP address, type of service (http, www), domain name, etc.
- Two ways to validate traffic:
  - Packet filters examine whether packets are destined for a prohibited port or originate from one
  - Application gateways filter traffic based on the application being requested
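The two validation methods on this slide side by side, as an added example (not from the slides or the textbook): a default-deny packet filter that looks only at source address and destination port, followed by an application gateway that inspects the HTTP request itself. The policy values, the documentation-range addresses and the `Packet` type are constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_port: int
    payload: bytes = b""   # first bytes of application data, if any

# Constructed policy for an Internet-facing web server (example values, not
# from the slides). 203.0.113.0/24 is a documentation range standing in for
# a network the site has decided to block.
BLOCKED_SOURCES = [ip_network("203.0.113.0/24")]
ALLOWED_PORTS = {80, 443}        # public web service only
PROHIBITED_PORTS = {23, 3389}    # telnet and RDP must never be reachable
ALLOWED_HTTP_METHODS = {"GET", "HEAD", "POST"}

def packet_filter(pkt):
    """Packet filter: decides on source address and destination port alone.
    Returns (allowed, reason); anything not explicitly allowed is denied."""
    src = ip_address(pkt.src_ip)
    if any(src in net for net in BLOCKED_SOURCES):
        return False, "source network blocked"
    if pkt.dst_port in PROHIBITED_PORTS:
        return False, "prohibited destination port"
    if pkt.dst_port not in ALLOWED_PORTS:
        return False, "port not in allow list"
    return True, "packet filter ok"

def application_gateway(pkt):
    """Application gateway: inspects the request itself, so traffic on an
    allowed port is still rejected unless it is a permitted HTTP request.
    (Assumes the gateway sees plaintext, i.e. it terminates TLS for 443.)"""
    request_line = pkt.payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return False, "not an HTTP request"
    if parts[0] not in ALLOWED_HTTP_METHODS:
        return False, "HTTP method %s not permitted" % parts[0]
    return True, "application gateway ok"

def inspect(pkt):
    """Both stages in order; the gateway only sees what the filter passed."""
    ok, reason = packet_filter(pkt)
    if not ok:
        return "deny", reason
    ok, reason = application_gateway(pkt)
    return ("allow" if ok else "deny"), reason

# Constructed sample traffic (not real captures)
SAMPLE = [
    Packet("198.51.100.7", 80, b"GET /catalog HTTP/1.1\r\nHost: shop.example\r\n"),
    Packet("203.0.113.9", 80, b"GET /catalog HTTP/1.1\r\n"),   # blocked network
    Packet("198.51.100.7", 3389, b""),                           # prohibited port
    Packet("198.51.100.7", 80, b"TRACE / HTTP/1.1\r\n"),         # method not allowed
    Packet("198.51.100.7", 80, b"\x16\x03\x01not-http"),         # not HTTP at all
]
```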
Slide 5-32: Technology Solutions: Securing channels of communication; Protecting networks
- Proxy servers: software servers that handle communications by acting as a spokesperson and bodyguard for the organization; to local computers, proxy servers are known as a gateway, but to external servers they are known as a mail server; proxy servers sit between users and back-end systems; they may be used to restrict access by employees
Slide 5-33: Technology Solutions: Securing channels of communication; Protecting networks
- Intrusion detection systems (IDS): monitor traffic looking for patterns or preconfigured rules that may indicate an attack
- Intrusion prevention systems (IPS): prevent attacks by taking action to block the attack
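The IDS/IPS distinction on this slide, as an added example (not from the slides or the textbook), run over constructed web-server access-log lines: a signature rule for the SQL injection pattern of slide 5-19 and a threshold rule for the traffic flooding of slides 5-17 and 5-18 produce alerts (the IDS part), and the alerted sources become a block list (the IPS action). The log lines, thresholds, regexes and function names are constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import unquote

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)')
# Signature rule: a quote followed by an SQL keyword inside the request path.
SQLI_RE = re.compile(r"'\s*(or|and|union|--)", re.IGNORECASE)
# Threshold rule: this many requests from one source within the window.
FLOOD_THRESHOLD = 20
FLOOD_WINDOW_SEC = 10

def parse_line(line):
    """Combined-log-style line -> dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status, size = m.groups()
    return {"ip": ip, "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "method": method, "path": unquote(path), "status": int(status)}

def detect(lines):
    """IDS part: apply both rules and collect alerts.
    IPS part: turn the alerted sources into a block list.
    Returns (alerts, block_list)."""
    alerts, flooded = [], set()
    recent = defaultdict(deque)          # per-source timestamps in the window
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if SQLI_RE.search(rec["path"]):
            alerts.append(("sqli", rec["ip"], rec["path"]))
        q = recent[rec["ip"]]
        q.append(rec["time"])
        while (rec["time"] - q[0]).total_seconds() > FLOOD_WINDOW_SEC:
            q.popleft()
        if len(q) >= FLOOD_THRESHOLD and rec["ip"] not in flooded:
            flooded.add(rec["ip"])       # alert once per source, not per request
            alerts.append(("flood", rec["ip"], len(q)))
    return alerts, {ip for _, ip, _ in alerts}

def sample_log():
    """Constructed access-log lines (documentation IP ranges, not real traffic)."""
    base = '{ip} - - [10/Oct/2014:13:55:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 512'
    lines = [base.format(ip="198.51.100.7", sec=1, path="/product?id=7"),
             base.format(ip="198.51.100.9", sec=2, path="/product?id=7'%20OR%20'1'='1")]
    # one source sending 25 requests within 5 seconds
    lines += [base.format(ip="203.0.113.5", sec=10 + i // 5, path="/") for i in range(25)]
    return lines
```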
Slide 5-34: Tools Available to Achieve Site Security (Figure 5.5, Page 276)
Slide 5-35: Public Key Cryptography: A Simple Case (Figure 5.6, Page 279)
Slide 5-36: Public Key Cryptography with Digital Signatures (Figure 5.7, Page 281)
Slide 5-37: Creating a Digital Envelope (Figure 5.8, Page 282)
Slide 5-38: Digital Certificates and Certification Authorities (Figure 5.9, Page 283)
Slide 5-39: Limits to Encryption Solutions
- Doesn't protect storage of the private key
- PKI is not effective against insiders and employees
- Protection of private keys by individuals may be haphazard
- No guarantee that the merchant's verifying computer is secure
- CAs are unregulated, self-selecting organizations
Slide 5-40: Secure Negotiated Sessions Using SSL/TLS (Figure 5.10, Page 286)
Slide 5-41: Firewalls and Proxy Servers (Figure 5.11, Page 289)
Slide 5-42: Protecting Servers and Clients
- Operating system security enhancements: upgrades, patches
- Anti-virus software: the easiest and least expensive way to prevent threats to system integrity; requires daily updates
Slide 5-43: Management Policies, Business Procedures, and Public Laws
- Worldwide, companies spend more than $65 billion on security hardware, software, and services
- Managing risk includes: technology; effective management policies; public laws and active enforcement
Slide 5-44: A Security Plan: Management Policies
- Risk assessment
- Security policy
- Implementation plan
- Security organization
- Access controls
- Authentication procedures, including biometrics
- Authorization policies, authorization management systems
- Security audit: provides the ability to audit access logs for security breaches and unauthorized use
Slide 5-45: Developing an E-commerce Security Plan (Figure 5.12, Page 291)
Slide 5-46: The Role of Laws and Public Policy
- Laws that give authorities tools for identifying, tracing, and prosecuting cybercriminals: National Information Infrastructure Protection Act of 1996; USA PATRIOT Act; Homeland Security Act
- Private and private-public cooperation: CERT Coordination Center; US-CERT
- Government policies and controls on encryption software: OECD, G7/G8, Council of Europe, Wassenaar Arrangement
Slide 5-47: Types of Payment Systems
- Cash: most common form of payment; instantly convertible into other forms of value; no float
- Checking transfer: second most common payment form in the United States
- Credit card: credit card associations (Visa, MasterCard); issuing banks; processing centers are clearing houses
Slide 5-48: Types of Payment Systems (cont.)
- Stored value: funds deposited into an account, from which funds are paid out or withdrawn as needed (PayPal); debit cards, gift certificates; peer-to-peer payment systems (PayPal)
- Accumulating balance: accounts that accumulate expenditures and to which consumers make periodic payments; utility, phone, American Express accounts
Slide 5-49: Payment System Stakeholders
- Consumers: low risk, low cost, refutable, convenience, reliability
- Merchants: low risk, low cost, irrefutable, secure, reliable
- Financial intermediaries: secure, low risk, maximizing profit
- Government regulators: security, trust, protecting participants and enforcing reporting
Slide 5-50: E-commerce Payment Systems
- Credit cards: 42% of online payments in 2013 (United States)
- Debit cards: 29% of online payments in 2013 (United States)
- Limitations of online credit card payment: security, merchant risk; cost; social equity
Slide 5-51: How an Online Credit Transaction Works (Figure 5.15, Page 302)
Slide 5-52: Alternative Online Payment Systems
- Online stored value systems: based on value stored in a consumer's bank, checking, or credit card account; example: PayPal
- Other alternatives: Amazon Payments, Google Checkout, Bill Me Later, WUPay, Dwolla, Stripe
Slide 5-53: Mobile Payment Systems
- Use of mobile phones as payment devices is established in Europe, Japan, and South Korea
- Near field communication (NFC): short-range (2") wireless for sharing data between devices
- Expanding in the United States: Google Wallet (mobile app designed to work with NFC chips), PayPal, Square
Slide 5-54: Digital Cash and Virtual Currencies
- Digital cash: based on an algorithm that generates unique tokens that can be used in the "real" world; example: Bitcoin
- Virtual currencies: circulate within an internal virtual world; examples: Linden Dollars in Second Life, Facebook Credits
Slide 5-55: Insight on Society: Class Discussion: Bitcoin
- What are some of the benefits of using a digital currency?
- What are the risks involved to the user?
- What are the political and economic repercussions of a digital currency?
- Have you or anyone you know ever used Bitcoin?
Slide 5-56: Electronic Billing Presentment and Payment (EBPP)
- Online payment systems for monthly bills
- 50% of all bill payments
- Two competing EBPP business models: biller-direct (the dominant model); consolidator or third party, like your bank
- Both models are supported by EBPP infrastructure providers
57
Copyright © 2014 Pearson Education, Inc. Publishing as Prentice HallSlide 5-57
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.