Published by Frederick Andrews. Modified over 7 years ago.
Chapter 5: E-commerce Security and Payment Systems
We Are Legion
It was believed to be revenge for Sony's lawsuits against George Hotz.
The most common security breaches result from:
- Management failure to anticipate well-known risks
- Unwillingness to pay for expensive security measures
- Lack of training and outdated software
Most Common Security Threats (cont.)
- Credit card fraud/theft
- Spoofing: attempting to hide one's true identity by using someone else's (for example, an IP address)
- Pharming: automatically redirecting a Web link to a fake address
- Spam (junk) Web sites (link farms): promise to offer products but are just full of ads
- Identity fraud/theft: unauthorized or illegal use of another person's data
Most Common Security Threats (cont.)
- Denial of service (DoS) attack: hackers flood a site with useless pings or page requests to overwhelm the site's Web server; involves the use of bot networks and attacks built from compromised customer computers
- Distributed denial of service (DDoS) attack: uses numerous computers to launch attacks on sites or computer systems; the attack comes from several locations
- In August 2012, WikiLeaks, a site dedicated to the release of classified information, was hit by a DDoS attack in the 10 Gbps range, with the IP addresses involved coming from thousands of computers
Most Common Security Threats (cont.)
- Sniffing: a sniffer is a type of eavesdropping program that monitors information traveling over a network; it can help identify trouble spots in a network, or it can enable hackers to steal proprietary information
- Insider attacks caused by employees: employees of banking and e-commerce sites have access to privileged information
- Poorly designed server and client software leads to SQL injection attacks, which take advantage of poorly coded applications that fail to validate data entered by Web users; an attacker can use this input validation error to send a query to the SQL database for access, to plant malicious code, or to gain access to other systems on the network
- Zero-day vulnerability: a software vulnerability that was not previously disclosed, leaving software authors zero days in which to create a patch that mitigates it; no current fix exists
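The SQL injection point above is easiest to see with the defect and its fix side by side. The following is an added example, not code from the presentation or the textbook it summarizes; the users table and the login inputs are constructed for the demo. The first login function builds the query by string concatenation (the "fails to validate data entered by web users" pattern), the second binds the same input as a parameter, and the demo shows that the same quote-containing input changes the first query's meaning while the second treats it as data.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed sample data (assumption): a small in-memory users table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "customer"), ("admin", "s3cret", "admin")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    # The defect the slide describes: form input is pasted straight into the SQL text,
    # so the database cannot distinguish the user's data from the query itself.
    sql = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone()


def login_parameterized(conn: sqlite3.Connection, username: str, password: str):
    # The fix: placeholders bind the input as data, whatever characters it contains.
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def demo() -> dict:
    conn = build_db()
    # A quote character in the password field is the classic input-validation failure:
    # concatenated, it turns the WHERE clause into a condition that is always true.
    tautology = "' OR '1'='1"
    return {
        "good_login": login_parameterized(conn, "alice", "correct horse"),
        "vulnerable_hit": login_vulnerable(conn, "alice", tautology),   # a row comes back
        "parameterized_hit": login_parameterized(conn, "alice", tautology),  # None
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

Parameter binding is the fix, not input filtering: escaping quotes by hand is fragile, while a bound parameter never becomes part of the SQL grammar at all.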
Most Common Security Threats (cont.)
- Social network security issues
- Mobile platform security issues: the first malicious iPhone app was discovered and removed from the iTunes store
- Vishing: targets innocent cell phone users with verbal messages to call a certain number
- Smishing: exploits SMS/text messages that may contain links and other personal information that can be exploited
- Madware: innocent-looking apps containing adware that launches pop-up ads and text messages on your mobile device (mobile + adware = madware)
Most Common Security Threats (cont.)
- Cloud security issues; for example, DDoS attacks threaten the availability and viability of cloud services
- Due to a software bug in 2011, all users' files in Dropbox were publicly available for 4 hours
- To combat this issue, Dropbox introduced two-factor authentication, such as a password coupled with a separately generated code
Tools Available to Achieve Site Security (Figure 5.5)
Technology Solutions: Protecting Internet Communications
Encryption: altering plain text so that it cannot be read by anyone other than the sender and receiver. It provides security for 4 of the 6 security dimensions:
- Integrity, by ensuring the message has not been tampered with
- Nonrepudiation, by preventing users from denying they sent the message
- Authentication, by verifying the identity of the person or computer sending the message
- Confidentiality, by ensuring the message was not read by others
Types of Encryption
- Substitution cipher: letters of the message are replaced systematically by another letter
- Transposition cipher: the letters are reordered in some systematic way; e.g., in reverse order, 'Hello' is transposed as 'OLLEH'
- Symmetric key: both sender and receiver use the same secret cipher (key) to encrypt and decrypt the message; the key is sent over a secure line or exchanged in person
- Data Encryption Standard (DES) was developed by IBM and NSA in 1950; DES uses a 56-bit encryption key
Symmetric Key Encryption
- Triple DES: encrypts three times, each time with a separate key
- Advanced Encryption Standard (AES): the most widely used symmetric key encryption; uses 128-, 192-, and 256-bit encryption keys
- In 2013, Google announced that it would upgrade its SSL certificates to 2,048-bit keys
Public Key Encryption
Uses two mathematically related digital keys:
- Public key (widely disseminated)
- Private key (kept secret by its owner)
A one-way, irreversible mathematical function is used, so the input cannot be derived from the output. Both keys are used to encrypt and decrypt messages: once a key has been used to encrypt a message, the same key cannot be used to decrypt it. The sender uses the recipient's public key to encrypt a message; the recipient uses his or her private key to decrypt it.
Public Key Cryptography: A Simple Case (Figure 5.8)
Public Key Encryption Using Digital Signatures and Hash Digests
- Hash function: a mathematical algorithm that produces a fixed-length number called a message digest or hash digest
- The hash digest of the message is sent to the recipient along with the message to verify integrity
- The hash digest and message are encrypted with the recipient's public key
- The entire cipher text is then encrypted with the recipient's private key, creating a digital signature, for authenticity and nonrepudiation
Public Key Cryptography with Digital Signatures (Figure 5.7)
Hashing
It is possible for two different inputs to produce identical hash values, but it is extremely unlikely. For example, in Java, the hash code is a 32-bit integer.
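The three slides above (public key encryption, digital signatures with hash digests, and hashing) fit in one small worked example. This is added code, not from the presentation or its textbook: textbook RSA with no padding, built on two fixed Mersenne primes so the run is deterministic. Such a key is for teaching only; real keys use randomly generated primes of about 1024 bits or more, and real signatures use a padding scheme. The signing step here follows the standard scheme in which the sender's private key signs the digest and anyone holding the sender's public key verifies it. The example shows the property the slides state, that a message encrypted with one key of the pair can only be recovered with the other, and that changing a single character of a signed message changes its SHA-256 digest and so breaks the signature.

```python
import hashlib

# Fixed textbook primes (assumption: a teaching key, NOT a secure one; both primes are
# public Mersenne primes, so anyone can factor this modulus).
P = 2**521 - 1
Q = 2**127 - 1
E = 65537   # public exponent; coprime to (P-1)(Q-1)


def make_keypair():
    n = P * Q
    phi = (P - 1) * (Q - 1)
    d = pow(E, -1, phi)          # private exponent: E * d == 1 (mod phi)
    return (n, E), (n, d)        # (public key, private key)


def encrypt(public_key, m: int) -> int:
    # Anyone can encrypt with the public key ...
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer smaller than the modulus")
    return pow(m, e, n)


def decrypt(private_key, c: int) -> int:
    # ... but only the holder of the matching private key can reverse it.
    n, d = private_key
    return pow(c, d, n)


def digest(message: bytes) -> int:
    # Fixed-length hash digest of an arbitrary-length message, as an integer.
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(private_key, message: bytes) -> int:
    # The signer applies the private key to the digest, not to the whole message.
    n, d = private_key
    return pow(digest(message), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    # The verifier recomputes the digest and checks it against the "decrypted" signature.
    n, e = public_key
    return pow(signature, e, n) == digest(message)


if __name__ == "__main__":
    pub, priv = make_keypair()
    order = b"Transfer $100 to account 42"
    sig = sign(priv, order)
    print("signature verifies:", verify(pub, order, sig))
    print("tampered message verifies:", verify(pub, order.replace(b"100", b"1000"), sig))
    secret = 123456789
    print("decrypt(encrypt(m)) == m:", decrypt(priv, encrypt(pub, secret)) == secret)
```

The hashing slide's point appears in the tampered check: the two messages differ in one digit, but their digests are unrelated, so the old signature no longer matches.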
Types of Encryption
- Public key: there are two mathematically related keys, a public key and a private key. The private key is kept secret by its owner and the public key is disseminated to the public. Both keys are used to encrypt and decrypt the message; once a key has been used to encrypt, it can no longer be used to decrypt that message. They are one-way, irreversible functions.
- Hash function: creates a fixed-length number that replaces the original message; the hash is then used to recreate the message on the recipient side (Fig. 5.7)
- Digital signature: a signed cipher text sent over the Internet
Types of Encryption
- Digital envelope: uses symmetric encryption for large documents
- Digital certificate (DC): issued by a trusted third party known as a certification authority (CA); contains the subject name, public key, digital certificate serial number, expiration date, issuance date, and digital signature
- There are various types of certificates (personal, institutional, Web server, software publisher, and CA)
- VeriSign, the post office, and the Federal Reserve issue certificates
- Public key infrastructure (PKI): when you sign into a secure site you see the "s" or the lock, which means the site has a digital certificate issued by a CA
Technology Solutions: Securing Channels of Communication
- Secure Sockets Layer (SSL): a secure negotiated session is a client-server session in which the URL of the requested document, its contents, and cookies are encrypted through a series of communication handshakes between computers. A unique symmetric encryption session key is chosen for each session.
- VPNs allow computers to communicate securely via tunneling, by adding invisible encrypted wrappers around messages to hide their contents.
Technology Solutions: Securing Channels of Communication
Protecting networks
- Firewalls are hardware or software that filter communication packets and prevent unauthorized access
- They filter traffic based on packets, IP address, type of service (http, www, domain name, etc.)
- Two ways to validate traffic:
  - Packet filters examine whether packets are destined for a prohibited port or originate from one
  - Application gateways filter traffic based on the application being requested
Technology Solutions: Securing Channels of Communication
Protecting networks
- Proxy servers are software servers that handle communications by acting as a spokesperson and bodyguard for the organization. To local computers, a proxy server is known as a gateway, but to external servers it is known as a mail server. Proxy servers sit between users and back-end systems. They may be used to restrict access by employees.
Technology Solutions: Securing Channels of Communication
Protecting networks
- Intrusion detection systems (IDS) monitor traffic looking for patterns or preconfigured rules that may indicate an attack
- Intrusion prevention systems (IPS) prevent attacks by taking action to block the attack
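An IDS of the kind described above does two things: match traffic against preconfigured signatures, and notice volume patterns such as the request flooding of the DoS/DDoS slide. The following added example (not code from the presentation, and not any IDS product's rule set) runs both checks over constructed Web-server access-log lines: two signature patterns for request paths, and a sliding-window counter that raises one alert per source that sends more than a threshold of requests inside the window. The log lines, IP addresses and thresholds are all constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache-style access-log line: client IP, timestamp, request line, status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Signature rules (assumption: two illustrative patterns, not a production rule set).
SIGNATURES = {
    "sqli_tautology": re.compile(r"(%27|')(%20|\s)*or(%20|\s)+", re.IGNORECASE),
    "path_traversal": re.compile(r"\.\./|%2e%2e%2f", re.IGNORECASE),
}


def parse(line: str):
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {"ip": ip, "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "method": method, "path": path, "status": int(status)}


def detect(lines, window_seconds: int = 60, max_requests: int = 100):
    # Returns (rule, source_ip, detail) tuples: a signature hit for every matching request,
    # and a single rate_flood alert per source that exceeds max_requests in the window.
    alerts, recent, flooded = [], defaultdict(list), set()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue                      # unparseable line: skip rather than crash the sensor
        for name, pattern in SIGNATURES.items():
            if pattern.search(rec["path"]):
                alerts.append((name, rec["ip"], rec["path"]))
        times = recent[rec["ip"]]         # sliding window of recent timestamps per source
        times.append(rec["time"])
        while (rec["time"] - times[0]).total_seconds() > window_seconds:
            times.pop(0)
        if len(times) > max_requests and rec["ip"] not in flooded:
            flooded.add(rec["ip"])
            alerts.append(("rate_flood", rec["ip"],
                           f"{len(times)} requests in {window_seconds}s"))
    return alerts


def sample_log():
    # Constructed sample traffic: a normal visitor, one tautology probe on the login page,
    # and one source sending 150 requests in about eight seconds.
    t0 = datetime(2023, 10, 10, 13, 55, 36, tzinfo=timezone.utc)

    def line(ip, offset, path):
        when = (t0 + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{when}] "GET {path} HTTP/1.1" 200 1043'

    lines = [line("203.0.113.5", 0, "/index.html"),
             line("198.51.100.7", 1, "/login?user=admin'%20OR%20'1'='1"),
             line("203.0.113.5", 2, "/cart")]
    lines += [line("192.0.2.9", 3 + i // 20, "/search?q=x") for i in range(150)]
    return lines


if __name__ == "__main__":
    for alert in detect(sample_log()):
        print(alert)
```

Two caveats the slide's one-line definition hides: signature matching is only as good as its decoding (the pattern above has to handle both a literal quote and its `%27` URL-encoded form), and a per-source rate threshold catches a single flooding host but not a distributed attack whose sources each stay under the threshold, which is why DDoS defense moves to aggregate-traffic and upstream filtering rather than per-IP rules.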
Tools Available to Achieve Site Security (Figure 5.5, Page 276)
Public Key Cryptography: A Simple Case (Figure 5.6, Page 279)
Public Key Cryptography with Digital Signatures (Figure 5.7, Page 281)
Creating a Digital Envelope (Figure 5.8, Page 282)
Digital Certificates and Certification Authorities
- The user sends his or her public key to the CA
- The CA verifies the key, generates a message digest, and signs it with the CA's public key, producing a unique cipher text
- Public key infrastructure (PKI): an accepted set of procedures relating to the CAs and digital certification
Limits to Encryption Solutions
- Doesn't protect storage of the private key
- PKI is not effective against insiders and employees
- Protection of private keys by individuals may be haphazard
- In one case, VeriSign issued two digital certificates to someone fraudulently claiming to be from Microsoft
- No guarantee that the merchant's verifying computer is secure
- CAs are unregulated, self-selecting organizations
Secure Negotiated Sessions Using SSL/TLS
Web sites change from http to https for sessions using the SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols.
Protecting Communication Using SSL/TLS
SSL services include:
- Data encryption
- Server authentication
- Client authentication
- Message integrity
SSL/TLS cannot provide irrefutability. For instance, even though SSL/TLS is used on Facebook and Twitter, using the Firesheep add-on for Firefox, hackers can collect user information from unencrypted cookies and revisit the Web site immediately.
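The Firesheep case above is a session cookie leaking over a plaintext connection even though the login itself used SSL/TLS; the server-side fix is in the attributes the site puts on its Set-Cookie header. As an added example (not code from the presentation, and the headers are constructed for the demo), here is a small audit that parses Set-Cookie header values and reports the attributes a defender expects on a session cookie: Secure, so the browser never sends it over plain http where a sniffer can read it; HttpOnly, so page scripts cannot read it; and SameSite, so it is not attached to cross-site requests.

```python
def parse_set_cookie(header_value: str) -> dict:
    # Split "name=value; Attr; Attr=val" into the cookie and a lower-cased attribute map.
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip():
            attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_cookie(header_value: str) -> list:
    # Findings a defender would raise for a session cookie; an empty list means hardened.
    attrs = parse_set_cookie(header_value)["attrs"]
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: also sent over plain http, readable by a sniffer")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by scripts running in the page")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: attached to cross-site requests")
    return findings


def audit_response(set_cookie_values: list) -> dict:
    # Map each cookie name to its findings, for all Set-Cookie values in one response.
    return {parse_set_cookie(v)["name"]: audit_cookie(v) for v in set_cookie_values}


# Constructed sample response headers (assumption): the same session cookie issued
# without and with the protective attributes.
SAMPLE_SET_COOKIES = [
    "sid_weak=abc123; Path=/",
    "sid_strong=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
]

if __name__ == "__main__":
    for name, findings in audit_response(SAMPLE_SET_COOKIES).items():
        print(name, "->", findings or ["ok"])
```

The Secure flag only helps if the site also serves every page over https; a site that still has plain http pages will never set the cookie on them, which is the other half of the fix that sites made after Firesheep.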
VPN and Wireless Networks
Virtual Private Networks (VPNs)
- Secure remote log-on to a corporate LAN via the Internet
- Establish an inexpensive and secure line between business partners
- Use authentication and encryption for security
- The process of connecting one protocol through another (IP) is called tunneling
Wireless (Wi-Fi) Networks
- Encryption uses the AES (Advanced Encryption Standard) algorithm for the Wi-Fi Protected Access (WPA2) standard
Firewalls and Proxy Servers
- Hardware/software filters check IP addresses, ports, services, or domain names and safeguard the communication
- Proxy servers are also known as dual-homed systems (a gateway to internal computers and a mail server to external ones)
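The packet-filter approach from the "Protecting networks" slide and this recap is a rule table matched against each packet's addresses and ports. The following is an added example, not code from the presentation or any firewall product: a first-match-wins rule list with a default deny, evaluated over constructed packets. The rule set assumes a public Web server at 10.0.0.10 and a database at 10.0.0.20 that should only be reachable from inside; every address is a documentation or private range chosen for the demo.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src: str = "0.0.0.0/0"           # any source
    dst: str = "0.0.0.0/0"           # any destination
    dst_port: Optional[int] = None   # None = any port
    proto: Optional[str] = None      # None = any protocol

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and (self.dst_port is None or self.dst_port == pkt.dst_port)
                and (self.proto is None or self.proto == pkt.proto))


# Constructed rule set (assumption): order matters, first match wins, default deny.
RULES = [
    Rule("deny", src="203.0.113.0/24"),                                  # blocked source range
    Rule("allow", dst="10.0.0.10/32", dst_port=443),                     # public HTTPS
    Rule("allow", dst="10.0.0.10/32", dst_port=80),                      # public HTTP
    Rule("allow", src="10.0.0.0/8", dst="10.0.0.20/32", dst_port=3306),  # DB only from inside
]


def decide(pkt: Packet, rules=RULES) -> str:
    # Walk the table in order; a packet that matches no rule is dropped (default deny),
    # which is what makes a "prohibited port" prohibited: it simply has no allow rule.
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


if __name__ == "__main__":
    for pkt in [Packet("198.51.100.4", "10.0.0.10", 443),
                Packet("198.51.100.4", "10.0.0.20", 3306),
                Packet("10.1.2.3", "10.0.0.20", 3306),
                Packet("203.0.113.9", "10.0.0.10", 443)]:
        print(pkt, "->", decide(pkt))
```

The ordering is the part that goes wrong in practice: the deny for the blocked range must precede the allow for port 443, or the allow matches first. The application-gateway approach the slide lists is the complement to this: it inspects the request itself (which application, which command) rather than only the packet header, which a packet filter cannot do.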
Protecting Servers and Clients
- Operating system security enhancements: upgrades, patches
- Anti-virus software: the easiest and least expensive way to prevent threats to system integrity; requires daily updates
Management Policies, Business Procedures, and Public Laws
- Worldwide, companies spend more than $65 billion on security hardware, software, and services
- Managing risk includes: technology, effective management policies, and public laws with active enforcement
A Security Plan: Management Policies
- Risk assessment
- Security policy
- Implementation plan
- Security organization
- Access controls
- Authentication procedures, including biometrics (e.g., Touch ID on the iPhone 5S for purchases from iTunes and iBooks)
- Authorization policies, authorization management systems
- Security audit: provides the ability to audit access logs for security breaches and unauthorized use
Five Steps Involved in Developing an E-commerce Security Plan (Figure 5.12, Page 291)
Five Types of Payment Systems
- Cash: the most common form of payment; instantly convertible into other forms of value; no float (the period of time between purchase and actual payment) and no transaction processing fee; requires neither special hardware nor an existing account
- Checking transfer: the second most common payment form in the United States
- Credit card: issuing banks, credit card associations (VISA, MasterCard); processing centers are clearing houses
Types of Payment Systems (cont.)
- Stored value: funds deposited into an account, from which funds are paid out or withdrawn as needed (PayPal); debit cards, gift cards; peer-to-peer payment systems (PayPal)
- Accumulating balance: accounts that accumulate expenditures and to which consumers make periodic payments; utility, phone, and American Express accounts
Payment System Stakeholders
- Consumers: interested in low risk, low cost, refutability (the ability to repudiate or deny a payment), convenience, and reliability
- Merchants: low risk, low cost, irrefutable, secure, reliable
- Financial intermediaries: act as intermediary for secure, low-risk payments while maximizing profit
- Government regulators: security, trust, protecting participants, and enforcing reporting (Regulation E places more risk on ATM cards in the US)
E-commerce Payment Systems
- Credit cards: expected to grow to $640 billion of online payments by 2017 in the United States
- Debit cards: 29% of online payments in 2013 (United States)
- Limitations of online credit card payment: security, merchant risk; cost; social equity (not always affordable for all due to low income and credit risk)
How an Online Credit Transaction Works (Figure 5.15, Page 302)
Alternative Online Payment Systems
- Online stored value systems: based on value stored in a consumer's bank, checking, or credit card account; example: PayPal
- Other alternatives: Amazon Payments (for buying from unfamiliar retailers through a trusted party), Google Checkout (single sign-in for online stores), Bill Me Later (for users avoiding giving out credit information), WUPay, Dwolla, Stripe
Mobile Payment Systems
- Use of mobile phones as payment devices is established in Europe, Japan, and South Korea
- Near field communication (NFC): short-range (2") wireless for sharing data between devices; a connection requires one powered unit and one unpowered target that responds
- Expanding in the United States: Google Wallet (a mobile app designed to work with NFC chips), PayPal, Square
Digital Cash and Virtual Currencies
- Digital cash: based on an algorithm that generates unique tokens that can be used in the "real" world; example: Bitcoin (encrypted numbers tied to the open market and generated by a computer algorithm using a peer-to-peer network); requires only a 34-character alphanumeric number
- Virtual currencies: circulate within an internal virtual world; examples: Linden Dollars in Second Life, Facebook Credits for purchasing virtual goods
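The "34-character alphanumeric number" above is a Bitcoin address in Base58Check form: a version byte and a 20-byte hash, followed by a 4-byte checksum (the first four bytes of SHA-256 applied twice), all encoded in an alphabet that omits the easily confused characters 0, O, I and l. The following is an added example, not code from the presentation: a decoder and checksum validator, which is the check a payment application runs before sending funds so that a mistyped or corrupted address is rejected rather than paid. The test address is the well-known address from Bitcoin's first (genesis) block, a public value, not a constructed one.

```python
import hashlib

# Base58 alphabet: digits and letters without 0, O, I and l.
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(text: str) -> bytes:
    # Interpret the string as a base-58 integer, then restore leading zero bytes:
    # each leading '1' in the text stands for one 0x00 byte.
    num = 0
    for ch in text:
        if ch not in B58:
            raise ValueError(f"invalid base58 character {ch!r}")
        num = num * 58 + B58.index(ch)
    body = num.to_bytes((num.bit_length() + 7) // 8, "big") if num else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def is_valid_address(addr: str) -> bool:
    # Base58Check: 25 bytes = version(1) + hash160(20) + checksum(4),
    # where checksum = SHA256(SHA256(version + hash160))[:4].
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return checksum == expected


if __name__ == "__main__":
    genesis = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
    print(genesis, "valid:", is_valid_address(genesis))
    typo = genesis[:-1] + "b"
    print(typo, "valid:", is_valid_address(typo))
```

The checksum protects against transcription errors, not against fraud: a correctly formed address that belongs to the wrong party validates just as well, which is one reason the slide's "risks to the user" question has no simple answer.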
Bitcoin
- What are some of the benefits of using a digital currency?
- What are the risks involved to the user?
- What are the political and economic repercussions of a digital currency?
- Have you or anyone you know ever used Bitcoin?
Electronic Billing Presentment and Payment (EBPP)
- Online payment systems for monthly bills: 50% of all bill payments
- Two competing EBPP business models: biller-direct (the dominant model), and consolidator or third party, such as your bank
- Both models are supported by EBPP infrastructure providers