Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

Published byUtami Kartawijaya Modified over 5 years ago

Similar presentations

Presentation on theme: "Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall"— Presentation transcript:

1 Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

2 Chapter 5 E-commerce Security and Payment Systems
Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

3 Cyberwar: MAD 2.0 What is the difference between hacking and cyberwar?
Why has cyberwar become more potentially devastating in the past decade? Why has Google been the target of so many cyberattacks? Is it possible to find a political solution to MAD 2.0? Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

4 The E-commerce Security Environment
Figure 5.1, Page 252 Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

5 Dimensions of E-commerce Security
Integrity ensures that info sent and received has not been altered by unauthorized party Nonrepudiation ability to ensure that participants do not deny (repudiate) their online actions Authenticity ability to identify the person’s identity with whom you are dealing with over the internet Confidentiality authorized to be seen by those who should view it Privacy ability to control who sees your info Availability e-commerce site functions as intended Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

6 Table 5.3, Page 254 Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

7 The Tension Between Security and Other Values
Ease of use The more security measures added, the more difficult a site is to use, and the slower it becomes Security costs money and too much of it can reduce profitability Public safety and criminal uses of the Internet Use of technology by criminals to plan crimes or threaten nation-state Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

8 Security Threats in E-commerce Environment
Three key points of vulnerability in e-commerce environment: Client Server Communications pipeline (Internet communications channels) Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

9 A Typical E-commerce Transaction
Figure 5.2, Page 256 Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

10 Vulnerable Points in an E-commerce Transaction
Figure 5.3, Page 257 Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

11 Most Common Security Threats in the E-commerce Environment
Malicious code (malware, exploits) Drive-by downloads malware that comes with a downloaded file the user intentionally or unintentionally request Viruses Worms spread from computer to comp without human intervention Ransomware (scareware) used to solicit money from users by locking up your browser or files and displaying fake notices from FBI or IRS etc Trojan horses appear benign but is a way to introduce viruses into a computer system Threats at both client and server levels

12 Most Common Security Threats in the E-commerce Environment
Malicious code (malware, exploits) Backdoors introduce viruses, worms, etc. that allow an attacker to remotely access a computer Botnets are a collection of captured bot computers or zombies used to send spam, DDoS attacks, steal information from computers, and store network traffic for later analysis. Bots, as in robots, are malicious code that can be covertly installed on a computer when connected to the internet. Once installed, they respond to external commands from the attacker Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

13 Most Common Security Threats (cont.)
Potentially unwanted programs (PUPs) Example Vista antispyware 2013 infects computers running Vista Browser parasites changes your computer settings Adware displays calls for pop-up ads when you visit sites Spyware may be used to obtain information such as keystrokes, , IM etc. Phishing Social engineering relies on human curiosity, greed, and gullibility to trick users into taking action that results into downloading malware scams Spear-phishing spear phishing messages appear to come from a trusted source Identity fraud/theft Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

14 Most Common Security Threats (cont.)
Hacking Hackers gain unauthorized access White hat role is to help identify and fix vulnerabilities Black hat intent on causing hard Grey hat breaks in to expose flaws and report them without disrupting the company. They may even try to profit from the event Crackers have criminal intent Hacktivist are politically motivated (Green Peace) Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

15 Most Common Security Threats (cont.)
Cybervandalism: Disrupting, defacing, destroying Web site Data breach Losing control over corporate information to outsiders Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

16 Are there any positive social benefits of hacktivism?
We Are Legion What organization and technical failures led to the data breach on the PlayStation Network? Are there any positive social benefits of hacktivism? Have you or anyone you know experienced data breaches or cybervandalism? Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

17 Most Common Security Threats (cont.)
Credit card fraud/theft Spoofing involves attempting to hide a true identity by using someone else’s or IP address Pharming automatically directing a web link to a fake address Spam (junk) Web sites (link farms) promise to offer products but are just full of ads Identity fraud/theft involves unauthorized/illegal use of another person’s data Denial of service (DoS) attack Hackers flood site with useless traffic to overwhelm network Distributed denial of service (DDoS) attack Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

18 Most Common Security Threats (cont.)
Denial of service (DoS) attack Hackers flood site with useless traffic to overwhelm network Distributed denial of service (DDoS) attack uses numerous computers to launch attacks on sites or computers systems. The attack comes from several locations Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

19 Most Common Security Threats (cont.)
Sniffing, a sniffer is a type of eavesdropping program that monitors information traveling over a network Insider attacks caused by employees Poorly designed server and client software leads to SQL injection attacks by taking advantage of poorly coded applications that fails to validate data entered by web users Zero-Day vulnerability software vulnerability that is reported or unreported but no current fix exists Social network security issues like forgetting to log out, connecting with strangers, exposing too much information Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

20 Most Common Security Threats (cont.)
Mobile platform security issues Vishing works like phishing but does not always occur over the Internet and is carried out using voice technology. A vishing attack can be conducted by voice , VoIP (voice over IP), or landline or cellular telephone. Smishing exploits SMS/text messages that may contain links and other personal info that may be exploited Madware is innocent looking apps containing adware that launches pop-up ads and text messages on you mobile device (mobile + adware = madware) Cloud security issues example, DDoS attacks threaten the availability and viability of cloud services Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

21 Think Your Smartphone Is Secure?
What types of threats do smartphones face? Are there any particular vulnerabilities to this type of device? Are apps more or less likely to be subject to threats than traditional PC software programs? Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

22 Technology Solutions Protecting Internet communications
Encryption altering plain text so that it cannot be read by anyone other than the sender & receiver It provides security for 4 of 6 security dimensions Integrity by ensuring the messages has not been tampered with Nonrepudiation by preventing users from denying they sent the message Authentication by verifying the person’s identity or computer sending the message Confidentiality by ensuring the message was not read by others Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

23 Types of Encryption Cipher is disguised way of writing; a code where letters of the message are replaced systematically by another letter Transportation cipher ordering the letters in some systematic way e.g., reverse order, or 2 letters ahead Symmetric key both sender and receiver use the same key to encrypt and decrypt the message. The key is sent over a secure line or exchanged in person Data Encryption Stds developed by IBM and NSA; now we have 128, 192, and 256 bit encryption Google coming out with 2048 bit keys Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

24 Symmetric Key Encryption
Sender and receiver use same digital key to encrypt and decrypt message Requires sophisticated mechanisms to securely distribute the secret-key to both parties Requires different set of keys for each transaction Strength of encryption Length of binary key used to encrypt data Data Encryption Standard (DES) Advanced Encryption Standard (AES) Most widely used symmetric key encryption Uses 128, 192, and 256-bit encryption keys Other standards use keys with up to 2,048 bits Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

25 Common ways of Sending of Keys
The establishment of symmetric keys can be performed in several ways: Authenticated Key Agreement (KA) is the ability to construct a key, agree on it, and then validate it. Sending of an (authenticated) encrypted key, also known as key wrapping Derivation from a base key using a Key Derivation Function (KDF), using other data as input, for instance a unique number. If derivation is used for multiple devices it is often called key diversification. Ways to send or exchange keys, by a previous telephone call sending a letter meeting in a pub (handing over a USB stick or other data carrier) Creating a key from key parts held by different persons Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

26 Public Key Encryption using Digital Signatures and Hash Digests
Hash function is any function that can be used to map data of arbitrary size to data of fixed size. The values returned by a hash function are called hash values, hash codes, digests, or simply hashes. The output is often shorter than the input. Hash digest of message is sent to recipient along with a message to verify integrity Hash digest and message encrypted with recipient’s public key Example of hash algorithm: Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

27 Public Key Encryption using Digital Signatures and Hash Digests
Entire cipher text is then encrypted with recipient’s private key — creating digital signature — for authenticity, nonrepudiation digital signature is a type of electronic signature that encrypts documents with digital codes that are particularly difficult to duplicate Example of WEP generator: Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

28 Hashing Possible two different hash functions generate identical hash values but extremely unlikely For example, in Java, the hash code is a 32-bit integer. Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

29 Types of Encryption Public Key there are two mathematically related keys, a public key and private key. Private key kept secretly by owner and public key disseminated to the public. Both keys are used to encrypt and decrypt the message. Once the keys are used, they can no longer be used to unencrypt the message. They are one-way irreversible functions. Hash function creates a fixed length number that replaces the original message, then the hash is used to recreate the message on the recipient side (fig 5.7) Digital signature is a signed cipher text sent over the internet Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

30 Types of Encryption Digital envelope uses symmetric encryption for large docs Digital certificate (DC) issues by trusted 3rd party known as certification authority that contains (the subject name, public key, digital cert serial #, exp date, issuance date and digital signature) There are various types of certs (personal, institutional, web server, software publ, and Certificate Authority (CA)) Verisign, post office, Fed Reserve issue certs Key infrastructure (PKI) when you sign into a secure site you see the “s” or the lock which means the site has a digital certificate issued by a CA Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

31 Technology Solutions Securing channels of communication
Secure Socket Layer; a secure negotiated session is a client server session in which the URL of the requested doc, its contents, and cookies are encrypted through a series of communication handshakes between computers. A unique symmetric encryption session key is chosen for each session VPNs allow computers to securely communicate via tunneling by adding invisible encrypted wrappers around messages to hide their contents

32 Technology Solutions Securing channels of communication
Protecting networks Firewalls are hard/software that filters comm packets and prevent unauthorized access They filter traffic based on packets, IP address, type of service http, www, domain name etc 2 Ways to validate traffic Packet filters examine whether they are destined for a prohibited port or originate from one App gateway filters traffic based on the app being requested Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

33 Technology Solutions Proxy servers are software servers that handle comm by acting as a spokesperson and body guard for the organization. To local computers, proxy servers are known as a gateway, but to external servers known as mail server. Proxy servers sit betw users and back end systems. They may be used to restrict access by employees. Securing channels of communication Protecting networks

34 Technology Solutions Securing channels of communication
Protecting networks Intrusion detection systems IDS monitor traffic looking for patterns or preconfigured rules that may indicate an attack IPS (prevention) prevents attacks by taking action to block the attack Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

35 Tools Available to Achieve Site Security
Figure 5.5, Page 276 Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

36 Public Key Cryptography: A Simple Case
Figure 5.6, Page 279 Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

37 Public Key Cryptography with Digital Signatures
Figure 5.7, Page 281 Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

38 Creating a Digital Envelope
Figure 5.8, Page 282 Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

39 Digital Certificates and Certification Authorities
Figure 5.9, Page 283 Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

40 Limits to Encryption Solutions
Doesn’t protect storage of private key PKI not effective against insiders, employees Protection of private keys by individuals may be haphazard No guarantee that verifying computer of merchant is secure CAs are unregulated, self-selecting organizations Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

41 Secure Negotiated Sessions Using SSL/TLS
Figure 5.10, Page 286 Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

42 Firewalls and Proxy Servers
Figure 5.11, Page 289 Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

43 Protecting Servers and Clients
Operating system security enhancements Upgrades, patches Anti-virus software Easiest and least expensive way to prevent threats to system integrity Requires daily updates Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

44 Management Policies, Business Procedures, and Public Laws
Worldwide, companies spend more than $65 billion on security hardware, software, services Managing risk includes: Technology Effective management policies Public laws and active enforcement Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

45 A Security Plan: Management Policies
Risk assessment Security policy Implementation plan Security organization Access controls Authentication procedures, including biometrics Authorization policies, authorization management systems Security audit provides ability to audit access logs for security breaches and unauthorized use Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

46 Developing an E-commerce Security Plan
Figure 5.12, Page 291 Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

47 The Role of Laws and Public Policy
Laws that give authorities tools for identifying, tracing, prosecuting cybercriminals: National Information Infrastructure Protection Act of 1996 USA Patriot Act Homeland Security Act Private and private-public cooperation Community Emergency Response Team (CERT) Coordination Center US-Computer Emergency Response Team (US-CERT) Government policies and controls on encryption software OECD, G7/G8, Council of Europe, Wassener Arrangement Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

48 Types of Payment Systems
Cash Most common form of payment Instantly convertible into other forms of value No float Checking transfer Second most common payment form in United States Credit card Credit card associations (VISA, Mastercard) Issuing banks Processing centers are clearing houses. Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

49 Types of Payment Systems (cont.)
Stored value Funds deposited into account, from which funds are paid out or withdrawn as needed (PayPal) Debit cards, gift certificates Peer-to-peer payment systems (PayPal) Accumulating balance Accounts that accumulate expenditures and to which consumers make period payments Utility, phone, American Express accounts Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

50 Payment System Stakeholders
Consumers Low-risk, low-cost, refutable, convenience, reliability Merchants Low-risk, low-cost, irrefutable, secure, reliable Financial intermediaries Secure, low-risk, maximizing profit Government regulators Security, trust, protecting participants and enforcing reporting Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

51 E-commerce Payment Systems
Credit cards 42% of online payments in 2013 (United States) Debit cards 29% online payments in 2013 (United States) Limitations of online credit card payment Security, merchant risk Cost Social equity Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

52 How an Online Credit Transaction Works
Figure 5.15, Page 302 Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

53 Alternative Online Payment Systems
Online stored value systems: Based on value stored in a consumer’s bank, checking, or credit card account Example: PayPal Other alternatives: Amazon Payments Google Checkout Bill Me Later WUPay, Dwolla, Stripe Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

54 Mobile Payment Systems
Use of mobile phones as payment devices established in Europe, Japan, South Korea Near field communication (NFC) Short-range (2”) wireless for sharing data between devices Expanding in United States Google Wallet Mobile app designed to work with NFC chips PayPal Square Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

55 Digital Cash and Virtual Currencies
Based on algorithm that generates unique tokens that can be used in “real” world Example: Bitcoin Virtual currencies Circulate within internal virtual world Example: Linden Dollars in the virtual world called Second Life, Facebook Credits Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

56 Bitcoin What are some of the benefits of using a digital currency?
What are the risks involved to the user? What are the political and economic repercussions of a digital currency? Have you or anyone you know ever used Bitcoin? Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

57 Electronic Billing Presentment and Payment (EBPP)
Online payment systems for monthly bills 50% of all bill payments Two competing EBPP business models: Biller-direct (dominant model) Consolidator or 3rd party like your bank Both models are supported by EBPP infrastructure providers Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

58 Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

Download ppt "Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall"

Similar presentations

Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses.

Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses.
Copyright © 2013 Pearson Education, Inc.

Copyright © 2013 Pearson Education, Inc.
Copyright © 2009 Pearson Education, Inc. Publishing as Prentice HallCopyright © 2009 Pearson Education, Inc. Slide 5-1 Online Security and Payment Systems.

Copyright © 2009 Pearson Education, Inc. Publishing as Prentice HallCopyright © 2009 Pearson Education, Inc. Slide 5-1 Online Security and Payment Systems.
E-commerce: business. technology. society.

E-commerce: business. technology. society.
The Ecommerce Security Environment For most law-abiding citizens, the internet holds the promise of a global marketplace, providing access to people and.

The Ecommerce Security Environment For most law-abiding citizens, the internet holds the promise of a global marketplace, providing access to people and.
Chapter 5 Security and Encryption

Chapter 5 Security and Encryption
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.

Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
Copyright © 2015 Pearson Education, Inc.

Copyright © 2015 Pearson Education, Inc.
Copyright © 2004 Pearson Education, Inc. Slide 5-1 E-commerce Kenneth C. Laudon Carol Guercio Traver business. technology. society. Second Edition.

Copyright © 2004 Pearson Education, Inc. Slide 5-1 E-commerce Kenneth C. Laudon Carol Guercio Traver business. technology. society. Second Edition.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
Copyright © 2002 Pearson Education, Inc. Slide 5-1 PERTEMUAN 8.

Copyright © 2002 Pearson Education, Inc. Slide 5-1 PERTEMUAN 8.
Chapter 5 E-commerce Security and Payment Systems.

Chapter 5 E-commerce Security and Payment Systems.
Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall
Lecture 11 Electronic Business (MGT-485). Recap – Lecture 10 Transaction costs Network Externalities Switching costs Critical mass of customers Pricing.

Lecture 11 Electronic Business (MGT-485). Recap – Lecture 10 Transaction costs Network Externalities Switching costs Critical mass of customers Pricing.
Copyright © 2012 Pearson Education, Inc.

Copyright © 2012 Pearson Education, Inc.
Lecture 12 Electronic Business (MGT-485). Recap – Lecture 11 E-Commerce Security Environment Security Threats in E-commerce Technology Solutions.

Lecture 12 Electronic Business (MGT-485). Recap – Lecture 11 E-Commerce Security Environment Security Threats in E-commerce Technology Solutions.
Securing Information Systems

Securing Information Systems
Copyright © 2007 Pearson Education, Inc. Slide 5-1 E-commerce Kenneth C. Laudon Carol Guercio Traver business. technology. society. Second Edition.

Copyright © 2007 Pearson Education, Inc. Slide 5-1 E-commerce Kenneth C. Laudon Carol Guercio Traver business. technology. society. Second Edition.

Similar presentations

Ads by Google