
1 Chapter 19 Protecting E-Commerce systems

2 Is IT different?
- There is some discussion that IT today is no different than past enabling technologies
  - Telegraph
  - Electricity
  - Rail
  - TV
- Is IT becoming a commodity item?

3 Credit Cards
- Used for payment on the net
- In 70’s Mail Order Telephone Order (MOTO)
  - Retailer did not have card for inspection
  - Used expiration date as “password”
  - Delivery to cardholder’s address
  - Liability fully on the merchant

4 Forgery
- Skimming
  - Passing card through other device to capture data
  - Can catch by looking at where card used
- Skimming II
  - Do not bill for merchandise, save data, use a year later; no record of card being used at crooked merchant

5 Fraud detection
- Anomaly detection
- Travel patterns
- Patterns of misuse
- Profiling
- Bonuses for spotting fraud
- Online more difficult
  - Based on where transaction originated from
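A travel-pattern check of the kind this slide lists, as an added example that is not part of the original presentation: it flags consecutive uses of one card whose locations imply an impossible travel speed. The transaction records, the 900 km/h ceiling and the function names are assumptions; for online purchases the coordinates would have to come from where the transaction originated, which is why the slide calls that case more difficult.

```python
import math
from datetime import datetime

# Constructed sample transactions: (card_id, ISO timestamp, latitude, longitude, city)
SAMPLE_TXNS = [
    ("card-A", "2024-03-01T09:00:00", 40.7128, -74.0060, "New York"),
    ("card-A", "2024-03-01T12:30:00", 40.7357, -74.1724, "Newark"),
    ("card-A", "2024-03-01T13:15:00", 51.5074, -0.1278, "London"),
    ("card-B", "2024-03-01T08:00:00", 34.0522, -118.2437, "Los Angeles"),
    ("card-B", "2024-03-02T10:00:00", 41.8781, -87.6298, "Chicago"),
]

MAX_SPEED_KMH = 900.0  # assumed ceiling: roughly airliner cruise speed


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def flag_impossible_travel(txns, max_speed_kmh=MAX_SPEED_KMH):
    """Return (card_id, from_city, to_city, implied_kmh) for each consecutive
    pair of uses of one card that implies travel faster than max_speed_kmh."""
    last_seen = {}
    alerts = []
    # Timestamps share one ISO format, so sorting the strings sorts by time.
    for card, ts, lat, lon, city in sorted(txns, key=lambda t: (t[0], t[1])):
        when = datetime.fromisoformat(ts)
        if card in last_seen:
            p_when, p_lat, p_lon, p_city = last_seen[card]
            hours = (when - p_when).total_seconds() / 3600.0
            dist = haversine_km(p_lat, p_lon, lat, lon)
            # Same-instant uses in different places: treat the speed as infinite.
            speed = dist / hours if hours > 0 else (math.inf if dist > 1.0 else 0.0)
            if speed > max_speed_kmh:
                alerts.append((card, p_city, city, round(speed)))
        last_seen[card] = (when, lat, lon, city)
    return alerts


if __name__ == "__main__":
    for alert in flag_impossible_travel(SAMPLE_TXNS):
        print(alert)
```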

6 Online Credit Card Fraud
- SSL makes you “feel” better
- Most credit card theft not “in transit”
- Visa guide: http://usa.visa.com/download/business/accepting_visa/ops_risk_management/visa_risk_management_guide_ecommerce.pdf?it=search
- One-time virtual card numbers: http://www.citibank.com/us/cards/tour/cb/shp_van.htm

7 E-commerce site risks
Fraud ➔
◆ Customer uses a stolen card or account number to fraudulently purchase goods/services online.
◆ Family member uses bankcard to order goods/services online, but has not been authorized to do so.
◆ Customer falsely claims that he or she did not receive a shipment.
◆ Hackers find their way into an e-commerce merchant’s payment processing system and then issue credits to hacker card account numbers.

8 E-commerce site risks
Account Information Theft (Cyber-Thieves) ➔
◆ Hackers capture customer account data during transmission to/from merchant.
◆ Hackers gain access to service provider’s unprotected payment processing systems and steal cardholder account data.

9 E-commerce site risks
Account Information Theft (Physical Site) ➔
◆ Unauthorized individual accesses and steals cardholder data stored at merchant or service provider site and fraudulently uses or sells it for unauthorized use or identity theft purposes.
◆ Unscrupulous merchant or service provider employee steals cardholder data and fraudulently uses or sells it for unauthorized use or identity theft purposes.
◆ Dumpster-divers steal unshredded account information from trash bins at merchant or service provider location.

10 E-commerce site risks
Customer Disputes and Charge backs ➔
◆ Goods or services are not as described on the Website.
◆ Customer is billed before goods/services are shipped or delivered.
◆ Confusion and disagreement between customer and merchant over return and refund.
◆ Customer is billed twice for the same order and/or billed for an incorrect amount.
◆ Customer doesn’t recognize the merchant name on statement because merchant uses a service provider to handle billing.

11 Proper site design
- Credit card number only “exists” for a short period of time in an accessible location.
- Use of data pumps can assure it doesn’t move out to accessible location.
- http://www.securius.com/newsletters/Learn_to_Forget.html
- http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_Industry_Letter_to_Merchants.pdf
- http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf

12 B2B systems
- EDI
- Commercial
  - Lack of legal documents
- Healthcare
  - confidentiality

13 New techniques
- Hard to introduce
- For instance new payment method
  - Merchants need equipment
  - Customers must generate demand
- VHS versus Beta format
- Study of this in Metaverse (adopters)

14 IT Markets
- Technology high fixed cost, low marginal cost
- High costs to switch technologies leading to lock-in
- Value of product depends on how many adopt it.

15 Other issues
- Pricing
  - Free limited version, basic service, gold premium version
  - Free ups number using it, others make money
- Switching cost
  - Monthly charges match hassle of changing
- Trying to achieve monopolies
  - Microsoft passport
- XML makes comparison shopping BOTs easier to write
  - Special offers, errors spread rapidly

16 Specific Vulnerabilities
- Web
  - SQL Injection (covered)
  - XSS (Cross Site Scripting)
    - Not really cross site
    - Exploits of holes in site
    - Similar in concept to SQL injection, but inserts malicious code in variables
    - http://en.wikipedia.org/wiki/Cross-site_scripting
    - http://www.cgisecurity.com/articles/xss-faq.shtml
    - http://ha.ckers.org/xss.html
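What "inserts malicious code in variables" looks like on the server side, as an added example that is not part of the original presentation: a page renderer that pastes a request variable into its output, next to a version that encodes the variable for each context it lands in. The search-page markup, the `lastQuery` variable and the function names are assumptions made for illustration.

```python
import html
import json

# Constructed input: a "search term" request variable carrying markup instead of text.
UNTRUSTED = '"><script>alert(1)</script>'


def render_vulnerable(term):
    """Vulnerable: the request variable is pasted into the page as-is."""
    return '<p>Results for ' + term + '</p><input name="q" value="' + term + '">'


def render_hardened(term):
    """Hardened: the variable is encoded for the context it lands in."""
    body = html.escape(term, quote=False)   # HTML text node: & < >
    attr = html.escape(term, quote=True)    # quoted attribute value: also " and '
    # Inline script context: JSON-encode the string, then neutralise "<" so the
    # value cannot contain "</script>" and close the script block early.
    js = json.dumps(term).replace("<", "\\u003c")
    return ('<p>Results for ' + body + '</p>'
            '<input name="q" value="' + attr + '">'
            '<script>var lastQuery = ' + js + ';</script>')


if __name__ == "__main__":
    print(render_vulnerable(UNTRUSTED))
    print(render_hardened(UNTRUSTED))
```

Each output context needs its own encoding: HTML-escaping alone does not make a value safe inside a script block, and JSON-encoding alone does not make it safe inside an attribute.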

17 Articles
- SSL article
- Microsoft Passport from business perspective

18 Previous articles
- Firewall
  - http://en.wikipedia.org/wiki/Firewall_%28networking%29
  - http://www.firewall-software.com/firewall_faqs/types_of_firewall.html
  - http://www.vicomsoft.com/knowledge/pdfs/firewall_qa.pdf

19 Previous articles
- Passport
  - http://blogs.zdnet.com/Bott/?p=30
- Business “looks”
  - http://www.ciphertrust.com/resources/articles/articles/roi_4_intrusion.php
  - http://news.com.com/Insecure+networks+could+lead+to+lawsuits/2009-1033_3-940460.html

20 List of resources
- Credit card fraud
  - http://en.wikipedia.org/wiki/Credit_card_fraud
- MOTO
  - http://www.e-com.sbdc.com.au/e-trade/four/4.htm
  - http://usa.visa.com/download/business/accepting_visa/ops_risk_management/visa_risk_management_guide_ecommerce.pdf?it=search

21 List of resources
- Prevention
  - http://www.citibank.com/us/cards/tour/cb/shp_van.htm
- Fuzz testing
  - http://en.wikipedia.org/wiki/Fuzz_testing

