
Page 1: Lesson 05 E-commerce Security and Payments · The process of transforming plain text or data into cipher text that cannot be read by anyone other than the sender and the receiver

Lesson 05

E-commerce Security and Payments

ISM 41113, Electronic Commerce

By:

S. Sabraz Nawaz

Senior Lecturer in MIT

Department of MIT

Faculty of Management and Commerce, SEUSL

Page 2

ANTHEM DATA BREACH

• Anthem Insurance Inc. was the victim of a massive cyber attack in February 2015. Attackers executed a very sophisticated attack to gain unauthorized access to the company's IT systems, which held a database of some 80 million people, and obtained personally identifiable information relating to its consumers and employees.

• The information accessed included:

• Names,

• Birthdays,

• Social security numbers,

• Email addresses

• Employment information, including income data

• The hackers gained access to Anthem's data by stealing the network credentials of at least five of its employees with high-level IT access.

• The path may have been "Phishing", in which a fraudulent e-mail could have been used to trick employees into revealing their network ID and password, or into unknowingly downloading software code that gives the hackers long-term access to Anthem’s IT environment.

• The company informed millions of its affected customers of the massive data breach that potentially exposed the personal information of its former as well as current customers.

• Anthem appointed Mandiant, the world's leading cyber security organization, to evaluate the scenario and provide the necessary solutions.

ISM 41113: E-Commerce, By S. Sabraz Nawaz, Slide 5-2

Page 3

INTERNET SECURITY

• No single “magic bullet” solution exists for Internet security any more than for general societal security. With respect to payment systems, the key point is that the Web has not created completely new methods of payment, although it has changed how methods of payment are implemented.

• Web consumers predominantly use credit cards for purchases, and efforts to move consumers away from their credit cards have generally failed.

• The primary exception to this is PayPal, which still relies on the stored value provided by credit cards or checking accounts.

Page 4

INTERNET SECURITY

• For law-abiding citizens, the Internet holds the promise of a huge and convenient global marketplace, providing access to people, goods, services, and businesses world-wide, all at a bargain price

• For criminals, the Internet has created entirely new and lucrative ways to steal from the more than 1 billion Internet consumers.

Page 5

THE E-COMMERCE SECURITY ENVIRONMENT

• To achieve the highest degree of security possible, new technologies are available and should be used. But these technologies by themselves do not solve the problem

• Organizational policies and procedures are required to ensure the technologies are not undermined.

• Industry standards and government laws are required to enforce payment mechanisms, as well as to investigate and prosecute violators of laws.

Page 6

DIFFERENT DIMENSIONS OF E-COMMERCE SECURITY

• Integrity: the ability to ensure that information being displayed on a Web site or transmitted or received over the Internet has not been altered in any way by an unauthorized party

• Nonrepudiation: the ability to ensure that e-commerce participants do not deny their online actions

• Authenticity: the ability to verify the identity of a person or entity with whom you are dealing on the Internet

• Confidentiality: the ability to ensure that messages and data are available only to those who are authorized to view them

• Privacy: the ability to control the use of information a customer provides about himself or herself to an e-commerce merchant

• Availability: the ability to ensure that an e-commerce site continues to function as intended.

Page 7

Dimensions of E-Commerce Security

Page 8

Security Threats in the E-commerce Environment

• From a technology perspective, there are three key points of vulnerability in the e-commerce environment: the client, the server, and the Internet communications channels.


A Typical E-commerce Transaction

Page 9

Vulnerable Points in an E-commerce Transaction

Slide 9 (7/18/2016)

Page 10

MOST COMMON SECURITY THREATS IN THE E-COMMERCE ENVIRONMENT

• The most common and most damaging forms of security threats to e-commerce consumers and site operators are:

• Malicious code (malware)

• Potentially unwanted programs

• Phishing and identity theft

• Hacking and cyber-vandalism

• Credit card fraud / theft

• Spoofing (pharming) and spam (junk) Web sites

• Denial of Service (DoS)

• Sniffing

• Insider attacks, poorly designed server and client software

• Social networking issues

• Mobile platform security issues

• Cloud security issues

Page 11

MOST COMMON SECURITY THREATS IN THE E-COMMERCE ENVIRONMENT

• MALICIOUS CODE (malware): the term used to describe any code in any part of a software system that is intended to cause undesired effects, security breaches or damage to a system.

• Drive-by downloads: Malware that comes with a downloaded file that a user requests.

• Viruses: A computer virus is a malware program that, when executed, replicates by inserting copies of itself into other computer programs, data files, or the boot sector of the hard drive; when this replication succeeds, the affected areas are then said to be "infected".

• Worms: A computer worm is a standalone malware program that replicates itself in order to spread to other computers. Often, it uses a computer network to spread itself, relying on security failures on the target computer to access it.

• Trojan Horse: Appears to be harmless, but then does something other than expected. It is not itself a virus because it does not replicate, but it is often a way for viruses to be introduced into a system.

• Bots (short for Robots): A type of malicious code that can be covertly installed on computers attached to the Internet. Once installed, the bot responds to external commands sent by the attacker; the computer can then be controlled by a third party.

Page 12

MOST COMMON SECURITY THREATS IN THE E-COMMERCE ENVIRONMENT

• POTENTIALLY UNWANTED PROGRAMS: programs that install themselves on a computer, typically without the user's informed consent. These programs are increasingly found on social networking sites and user-generated content sites, where users are fooled into downloading them.

• Adware: Typically used to call for pop-up ads to display when the user visits certain sites; while annoying, adware is not typically used for criminal activities.

• Browser Parasite: A program that can monitor and change the settings of a user's browser, for example changing the browser's homepage or sending information about the sites visited to a remote computer.

• Spyware: A program used to obtain information such as a user's keystrokes, e-mail, instant messages, screenshots and so on.

Page 13

MOST COMMON SECURITY THREATS IN THE E-COMMERCE ENVIRONMENT

• PHISHING is the act of sending an e-mail to a user while falsely claiming to be a legitimate enterprise, in an attempt to cheat the user into surrendering private information that will be used for identity theft.

• IDENTITY THEFT is the fraudulent practice of using another person's name and personal information in order to obtain credit, loans, etc.

• Social Engineering: Relies on human curiosity as well as greed in order to trick people into taking an action that will result in the downloading of malware.

• Phishing attacks do not involve malicious code but instead rely on straightforward misrepresentation and fraud, so-called social engineering techniques.

• The most popular form is the e-mail scam letter (a fraudulent e-mail).

• Some pretend to be eBay, PayPal or others writing to you for "account verification".

• Clicking on a link in the e-mail takes you to a website controlled by the scammer, where you enter your confidential details such as account numbers and PIN codes, etc.

Page 14

MOST COMMON SECURITY THREATS IN THE E-COMMERCE ENVIRONMENT

• HACKING is gaining unauthorized access to data in a system or computer, and CYBER-VANDALISM is intentionally disrupting, defacing or even destroying a site.

• Hacker: an individual who intends to gain unauthorized access to a computer system.

• White hats are good hackers who help organizations locate and fix security flaws; they do their work with agreement from clients.

• Black hats are hackers who act with the intention of causing harm.

• Grey hats discover weaknesses in a system's security and then publish the weakness without disrupting the site; their only reward is the prestige of discovering the weakness.

Page 15

MOST COMMON SECURITY THREATS IN THE E-COMMERCE ENVIRONMENT

• CREDIT CARD THEFT is one of the most feared occurrences on the Internet. Fear that credit card information will be stolen prevents users from making online purchases.

• SPOOFING (PHARMING) AND SPAM (JUNK) WEB SITES. Spoofing is misrepresenting oneself by using fake e-mail addresses or masquerading (pretending) as someone else. Spam web sites promise to offer some product or service but in fact are a collection of advertisements for other sites, some of which contain malicious code. These web sites appear in search results and cloak their identities by using domain names similar to legitimate firm names.

• DENIAL OF SERVICE (DoS) ATTACK: Flooding a web site with useless traffic to drown and overwhelm the network. DoS attacks typically cause a web site to shut down, making it impossible for other users to access the site.

Page 16

MOST COMMON SECURITY THREATS IN THE E-COMMERCE ENVIRONMENT

• SNIFFING: A sniffer is a type of eavesdropping program that monitors information traveling over a network.

• INSIDER ATTACKS: The largest financial threats to business institutions come not from robberies but from the misappropriation of funds by insiders.

• POORLY DESIGNED SERVER AND CLIENT SOFTWARE: Many security threats prey on poorly designed server and client software, sometimes in the operating system and sometimes in the application software, including browsers.

• SOCIAL NETWORK SECURITY ISSUES: Social network sites like Facebook, Twitter, and LinkedIn provide a rich and rewarding environment for hackers. Viruses, identity theft, phishing, etc. are all found on social networks.

• MOBILE PLATFORM SECURITY ISSUES: Mobile users are filling their devices with personal and financial information, making them excellent targets for hackers.

• CLOUD SECURITY ISSUES: The move of so many Internet services into the cloud also raises security risks. Safeguarding data being maintained in a cloud environment is also a major concern.

Page 17

TECHNOLOGY SOLUTIONS

Page 18

TECHNOLOGY SOLUTIONS

• A great deal of progress has been made by private security firms, corporate and home users, network administrators, technology firms, and government agencies.

Page 19

PROTECTING INTERNET COMMUNICATIONS

ENCRYPTION:

• The process of transforming plain text or data into cipher text that cannot be read by anyone other than the sender and the receiver.

• The purpose of encryption is a) to secure stored information and b) to secure information transmission.

• Encryption can provide four of the six key dimensions of e-commerce security

• Message integrity: provides assurance that the message has not been altered

• Nonrepudiation: prevents the user from denying he or she sent the message

• Authentication: provides verification of the identity of the person (or computer) sending the message

• Confidentiality: gives assurance that the message was not read by others

Page 20

PROTECTING INTERNET COMMUNICATIONS

ENCRYPTION…

• The transformation of plain text into cipher text is accomplished by using a key or cipher.

• A key or cipher is any method for transforming plain text into cipher text

• Ancient Egyptian commercial records were encrypted using substitution and transposition ciphers.

• Substitution cipher: every occurrence of a given letter is replaced systematically by another letter

• Transposition cipher: the ordering of the letters in each word is changed in some systematic way
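As an added illustration of the two classical cipher families on this slide (example code written for these notes, not part of the original lecture), the following Python implements a keyword-based substitution cipher and a columnar transposition cipher, plus a letter-frequency count that shows why a simple substitution is easy to break: the ciphertext keeps the plaintext's letter statistics. The keyword SECURITY and the key ZEBRA are constructed sample values.

```python
import string
from collections import Counter
from typing import Dict, List

ALPHABET = string.ascii_uppercase


def make_substitution_table(keyword: str) -> Dict[str, str]:
    """Keyed substitution alphabet: the keyword's letters (deduplicated) come first,
    then the remaining letters of the alphabet in their normal order."""
    ordered: List[str] = []
    for ch in keyword.upper() + ALPHABET:
        if ch in ALPHABET and ch not in ordered:
            ordered.append(ch)
    return dict(zip(ALPHABET, ordered))


def substitution_encrypt(plain: str, keyword: str) -> str:
    """Every occurrence of a letter is replaced by its partner; other characters pass through."""
    table = make_substitution_table(keyword)
    return "".join(table.get(c, c) for c in plain.upper())


def substitution_decrypt(cipher: str, keyword: str) -> str:
    inverse = {v: k for k, v in make_substitution_table(keyword).items()}
    return "".join(inverse.get(c, c) for c in cipher.upper())


def _column_order(key: str) -> List[int]:
    # Columns are read out in alphabetical order of the key letters; ties keep left-to-right order.
    key = key.upper()
    return sorted(range(len(key)), key=lambda i: (key[i], i))


def transposition_encrypt(plain: str, key: str) -> str:
    """Columnar transposition: write the letters in rows under the key, pad the last row
    with X, then read the columns out in key order. Only the ordering of letters changes."""
    letters = "".join(c for c in plain.upper() if c in ALPHABET)
    cols = len(key)
    letters += "X" * (-len(letters) % cols)
    rows = [letters[i:i + cols] for i in range(0, len(letters), cols)]
    return "".join(row[i] for i in _column_order(key) for row in rows)


def transposition_decrypt(cipher: str, key: str) -> str:
    """Refill the grid column by column in key order, then read it back row by row."""
    cols = len(key)
    nrows = len(cipher) // cols
    grid = [[""] * cols for _ in range(nrows)]
    pos = 0
    for col in _column_order(key):
        for r in range(nrows):
            grid[r][col] = cipher[pos]
            pos += 1
    return "".join("".join(row) for row in grid)


def letter_frequencies(text: str) -> Counter:
    """Counts per letter. Under a substitution cipher the ciphertext histogram is the
    plaintext histogram with the letters relabelled, which is why frequency analysis
    recovers the key so quickly on a computer."""
    return Counter(c for c in text.upper() if c in ALPHABET)


if __name__ == "__main__":
    print(substitution_encrypt("HELLO", "SECURITY"))        # YRFFJ
    print(transposition_encrypt("HELLO WORLD", "ZEBRA"))    # ODLREOLLHW
    print(letter_frequencies(substitution_encrypt("HELLO", "SECURITY")).most_common(2))
```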

Page 21

PROTECTING INTERNET COMMUNICATIONS

SYMMETRIC KEY ENCRYPTION:

• In order to decipher the messages, the receiver would have to know the secret cipher (key) that was used to encrypt the plain text.

• Both the sender and the receiver use the same key to encrypt and decrypt the message. This is also called secret key encryption.

• Sender and receiver have to have the same key; they need to send the key over some communication media or exchange in person.

• Common flaws:

• Computers today can break this encryption quickly

• Both parties have to share the same key and key may be sent via insecure medium

Page 22

PROTECTING INTERNET COMMUNICATIONS

PUBLIC KEY ENCRYPTION

• This solves the problem of exchanging keys.

• Two mathematically related digital keys are used: a public key and a private key.

• The private key is kept secret by the owner, and the public key is widely disseminated.

• E.g.: When Mr. A wants to send a secure message to Mr. B, he uses B's public key to encrypt the message. Mr. B then uses his private key to decrypt it.

• Once one key of the pair has been used to encrypt a message, that same key cannot be used to decrypt the message.

• The mathematical algorithms used to produce the keys are one-way, irreversible mathematical functions: once the algorithm is applied, the input cannot subsequently be derived from the output.

Page 23

Public Key cryptography – a simple case

Page 24

PROTECTING INTERNET COMMUNICATIONS

DIGITAL ENVELOPES:

• If one uses 128- or 256-bit keys to encode large documents, public key encryption becomes computationally slow and more time is needed to process the data.

• Symmetric key encryption is computationally faster but has a weakness: the key must be sent over an insecure medium.

• The solution is the Digital Envelope: a technique that uses symmetric encryption for large documents, but public key encryption to encrypt and send the symmetric key. So we have a key within a key (the digital envelope).

• E.g.: an encrypted report and its digital envelope are sent across the web. The recipient first uses his/her private key to decrypt the symmetric key, then uses that key to decrypt the report.
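The digital envelope described above, and the public-key exchange between Mr. A and Mr. B on the earlier slide, as an added worked example (written for these notes, not the lecturer's code). Assumptions: a textbook RSA key pair built from two Mersenne primes (a toy-sized modulus chosen so the arithmetic stays visible), and a SHA-256 keystream XOR standing in for a real symmetric cipher such as AES; the report text is a constructed sample.

```python
import hashlib
import os
from typing import Any, Dict, Tuple

# Toy RSA parameters: 2^31-1 and 2^61-1 are Mersenne primes, giving a ~92-bit modulus.
# Far too small for real use, but enough to show the key-within-a-key mechanism.
P_DEMO = 2**31 - 1
Q_DEMO = 2**61 - 1
E = 65537
SESSION_KEY_LEN = 8  # a 64-bit session key keeps its integer form below the toy modulus


def make_keypair(p: int, q: int) -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """Return ((n, e), (n, d)): the public key is widely shared, the private key kept secret."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)  # modular inverse of e (Python 3.8+)
    return (n, E), (n, d)


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR the data with a SHA-256 keystream derived from the key.
    The same call encrypts and decrypts, the defining property of symmetric encryption."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = hashlib.sha256(key + (offset // 32).to_bytes(8, "big")).digest()
        chunk = data[offset:offset + 32]
        out.extend(b ^ k for b, k in zip(chunk, keystream))
    return bytes(out)


def seal(document: bytes, recipient_public: Tuple[int, int]) -> Dict[str, Any]:
    """Digital envelope: encrypt the (possibly large) document with a fresh symmetric
    session key, then encrypt only that short key with the recipient's public key."""
    n, e = recipient_public
    session_key = os.urandom(SESSION_KEY_LEN)
    body = stream_xor(session_key, document)
    wrapped_key = pow(int.from_bytes(session_key, "big"), e, n)
    return {"wrapped_key": wrapped_key, "body": body}


def open_envelope(envelope: Dict[str, Any], recipient_private: Tuple[int, int]) -> bytes:
    """Recipient first recovers the session key with the private key, then decrypts the body."""
    n, d = recipient_private
    key_int = pow(envelope["wrapped_key"], d, n)
    if key_int >= 1 << (8 * SESSION_KEY_LEN):
        # A private key that does not match the public key used to seal cannot unwrap it.
        raise ValueError("wrapped key does not unwrap under this private key")
    session_key = key_int.to_bytes(SESSION_KEY_LEN, "big")
    return stream_xor(session_key, envelope["body"])


if __name__ == "__main__":
    pub, priv = make_keypair(P_DEMO, Q_DEMO)
    report = b"Quarterly sales report (constructed sample, not real data). " * 20
    env = seal(report, pub)
    assert open_envelope(env, priv) == report
    print("envelope round trip ok; body bytes:", len(env["body"]))
```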

Page 25

Public Key cryptography – Creating digital envelope

Page 26

PROTECTING INTERNET COMMUNICATIONS

DIGITAL CERTIFICATES:

• A solution to address misrepresentation online. How do we know that people or institutions are who they claim to be?

• Before you place an order on Amazon, you want to be sure that it is really Amazon.com you have on the computer screen, and not a spoofer misrepresenting itself as Amazon.

• Digital certificates solve this problem of digital identity. A digital certificate is a digital document issued by a trusted third-party institution known as a certification authority (CA), such as VeriSign.

• Public key infrastructure (PKI) refers to the CAs and digital certificate procedures accepted by all parties.

Page 27

SECURING CHANNELS OF COMMUNICATION

SECURE SOCKETS LAYER (SSL) AND TRANSPORT LAYER SECURITY:

• The most common form of securing channels is through SSL and TLS protocols.

• When you communicate with a web server through a secure channel, it means you are using SSL/TLS to establish a secure session.

• Secure Session is a client-server session in which the URL of the requested document and contents are encrypted.

• You can notice that the HTTP changes to HTTPS.

Page 28

SECURING CHANNELS OF COMMUNICATION

VIRTUAL PRIVATE NETWORKS (VPN):

• VPN is a network that is constructed by using public wires — usually the Internet — to connect to a private network, such as a company's internal network.

• This allows remote users to securely access internal networks via the Internet, using the Point-to-Point Tunneling Protocol (PPTP).

• VPNs use both authentication and encryption to secure information from unauthorized persons.

• Authentication prevents spoofing and misrepresentation of identities.

Page 29

PROTECTING NETWORKS

• FIREWALLS: refers to either hardware or software that filters communication packets and prevents some packets from entering the network based on a security policy.

• PROXY SERVERS: Software server that handles all communications originating from or being sent to the Internet, acting as a spokesperson or bodyguard for the organization.

Page 30

Firewall & Proxy Server

Page 31

PROTECTING SERVERS AND CLIENTS

• OPERATING SYSTEMS SECURITY ENHANCEMENTS: Windows/Apple computers’ security upgrades, password protection etc.

• ANTI-VIRUS SOFTWARE

Page 32

Payment Systems

Page 33

Generic Types of Payment Systems

CASH:

• Cash is the legal tender defined by a national authority to represent value, and is the most common form of payment in terms of number of transactions.

• It is instantly convertible into other forms of value without the intermediation of any other institution.

• It is portable, requires no authentication, and provides instant purchasing power for those who possess it.

• Micropayments are allowed.

• No transaction fee for using it.

• Anonymous and difficult to trace

Page 34

Generic Types of Payment Systems

CHECKING TRANSFER:

• Represents funds transferred directly via a single draft or check from a consumer’s checking account to a merchant or other individual.

• Second most common form of payment in terms of transactions

• Can be used for small and large transactions

• Not anonymous and requires third party institution to work.

• Can be forged more easily than cash, so authentication is required.

• They can be cancelled before being cleared in bank.

Page 35

Generic Types of Payment Systems

CREDIT CARD:

• Represents an account that extends credit to consumers, permits consumers to purchase items while deferring payment, and allows them to make payments to multiple vendors with one instrument.

• Credit card associations such as Visa and MasterCard are non-profit associations that set standards for the issuing banks that actually issue the cards and process transactions.

• Processing centres or clearinghouses handle verification of accounts and balances.

• Issuing banks are the financial intermediaries.

• Consumers can repudiate the purchases under certain circumstances.

Page 36

Generic Types of Payment Systems

STORED VALUE:

• Accounts created by depositing funds into an account, from which funds are paid out or withdrawn as needed, are stored value payment systems.

• Similar to a checking account, but no checks are written.

• E.g.: debit cards, prepaid cards.

• A debit card immediately debits a checking or other demand deposit account.

• P2P payment systems such as PayPal are variations on the stored value concept.

Page 37

Generic Types of Payment Systems

ACCUMULATING BALANCE:

• Accounts that accumulate expenditures and to which consumers make periodic payments are accumulating balance payment systems.

• E.g.: utilities such as water, electricity, phone accounts that accumulate balances and then are paid in full at the end of the period.

Page 38

E-Commerce Payment Systems: ONLINE CREDIT CARD TRANSACTION

• Online credit card transactions are processed in much the same way that in-store purchases are, except that the online merchants never see the actual card being used, no card impression taken, and no signature available.

• Five parties involved in an online credit card purchase: consumers, merchant, clearinghouse, merchant bank, consumer’s card issuing bank.

Page 39

How an online credit card transaction works

Page 40

Limitations of ONLINE CREDIT CARD TRANSACTION Systems

• Most important limitations involve security, merchant risk, administrative and transaction costs, and social equity.

• Neither the merchant nor the consumer can be fully authenticated; a merchant could be a criminal collecting card details.

• Consumers can repudiate the transaction.

• Administrative cost of setting up online credit card system etc.

• Transaction costs for merchants; roughly 3.5% of the purchase plus some transaction fee.

• Credit cards are not very democratic: millions of young adults do not have credit cards because they are not considered eligible for them.

Page 41

Alternative Online Payment Systems

• Limitations of the online credit card payment systems have opened way for alternatives.

• Most significant one is PayPal which enables individuals and businesses with email accounts to make and receive limited payments.

• It is an example of an online stored value payment system that permits consumers to make instant online payments to merchants and other individuals based on value stored in an online account.

Page 42

Thank you
