
MGT447 Chapter 5: E-commerce Security and Payment Systems (Laudon 9e, updated 2023-24)


Presented by Prof. Adel Al-Alawi
Chapter 5: E-commerce Security and Payment Systems
Copyright © 2013 Pearson

Slide 5-3: Class Discussion. Cyberwar: MAD 2.0
◼ What is the difference between hacking and cyberwar?
◼ Why has cyberwar become more potentially devastating in the past decade?
◼ Why has Google been the target of so many cyberattacks?
◼ Is it possible to find a political solution to MAD 2.0?

Slide 5-4: The E-commerce Security Environment
◼ Overall size and losses of cybercrime unclear
  ❖ Reporting issues
◼ 2011 CSI survey: 46% of respondent firms detected breach in last year
◼ Underground economy marketplace:
  ❖ Stolen information stored on underground economy servers

Slide 5-5: What Is Good E-commerce Security?
◼ To achieve highest degree of security
  ❖ New technologies
  ❖ Organizational policies and procedures
  ❖ Industry standards and government laws
◼ Other factors
  ❖ Time value of money
  ❖ Cost of security vs. potential loss
  ❖ Security often breaks at weakest link

Slide 5-6: The E-commerce Security Environment (Figure 5.1, Page 266)

Slide 5-7: Table 5.3, Page 267

Slide 5-8: The Tension Between Security and Other Values
◼ Ease of use
  ❖ The more security measures added, the more difficult a site is to use, and the slower it becomes
◼ Public safety and criminal uses of the Internet
  ❖ Use of technology by criminals to plan crimes or threaten nation-state

Slide 5-9: Security Threats in the E-commerce Environment
◼ Three key points of vulnerability in e-commerce environment:
  1. Client
  2. Server
  3. Communications pipeline (Internet communications channels)

Slide 5-10: A Typical E-commerce Transaction (Figure 5.2, Page 269)

Slide 5-11: Vulnerable Points in an E-commerce Transaction (Figure 5.3, Page 270)

Slide 5-12: Most Common Security Threats in the E-commerce Environment
◼ Malicious code
  ❖ Viruses
  ❖ Worms
  ❖ Trojan horses
  ❖ Drive-by downloads
  ❖ Backdoors
  ❖ Bots, botnets
  ❖ Threats at both client and server levels

Slide 5-13: Most Common Security Threats (cont.)
◼ Potentially unwanted programs (PUPs)
  ❖ Browser parasites
  ❖ Adware
  ❖ Spyware
◼ Phishing
  ❖ E-mail scams
  ❖ Social engineering
  ❖ Identity theft

Slide 5-14: Most Common Security Threats (cont.)
◼ Hacking
  ❖ Hackers vs. crackers
  ❖ Types of hackers: White, black, grey hats
  ❖ Hacktivism
◼ Cybervandalism:
  ❖ Disrupting, defacing, destroying Web site
◼ Data breach
  ❖ Losing control over corporate information to outsiders

Slide 5-15: Most Common Security Threats (cont.)
◼ Credit card fraud/theft
  ❖ Hackers target merchant servers; use data to establish credit under false identity
◼ Spoofing (Pharming)
◼ Spam (junk) Web sites
◼ Denial of service (DoS) attack
  ❖ Hackers flood site with useless traffic to overwhelm network
◼ Distributed denial of service (DDoS) attack

Slide 5-16: Insight on Business: Class Discussion. Sony: Press the Reset Button
◼ What organization and technical failures led to the April 2011 data breach on the PlayStation Network?
◼ Can Sony be criticized for waiting 3 days to inform the FBI?
◼ Have you or anyone you know experienced data theft?

Slide 5-17: Most Common Security Threats (cont.)
◼ Sniffing
  ❖ Eavesdropping program that monitors information traveling over a network
◼ Insider attacks
◼ Poorly designed server and client software
◼ Social network security issues
◼ Mobile platform security issues
  ❖ Same risks as any Internet device
◼ Cloud security issues

Slide 5-18: Insight on Technology: Class Discussion. Think Your Smartphone Is Secure?
◼ What types of threats do smartphones face?
◼ Are there any particular vulnerabilities to this type of device?
◼ What did Nicolas Seriot’s “Spyphone” prove?
◼ Are apps more or less likely to be subject to threats than traditional PC software programs?

Slide 5-19: Technology Solutions
◼ Protecting Internet communications
  ❖ Encryption
◼ Securing channels of communication
  ❖ SSL, VPNs
◼ Protecting networks
  ❖ Firewalls
◼ Protecting servers and clients

Slide 5-20: Tools Available to Achieve Site Security (Figure 5.5, Page 288)

Slide 5-21: Encryption
◼ Encryption
  ❖ Transforms data into cipher text readable only by sender and receiver
  ❖ Secures stored information and information transmission
  ❖ Provides 4 of 6 key dimensions of e-commerce security:
    ◼ Message integrity
    ◼ Nonrepudiation
    ◼ Authentication
    ◼ Confidentiality

Slide 5-22: Symmetric Key Encryption
◼ Sender and receiver use same digital key to encrypt and decrypt message
◼ Requires different set of keys for each transaction
◼ Strength of encryption
  ❖ Length of binary key used to encrypt data
◼ Advanced Encryption Standard (AES)
  ❖ Most widely used symmetric key encryption
  ❖ Uses 128-, 192-, and 256-bit encryption keys
◼ Other standards use keys with up to 2,048 bits

Slide 5-23: Public Key Encryption
◼ Uses two mathematically related digital keys
  ❖ Public key (widely disseminated)
  ❖ Private key (kept secret by owner)
◼ Both keys used to encrypt and decrypt message
◼ Once key used to encrypt message, same key cannot be used to decrypt message
◼ Sender uses recipient’s public key to encrypt message; recipient uses private key to decrypt it

Slide 5-24: Public Key Cryptography: A Simple Case (Figure 5.6, Page 291)

Slide 5-25: Public Key Encryption using Digital Signatures and Hash Digests
◼ Hash function:
  ❖ Mathematical algorithm that produces fixed-length number called message or hash digest
◼ Hash digest of message sent to recipient along with message to verify integrity
◼ Hash digest and message encrypted with recipient’s public key
◼ Entire cipher text then encrypted with recipient’s private key—creating digital signature—for authenticity, nonrepudiation

Slide 5-26: Public Key Cryptography with Digital Signatures (Figure 5.7, Page 293)

Slide 5-27: Digital Envelopes
◼ Address weaknesses of:
  ❖ Public key encryption
    ◼ Computationally slow, decreased transmission speed, increased processing time
  ❖ Symmetric key encryption
    ◼ Insecure transmission lines
◼ Uses symmetric key encryption to encrypt document
◼ Uses public key encryption to encrypt and send symmetric key

Slide 5-28: Creating a Digital Envelope (Figure 5.8, Page 294)

Slide 5-29: Digital Certificates and Public Key Infrastructure (PKI)
◼ Digital certificate includes:
  ❖ Name of subject/company
  ❖ Subject’s public key
  ❖ Digital certificate serial number
  ❖ Expiration date, issuance date
  ❖ Digital signature of CA
◼ Public Key Infrastructure (PKI):
  ❖ CAs and digital certificate procedures
  ❖ PGP
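As an added illustration of the digital signature and digital envelope slides (this is not code from the textbook or the lecture), the following Python puts the pieces together: a SHA-256 hash digest of the document, a signature made with the sender's private key, a fresh symmetric session key that encrypts the document, and that session key sealed with the recipient's public key so only the recipient can open it. The RSA key pairs are built from fixed Mersenne primes and the symmetric cipher is a SHA-256 counter keystream, both toy constructions chosen so the example runs with the standard library alone; the names make_keypair, stream_xor, seal and open_envelope are my own.

```python
import hashlib
import secrets

# Toy RSA: moduli built from fixed Mersenne primes so the example needs only the
# standard library. Real systems use vetted RSA/ECC keys and AES from a crypto library.
E = 65537

def make_keypair(p, q):
    """Return ((e, n), (d, n)): the public key and the private key."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))         # modular inverse, Python 3.8+
    return (E, n), (d, n)

SENDER_PUB, SENDER_PRIV = make_keypair(2**521 - 1, 2**127 - 1)
RECIP_PUB, RECIP_PRIV = make_keypair(2**607 - 1, 2**89 - 1)

def stream_xor(key, data):
    """Toy symmetric cipher: SHA-256(key || block counter) keystream XORed with data.
    Symmetric, so the same call both encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], keystream))
    return bytes(out)

def seal(message, sender_priv, recip_pub):
    """Sender side: hash digest, signature with the sender's private key, envelope."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    d, n = sender_priv
    signature = pow(digest, d, n)              # only the holder of d can produce this
    session_key = secrets.token_bytes(32)      # fresh symmetric key for this message
    e, n_r = recip_pub
    sealed_key = pow(int.from_bytes(session_key, "big"), e, n_r)  # the envelope
    return {"ciphertext": stream_xor(session_key, message),
            "sealed_key": sealed_key, "signature": signature}

def open_envelope(env, recip_priv, sender_pub):
    """Recipient side: recover the session key with the recipient's private key,
    decrypt, then compare the digest with the signature. None if the check fails."""
    d, n_r = recip_priv
    session_key = pow(env["sealed_key"], d, n_r).to_bytes(32, "big")
    message = stream_xor(session_key, env["ciphertext"])
    e, n = sender_pub
    expected = int.from_bytes(hashlib.sha256(message).digest(), "big")
    if pow(env["signature"], e, n) != expected:
        return None                            # altered message or wrong signer
    return message
```

The same session key never leaves the sender in the clear: the recipient reconstructs it from the envelope and the document is decrypted only after that step, which is the slow-public-key, fast-symmetric split the digital envelope slide describes.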
Slide 5-30: Digital Certificates and Certification Authorities (Figure 5.9, Page 295)

Slide 5-31: Limits to Encryption Solutions
◼ Doesn’t protect storage of private key
  ❖ PKI not effective against insiders, employees
  ❖ Protection of private keys by individuals may be haphazard
◼ No guarantee that verifying computer of merchant is secure
◼ CAs are unregulated, self-selecting organizations

Slide 5-32: Insight on Society: Class Discussion. Web Dogs and Anonymity: Identity 2.0
◼ What are some of the benefits of continuing the anonymity of the Internet?
◼ What are the disadvantages of an identity system?
◼ Are there advantages to an identity system beyond security?
◼ Who should control a central identity system?

Slide 5-33: Securing Channels of Communication
◼ Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
  ❖ Establishes a secure, negotiated client-server session in which URL of requested document, along with contents, is encrypted
◼ Virtual Private Network (VPN):
  ❖ Allows remote users to securely access internal network via the Internet

Slide 5-34: Secure Negotiated Sessions Using SSL/TLS (Figure 5.10, Page 300)

Slide 5-35: Protecting Networks
◼ Firewall
  ❖ Hardware or software
  ❖ Uses security policy to filter packets
  ❖ Two main methods:
    ◼ Packet filters
    ◼ Application gateways
◼ Proxy servers (proxies)
  ❖ Software servers that handle all communications originating from or being sent to the Internet

Slide 5-36: Firewalls and Proxy Servers (Figure 5.11, Page 303)

Slide 5-37: Protecting Servers and Clients
◼ Operating system security enhancements
  ❖ Upgrades, patches
◼ Anti-virus software:
  ❖ Easiest and least expensive way to prevent threats to system integrity
  ❖ Requires daily updates

Slide 5-38: Management Policies, Business Procedures, and Public Laws
◼ Worldwide, companies spend $60 billion on security hardware, software, services
◼ Managing risk includes
  ❖ Technology
  ❖ Effective management policies
  ❖ Public laws and active enforcement

Slide 5-39: A Security Plan: Management Policies
◼ Risk assessment
◼ Security policy
◼ Implementation plan
  ❖ Security organization
  ❖ Access controls
  ❖ Authentication procedures, including biometrics
  ❖ Authorization policies, authorization management systems
◼ Security audit

Slide 5-40: Developing an E-commerce Security Plan (Figure 5.12, Page 305)

Slide 5-41: The Role of Laws and Public Policy
◼ Laws that give authorities tools for identifying, tracing, prosecuting cybercriminals:
  ❖ National Information Infrastructure Protection Act of 1996
  ❖ USA Patriot Act
  ❖ Homeland Security Act
◼ Private and private-public cooperation
  ❖ CERT Coordination Center
  ❖ US-CERT
◼ Government policies and controls on encryption software
  ❖ OECD, G7/G8, Council of Europe, Wassenaar Arrangement

Slide 5-42: Types of Payment Systems
◼ Cash
  ❖ Most common form of payment
  ❖ Instantly convertible into other forms of value
  ❖ No float
◼ Checking transfer
  ❖ Second most common payment form in United States
◼ Credit card
  ❖ Credit card associations
  ❖ Issuing banks
  ❖ Processing centers

Slide 5-43: Types of Payment Systems (cont.)
◼ Stored value
  ❖ Funds deposited into account, from which funds are paid out or withdrawn as needed
  ❖ Debit cards, gift certificates
  ❖ Peer-to-peer payment systems
◼ Accumulating balance
  ❖ Accounts that accumulate expenditures and to which consumers make periodic payments
  ❖ Utility, phone, American Express accounts

Slide 5-44: Payment System Stakeholders
◼ Consumers
  ❖ Low-risk, low-cost, refutable, convenience, reliability
◼ Merchants
  ❖ Low-risk, low-cost, irrefutable, secure, reliable
◼ Financial intermediaries
  ❖ Secure, low-risk, maximizing profit
◼ Government regulators
  ❖ Security, trust, protecting participants and enforcing reporting

Slide 5-45: E-commerce Payment Systems
◼ Credit cards
  ❖ 44% of online payments in 2012 (U.S.)
◼ Debit cards
  ❖ 28% of online payments in 2012 (U.S.)
◼ Limitations of online credit card payment
  ❖ Security, merchant risk
  ❖ Cost
  ❖ Social equity

Slide 5-46: How an Online Credit Transaction Works (Figure 5.14, Page 315)

Slide 5-47: Alternative Online Payment Systems
◼ Online stored value systems:
  ❖ Based on value stored in a consumer’s bank, checking, or credit card account
  ❖ e.g., PayPal
◼ Other alternatives:
  ❖ Amazon Payments
  ❖ Google Checkout
  ❖ Bill Me Later
  ❖ WUPay, Dwolla, Stripe

Slide 5-48: Mobile Payment Systems
◼ Use of mobile phones as payment devices established in Europe, Japan, South Korea
◼ Near field communication (NFC)
  ❖ Short-range (2”) wireless for sharing data between devices
◼ Expanding in United States
  ❖ Google Wallet
    ◼ Mobile app designed to work with NFC chips
  ❖ PayPal
  ❖ Square

Slide 5-49: Digital Cash and Virtual Currencies
◼ Digital cash
  ❖ Based on algorithm that generates unique tokens that can be used in “real” world
  ❖ e.g., Bitcoin
◼ Virtual currencies
  ❖ Circulate within internal virtual world
  ❖ e.g., Linden Dollars in Second Life, Facebook Credits

Slide 5-50: Electronic Billing Presentment and Payment (EBPP)
◼ Online payment systems for monthly bills
◼ 50% of all bill payments
◼ Two competing EBPP business models:
  ❖ Biller-direct (dominant model)
  ❖ Consolidator
◼ Both models are supported by EBPP infrastructure providers
