#5- MGT447 Ch-05 E-commerce Security and Payment SystemsLaudon 9e Updated 2023-24 working(1) - Tagged.pdf

Full Transcript

 Chapter 5
E-commerce Security and
Payment Systems

Copyright © 2013 Pearson Education, Inc.
 Class Discussion

Cyberwar: MAD 2.0
What is the difference between hacking and
cyberwar?
Why has cyberwar become more potentially
devastating in the past decade?
Why has Google been the target of so many
cyberattacks?
Is it possible to find a political solution to
MAD 2.0?

Copyright © 2013 Pearson Education, Inc. Slide 5-3
 The E-commerce Security
Environment
Overall size and losses of cybercrime
unclear
 Reporting issues

2011 CSI survey: 46% of respondent firms
detected breach in last year
Underground economy marketplace:
 Stolen information stored on underground
economy servers

Copyright © 2013 Pearson Education, Inc. Slide 5-4
 What Is Good E-commerce Security?
To achieve highest degree of security
 New technologies
 Organizational policies and procedures
 Industry standards and government laws

Other factors
 Time value of money
 Cost of security vs. potential loss
 Security often breaks at weakest link

Copyright © 2013 Pearson Education, Inc. Slide 5-5
 The E-commerce Security Environment

Figure 5.1, Page 266

Copyright © 2013 Pearson Education, Inc. Slide 5-6
Table 5.3, Page 267

Copyright © 2013 Pearson Education, Inc. Slide 5-7
 The Tension Between Security and
Other Values
Ease of use
 The more security measures added, the more
difficult a site is to use, and the slower it
becomes
Public safety and criminal uses of the
Internet
 Use of technology by criminals to plan crimes or
threaten nation-state

Copyright © 2013 Pearson Education, Inc. Slide 5-8
 Security Threats in the
E-commerce Environment
Three key points of vulnerability in
e-commerce environment:
1. Client
2. Server
3. Communications pipeline (Internet
communications channels)

Copyright © 2013 Pearson Education, Inc. Slide 5-9
 A Typical E-commerce Transaction

Figure 5.2, Page 269

Copyright © 2013 Pearson Education, Inc. Slide 5-10
 Vulnerable Points in an E-commerce
Transaction

Figure 5.3, Page 270

Copyright © 2013 Pearson Education, Inc. Slide 5-11
Most Common Security Threats in the

E-commerce
Malicious code Environment
 Viruses
 Worms
 Trojan horses
 Drive-by downloads
 Backdoors
 Bots, botnets
 Threats at both client and server levels

Copyright © 2013 Pearson Education, Inc. Slide 5-12
 Most Common Security Threats (cont.)
Potentially unwanted programs (PUPs)
 Browser parasites
 Adware
 Spyware

Phishing
 E-mail scams
 Social engineering
 Identity theft

Copyright © 2013 Pearson Education, Inc. Slide 5-13
 Most Common Security Threats (cont.)
Hacking
 Hackers vs. crackers
 Types of hackers: White, black, grey hats
 Hacktivism

Cybervandalism:
 Disrupting, defacing, destroying Web site

Data breach
 Losing control over corporate information to
outsiders

Copyright © 2013 Pearson Education, Inc. Slide 5-14
 Most Common Security Threats (cont.)
Credit card fraud/theft
 Hackers target merchant servers; use data to establish
credit under false identity
Spoofing (Pharming)
Spam (junk) Web sites
Denial of service (DoS) attack
 Hackers flood site with useless traffic to overwhelm
network
Distributed denial of service (DDoS) attack

Copyright © 2013 Pearson Education, Inc. Slide 5-15
 Insight on Business: Class Discussion

Sony: Press the Reset Button
What organization and technical failures
led to the April 2011 data breach on the
PlayStation Network?
Can Sony be criticized for waiting 3 days
to inform the FBI?
Have you or anyone you know
experienced data theft?

Copyright © 2013 Pearson Education, Inc. Slide 5-16
 Most Common Security Threats (cont.)
Sniffing
 Eavesdropping program that monitors information
traveling over a network
Insider attacks
Poorly designed server and client software
Social network security issues
Mobile platform security issues
 Same risks as any Internet device

Cloud security issues

Copyright © 2013 Pearson Education, Inc. Slide 5-17
 Insight on Technology: Class Discussion

Think Your Smartphone Is Secure?
What types of threats do smartphones face?
Are there any particular vulnerabilities to this
type of device?
What did Nicolas Seriot’s “Spyphone” prove?
Are apps more or less likely to be subject to
threats than traditional PC software
programs?

Copyright © 2013 Pearson Education, Inc. Slide 5-18
 Technology Solutions
Protecting Internet communications
 Encryption

Securing channels of communication
 SSL, VPNs

Protecting networks
 Firewalls

Protecting servers and clients

Copyright © 2013 Pearson Education, Inc. Slide 5-19
 Tools Available to Achieve Site Security

Figure 5.5, Page 288

Copyright © 2013 Pearson Education, Inc. Slide 5-20
 Encryption
Encryption
 Transforms data into cipher text readable only by
sender and receiver
 Secures stored information and information
transmission
 Provides 4 of 6 key dimensions of e-commerce security:
Message integrity
Nonrepudiation
Authentication
Confidentiality

Copyright © 2013 Pearson Education, Inc. Slide 5-21
 Symmetric Key Encryption
Sender and receiver use same digital key to encrypt
and decrypt message
Requires different set of keys for each transaction
Strength of encryption
 Length of binary key used to encrypt data
Advanced Encryption Standard (AES)
 Most widely used symmetric key encryption
 Uses 128-, 192-, and 256-bit encryption keys
Other standards use keys with up to 2,048 bits

Copyright © 2013 Pearson Education, Inc. Slide 5-22
 Public Key Encryption
Uses two mathematically related digital keys
 Public key (widely disseminated)
 Private key (kept secret by owner)

Both keys used to encrypt and decrypt message
Once key used to encrypt message, same key
cannot be used to decrypt message
Sender uses recipient’s public key to encrypt
message; recipient uses private key to decrypt it

Copyright © 2013 Pearson Education, Inc. Slide 5-23
 Public Key Cryptography: A Simple Case

Figure 5.6, Page 291

Copyright © 2013 Pearson Education, Inc. Slide 5-24
 Public Key Encryption using Digital
Signatures and Hash Digests
Hash function:
 Mathematical algorithm that produces fixed-length number called
message or hash digest
Hash digest of message sent to recipient along with
message to verify integrity
Hash digest and message encrypted with recipient’s
public key
Entire cipher text then encrypted with recipient’s
private key—creating digital signature—for
authenticity, nonrepudiation

Copyright © 2013 Pearson Education, Inc. Slide 5-25
 Public Key Cryptography with Digital
Signatures

Figure 5.7, Page 293

Copyright © 2013 Pearson Education, Inc. Slide 5-26
 Digital Envelopes
Address weaknesses of:
 Public key encryption
Computationally slow, decreased transmission speed, increased
processing time
 Symmetric key encryption
Insecure transmission lines
Uses symmetric key encryption to encrypt
document
Uses public key encryption to encrypt and send
symmetric key

Copyright © 2013 Pearson Education, Inc. Slide 5-27
 Creating a Digital Envelope

Figure 5.8, Page 294

Copyright © 2013 Pearson Education, Inc. Slide 5-28
 Digital Certificates and
Public Key Infrastructure (PKI)
Digital certificate includes:
 Name of subject/company
 Subject’s public key
 Digital certificate serial number
 Expiration date, issuance date
 Digital signature of CA

Public Key Infrastructure (PKI):
 CAs and digital certificate procedures
 PGP

Copyright © 2013 Pearson Education, Inc. Slide 5-29
 Digital Certificates and Certification
Authorities

Figure 5.9, Page 295

Copyright © 2013 Pearson Education, Inc. Slide 5-30
 Limits to Encryption Solutions
Doesn’t protect storage of private key
 PKI not effective against insiders, employees
 Protection of private keys by individuals may be
haphazard
No guarantee that verifying computer of
merchant is secure
CAs are unregulated, self-selecting
organizations

Copyright © 2013 Pearson Education, Inc. Slide 5-31
 Insight on Society: Class Discussion

Web Dogs and Anonymity: Identity 2.0
What are some of the benefits of continuing
the anonymity of the Internet?
What are the disadvantages of an identity
system?
Are there advantages to an identity system
beyond security?
Who should control a central identity system?

Copyright © 2013 Pearson Education, Inc. Slide 5-32
 Securing Channels of Communication
Secure Sockets Layer (SSL) and
Transport Layer Security (TLS)
 Establishes a secure, negotiated client-server
session in which URL of requested document,
along with contents, is encrypted
Virtual Private Network (VPN):
 Allows remote users to securely access internal
network via the Internet

Copyright © 2013 Pearson Education, Inc. Slide 5-33
Secure Negotiated Sessions Using SSL/TLS

Figure 5.10, Page 300

Copyright © 2013 Pearson Education, Inc. Slide 5-34
 Protecting Networks
Firewall
 Hardware or software
 Uses security policy to filter packets
 Two main methods:
Packet filters
Application gateways

Proxy servers (proxies)
 Software servers that handle all communications
originating from or being sent to the Internet

Copyright © 2013 Pearson Education, Inc. Slide 5-35
 Firewalls and Proxy Servers

Figure 5.11, Page 303

Copyright © 2013 Pearson Education, Inc. Slide 5-36
 Protecting Servers and Clients
Operating system security
enhancements
 Upgrades, patches

Anti-virus software:
 Easiest and least expensive way to prevent
threats to system integrity
 Requires daily updates

Copyright © 2013 Pearson Education, Inc. Slide 5-37
 Management Policies, Business
Procedures, and Public Laws
Worldwide, companies spend $60
billion on security hardware, software,
services
Managing risk includes
 Technology
 Effective management policies
 Public laws and active enforcement

Copyright © 2013 Pearson Education, Inc. Slide 5-38
A Security Plan: Management Policies
Risk assessment
Security policy
Implementation plan
 Security organization
 Access controls
 Authentication procedures, including biometrics
 Authorization policies, authorization management systems

Security audit

Copyright © 2013 Pearson Education, Inc. Slide 5-39
 Developing an E-commerce Security Plan

Figure 5.12, Page 305

Copyright © 2013 Pearson Education, Inc. Slide 5-40
 The Role of Laws and Public Policy
Laws that give authorities tools for identifying,
tracing, prosecuting cybercriminals:
 National Information Infrastructure Protection Act of 1996
 USA Patriot Act
 Homeland Security Act
Private and private-public cooperation
 CERT Coordination Center
 US-CERT
Government policies and controls on encryption
software
 OECD, G7/G8, Council of Europe, Wassener Arrangement

Copyright © 2013 Pearson Education, Inc. Slide 5-41
 Types of Payment Systems
Cash
 Most common form of payment
 Instantly convertible into other forms of value
 No float

Checking transfer
 Second most common payment form in United States

Credit card
 Credit card associations
 Issuing banks
 Processing centers

Copyright © 2013 Pearson Education, Inc. Slide 5-42
 Types of Payment Systems (cont.)
Stored value
 Funds deposited into account, from which funds
are paid out or withdrawn as needed
 Debit cards, gift certificates
 Peer-to-peer payment systems

Accumulating balance
 Accounts that accumulate expenditures and to
which consumers make period payments
 Utility, phone, American Express accounts

Copyright © 2013 Pearson Education, Inc. Slide 5-43
 Payment System Stakeholders
Consumers
 Low-risk, low-cost, refutable, convenience, reliability

Merchants
 Low-risk, low-cost, irrefutable, secure, reliable

Financial intermediaries
 Secure, low-risk, maximizing profit

Government regulators
 Security, trust, protecting participants and enforcing
reporting

Copyright © 2013 Pearson Education, Inc. Slide 5-44
 E-commerce Payment Systems
Credit cards
 44% of online payments in 2012 (U.S.)

Debit cards
 28% online payments in 2012 (U.S.)

Limitations of online credit card payment
 Security, merchant risk
 Cost
 Social equity

Copyright © 2013 Pearson Education, Inc. Slide 5-45
 How an Online Credit Transaction Works

Figure 5.14, Page 315

Copyright © 2013 Pearson Education, Inc. Slide 5-46
 Alternative Online Payment Systems
Online stored value systems:
 Based on value stored in a consumer’s bank,
checking, or credit card account
 e.g., PayPal

Other alternatives:
 Amazon Payments
 Google Checkout
 Bill Me Later
 WUPay, Dwolla, Stripe

Copyright © 2013 Pearson Education, Inc. Slide 5-47
 Mobile Payment Systems
Use of mobile phones as payment devices
established in Europe, Japan, South Korea
Near field communication (NFC)
 Short-range (2”) wireless for sharing data between devices

Expanding in United States
 Google Wallet
Mobile app designed to work with NFC chips
 PayPal
 Square

Copyright © 2013 Pearson Education, Inc. Slide 5-48
 Digital Cash and Virtual Currencies
Digital cash
 Based on algorithm that generates unique
tokens that can be used in “real” world
 e.g., Bitcoin

Virtual currencies
 Circulate within internal virtual world
 e.g., Linden Dollars in Second Life, Facebook
Credits

Copyright © 2013 Pearson Education, Inc. Slide 5-49
 Electronic Billing Presentment and
Payment (EBPP)
Online payment systems for monthly bills
50% of all bill payments
Two competing EBPP business models:
 Biller-direct (dominant model)
 Consolidator

Both models are supported by EBPP
infrastructure providers

Copyright © 2013 Pearson Education, Inc. Slide 5-50
Copyright © 2013 Pearson Education, Inc. Slide 5-51