E-commerce Security & Payment Systems
Kenneth C. Laudon and Carol Guercio Traver

Summary: This document covers topics in e-commerce security and payment systems. It analyzes different security dimensions and discusses issues relating to e-commerce security threats, technologies, and policies.
3/11/2024
E-commerce 2023–2024: business. technology. society. Eighteenth Edition
Chapter 5: E-commerce Security and Payment Systems
© 2023 Pearson Education Ltd. All Rights Reserved

Learning Objectives
5.1 Understand the scope of e-commerce crime and security problems, the key dimensions of e-commerce security, and the tension between security and other values.
5.2 Identify the key security threats in the e-commerce environment.
5.3 Describe how technology helps secure Internet communications channels and protect networks, servers, and clients.
5.4 Appreciate the importance of policies, procedures, and laws in creating security.
5.5 Identify the major e-commerce payment systems in use today.

What Is Good E-commerce Security?
To achieve the highest degree of security, use:
– New technologies
– Organizational policies and procedures
– Industry standards and government laws
Other factors:
– Time value of money
– Cost of security versus potential loss
– Security often breaks at the weakest link

Figure 5.1 The E-commerce Security Environment

Table 5.3 Customer and Merchant Perspectives on the Different Dimensions of E-commerce Security

| Dimension | Customer’s Perspective | Merchant’s Perspective |
| --- | --- | --- |
| Integrity | Has information I transmitted or received been altered? | Has data been altered without authorization? Is data being received from customers valid? |
| Nonrepudiation | Can a party to an action with me later deny taking the action? | Can a customer deny ordering products? |
| Authenticity | Who am I dealing with? How can I be assured that the person or entity is who they claim to be? | What is the real identity of the customer? |
| Confidentiality | Can someone other than the intended recipient read my messages? | Are messages or confidential data accessible to anyone other than those authorized to view them? |
| Privacy | Can I control the use of personal information that I am transmitting to an e-commerce merchant? | What use, if any, can be made of personal data collected as part of an e-commerce transaction? Is the personal information of customers being used in an unauthorized manner? |
| Availability | Can I access the site or app? | Is the site or app operational? |

The Tension Between Security and Other Values
Security is not an unmitigated good.
Tensions between security and ease of use:
– The more security measures added, the more difficult a site is to use, and the slower it becomes
– Too much security can harm profitability; not enough can put a business out of business

Security Threats in the E-commerce Environment
Three key points of vulnerability in the e-commerce environment:
– Client
– Server
– Communications pipeline (Internet communications channels)

Figure 5.2 Vulnerable Points in an E-commerce Transaction

Malicious Code
– Exploits and exploit kits
– Drive-by downloads
– Malvertising
– Viruses
– Worms
– Ransomware
– Trojan horses
– Backdoors
– Bots and botnets

Phishing
Any deceptive, online attempt by a third party to obtain confidential information for financial gain
Tactics:
– Social engineering
– E-mail scams and phishing
– Spear phishing
Used for identity fraud and theft

Hacking, Cybervandalism, and Hacktivism
Hacking
– Hackers versus crackers
– Goals: cybervandalism, data breaches
Cybervandalism
– Disrupting, defacing, destroying a Web site
Hacktivism
Data Breaches
Organization loses control over corporate information to outsiders
More than 1,860 breaches and exposures in 2021, a 68% increase over 2020
– Leading causes: malicious code; human and system errors

Credit Card Fraud/Theft
One of the most feared occurrences, despite federal law limits on liability
Systematic hacking and looting of corporate servers is the primary cause
Central security issue: establishing customer identity
– E-signatures
– Multi-factor authentication
– Fingerprint identification

Identity Fraud/Theft
Unauthorized use of another person’s personal data for illegal financial benefit
– IC number
– Driver’s license
– Credit card numbers
– Usernames/passwords

Spoofing, Pharming, and Spam (Junk) Websites
Spoofing
– Attempting to hide one’s true identity by using someone else’s e-mail or IP address
Pharming
– Automatically redirecting a URL to a different address, to benefit the hacker
Spam (junk) websites
– Offer a collection of advertisements for other sites, which may contain malicious code

Sniffing
Sniffer
– Eavesdropping program monitoring networks
– Can identify network trouble spots
– Can be used by criminals to steal proprietary information
Denial of Service (DoS) and Distributed Denial of Service (DDoS) Attacks
Denial of service (DoS) attack
– Flooding a website with pings and page requests
– Overwhelms and can shut down the site’s web servers
– Often accompanied by blackmail attempts
Distributed Denial of Service (DDoS) attack
– Uses hundreds or thousands of computers to attack the target network
– Can use devices from the Internet of Things and mobile devices
– DDoS smokescreening uses a DDoS attack as a distraction to insert malware or viruses or to steal data

Insider Attacks
Biggest financial threat to businesses comes from insider embezzlement
Employee access to privileged information
Poor security procedures
Insiders more likely to be the source of cyberattacks than outsiders

Social Network Security Issues
Social networks are an environment for:
– Viruses, site takeovers, identity fraud, malware-loaded apps, click hijacking, phishing, spam
Manual sharing scams
– Sharing of files that link to malicious sites
Fake offerings, fake Like buttons, and fake apps

Mobile Platform Security Issues
Mobile devices face the same risks as any Internet-connected devices, as well as some additional risks
Majority of mobile malware targets Android devices
– Android apps can be downloaded from third-party stores that may be poorly regulated
Apple iOS devices increasingly being targeted as well
Threats include:
– Rogue apps
– Browser-based malware
– SIM card weaknesses that enable phone hijacking
– Smishing and SMS spoofing

Cloud Security Issues
DDoS attacks
Safeguarding data maintained in a public cloud is a major concern
Most organizations don’t take full responsibility for the security of their data in the cloud
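The DoS and DDoS slide above describes the attack from the attacker's side (one machine flooding a site, or many devices each adding a modest load). From the operator's side the first signal is request rate in the web server's access log. The following is an added example, not part of the slides: a sliding-window counter over constructed log lines that distinguishes a single-source flood from aggregate volume spread across many sources. The log format, the addresses (RFC 5737 documentation ranges) and the thresholds are all assumptions chosen for the example.

```python
"""Rate-based flood detection over constructed access-log lines.

Added example, not from the slides. Two signals are computed from one pass:
(a) a single source sending far more requests in a trailing window than a
human visitor would (the single-source DoS flood), and (b) total request
volume exceeding what the site expects while no single source stands out
(the DDoS pattern, where many devices each contribute a modest rate).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified access-log format (constructed for this example):
# <client ip> [<dd/Mon/yyyy:HH:MM:SS>] "<request line>" <status>
LOG_RE = re.compile(r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "[^"]*" \d{3}$')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S"


def parse_line(line):
    """Return (ip, timestamp) for a well-formed line, None otherwise."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FORMAT)


def detect_floods(lines, window_seconds=10, per_source_limit=15, global_limit=60):
    """Scan log lines that are already in chronological order.

    Returns (flooding, global_alerts):
      flooding      -> dict: ip -> timestamp at which that ip first exceeded
                       per_source_limit requests inside the trailing window
      global_alerts -> sorted list of timestamps at which requests from all
                       sources combined exceeded global_limit in the window
    """
    window = timedelta(seconds=window_seconds)
    per_source = defaultdict(deque)
    everyone = deque()
    flooding = {}
    global_alerts = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                      # skip malformed lines instead of crashing
        ip, ts = parsed
        q = per_source[ip]
        q.append(ts)
        everyone.append(ts)
        # Drop events that have aged out of the trailing window.
        while ts - q[0] > window:
            q.popleft()
        while ts - everyone[0] > window:
            everyone.popleft()
        if len(q) > per_source_limit and ip not in flooding:
            flooding[ip] = ts
        if len(everyone) > global_limit:
            global_alerts.add(ts)
    return flooding, sorted(global_alerts)


def build_sample_log():
    """Constructed traffic (not real data) starting 11 Mar 2024 10:00:00:
    five ordinary visitors at one request per second for 50 s, one source
    flooding at 10 requests/s during seconds 10-12, and thirty addresses
    each sending 3 requests/s during seconds 40-42."""
    t0 = datetime(2024, 3, 11, 10, 0, 0)
    events = []
    for sec in range(50):
        for visitor in range(1, 6):
            events.append((t0 + timedelta(seconds=sec), f"198.51.100.{visitor}"))
    for sec in range(10, 13):
        events.extend([(t0 + timedelta(seconds=sec), "203.0.113.7")] * 10)
    for sec in range(40, 43):
        for bot in range(1, 31):
            events.extend([(t0 + timedelta(seconds=sec), f"192.0.2.{bot}")] * 3)
    events.sort()
    return [f'{ip} [{ts.strftime(TS_FORMAT)}] "GET /checkout HTTP/1.1" 200'
            for ts, ip in events]


def run_demo():
    """Run the detector over the constructed log; returns (flooding, global_alerts)."""
    return detect_floods(build_sample_log())


if __name__ == "__main__":
    flooding, alerts = run_demo()
    for ip, ts in flooding.items():
        print(f"single-source flood from {ip} first seen at {ts:%H:%M:%S}")
    print("aggregate-volume alerts at:", ", ".join(f"{t:%H:%M:%S}" for t in alerts))
```

In the constructed data the flooding address is named individually, while the thirty botnet addresses never cross the per-source limit and only show up through the aggregate counter; that is exactly why rate limits on a single address are not enough against a distributed flood, and why the global counter needs its own baseline.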
Technology Solutions

Encryption
Encryption
– Transforms data into cipher text readable only by sender and receiver
– Secures stored information and information transmission
– Provides 4 of the 6 key dimensions of e-commerce security: message integrity, nonrepudiation, authentication, confidentiality

Symmetric Key Cryptography
Sender and receiver use the same digital key to encrypt and decrypt the message
Requires a different set of keys for each transaction
Strength of encryption: length of the binary key
Data Encryption Standard (DES)

Public Key Cryptography
Uses two mathematically related digital keys
– Public key (widely disseminated)
– Private key (kept secret by owner)
Both keys used to encrypt and decrypt the message
Once a key is used to encrypt a message, the same key cannot be used to decrypt the message
Sender uses the recipient’s public key to encrypt the message; recipient uses the private key to decrypt it

Figure 5.4 Public Key Cryptography: A Simple Case

Public Key Cryptography Using Digital Signatures and Hash Digests
Sender applies a mathematical algorithm (hash function) to a message and then encrypts the message and hash result with the recipient’s public key
Sender then encrypts the message and hash result with the sender’s private key, creating a digital signature, for authenticity and nonrepudiation
Recipient first uses the sender’s public key to authenticate the message and then the recipient’s private key to decrypt the hash result and message

Figure 5.5 Public Key Cryptography With Digital Signatures
Digital Certificates and Public Key Infrastructure (PKI)
Digital certificate includes:
– Name of subject/company
– Subject’s public key
– Digital certificate serial number
– Expiration date, issuance date
– Digital signature of the Certification Authority
Public Key Infrastructure (PKI)
– Certification Authorities and digital certificate procedures

Figure 5.6 Digital Certificates and Certification Authorities

Limitations of PKI
Doesn’t protect storage of the private key
– PKI not effective against insiders, employees
– Protection of private keys by individuals may be haphazard
No guarantee that the verifying computer of the merchant is secure

Securing Channels of Communication
Transport Layer Security (TLS) and HTTPS
– TLS establishes a secure, negotiated client-server session
– Used in conjunction with HTTPS, the secure version of HTTP
Virtual Private Network (VPN)
– Allows remote users to securely access an internal network via the Internet

Figure 5.7 Secure Negotiated Sessions Using TLS

Protecting Networks
Firewall
– Hardware or software that uses a security policy to filter packets
– Packet filters
– Application gateways
– Next-generation firewalls
Proxy servers (proxies)
– Software servers that handle all communications from or sent to the Internet
Intrusion detection systems
Intrusion prevention systems

Figure 5.8 Firewalls and Proxy Servers
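The slides on digital signatures with hash digests and on digital certificates describe one flow: hash the message, sign the digest with the sender's private key, encrypt for the recipient with the recipient's public key, and let the recipient trust the sender's public key only because a Certification Authority has signed a certificate carrying the fields the certificate slide lists. The example below is added here and is not code from the slides or from the textbook. It implements that flow end to end with textbook RSA on fixed Mersenne primes so it runs on the standard library alone; the order used (hash, sign, then encrypt) is the conventional one and is an assumption on my part, as are the party names, the certificate field names and the "Toy CA" issuer. The key material is deliberately a teaching toy: no padding, and a modulus anyone can factor by inspection.

```python
"""Hash digest, digital signature, public-key encryption and a CA-signed
certificate, in one runnable flow. Added example, not from the slides.
Textbook RSA on fixed Mersenne primes: a teaching toy, not a usable cipher."""
import hashlib
import json

E = 65537  # conventional public exponent

# 2^k-1 is prime for k in {89, 107, 127, 521, 607, 1279} (Mersenne primes),
# so the keys are deterministic with no generator. Toy key material only.
def M(k):
    return (1 << k) - 1


def make_keypair(p, q):
    """Textbook RSA: public key (n, e), private key (n, d)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse, needs Python 3.8+
    return (n, E), (n, d)


def digest_int(data):
    """SHA-256 digest of the message as an integer below 2^256 (and below every n here)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(priv, data):
    """Digital signature: the hash digest transformed with the signer's private key."""
    n, d = priv
    return pow(digest_int(data), d, n)


def verify(pub, data, signature):
    """Recover the digest with the signer's public key and compare with a fresh hash."""
    n, e = pub
    return pow(signature, e, n) == digest_int(data)


def encrypt_int(pub, value):
    n, e = pub
    if not 0 <= value < n:
        raise ValueError("value does not fit under the recipient's modulus")
    return pow(value, e, n)


def decrypt_int(priv, cipher):
    n, d = priv
    return pow(cipher, d, n)


def encrypt_bytes(pub, data):
    """A leading 0x01 marker keeps any leading zero bytes of data intact."""
    return encrypt_int(pub, int.from_bytes(b"\x01" + data, "big"))


def decrypt_bytes(priv, cipher):
    value = decrypt_int(priv, cipher)
    return value.to_bytes((value.bit_length() + 7) // 8, "big")[1:]


def canonical(fields):
    """Fixed serialisation so signer and verifier hash identical bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def issue_certificate(ca_priv, subject, subject_pub, serial, not_before, not_after):
    """The certificate fields from the slide, signed by the Certification Authority."""
    fields = {"subject": subject, "public_key": list(subject_pub), "serial": serial,
              "not_before": not_before, "not_after": not_after, "issuer": "Toy CA"}
    return {"fields": fields, "ca_signature": sign(ca_priv, canonical(fields))}


def verify_certificate(ca_pub, cert, today):
    """Valid only if the CA signature checks out and today lies in the validity window."""
    f = cert["fields"]
    return (verify(ca_pub, canonical(f), cert["ca_signature"])
            and f["not_before"] <= today <= f["not_after"])


def send(sender_priv, recipient_pub, message):
    """Sign the digest with the sender's private key, then encrypt message and
    signature with the recipient's public key (the signature fits as one integer)."""
    return {"body": encrypt_bytes(recipient_pub, message),
            "signature": encrypt_int(recipient_pub, sign(sender_priv, message))}


def receive(recipient_priv, sender_cert, ca_pub, envelope, today):
    """Check the sender's certificate, decrypt with the recipient's private key,
    then authenticate the message with the public key taken from the certificate."""
    if not verify_certificate(ca_pub, sender_cert, today):
        return None, False
    message = decrypt_bytes(recipient_priv, envelope["body"])
    signature = decrypt_int(recipient_priv, envelope["signature"])
    sender_pub = tuple(sender_cert["fields"]["public_key"])
    return message, verify(sender_pub, message, signature)


# Constructed parties: a customer (sender), a merchant (recipient) and a CA.
CA_PUB, CA_PRIV = make_keypair(M(89), M(1279))
CUSTOMER_PUB, CUSTOMER_PRIV = make_keypair(M(127), M(521))
MERCHANT_PUB, MERCHANT_PRIV = make_keypair(M(107), M(607))
CUSTOMER_CERT = issue_certificate(CA_PRIV, "customer@example.com", CUSTOMER_PUB,
                                  serial=1001, not_before="2024-01-01", not_after="2024-12-31")


def demo(message=b"Order 4711: 2 x widget, ship to 1 Main St", today="2024-03-11"):
    """Customer sends an order to the merchant; returns (plaintext, signature_valid)."""
    envelope = send(CUSTOMER_PRIV, MERCHANT_PUB, message)
    return receive(MERCHANT_PRIV, CUSTOMER_CERT, CA_PUB, envelope, today)


if __name__ == "__main__":
    text, authentic = demo()
    print(text.decode(), "-> signature valid:", authentic)
```

Two points the slides state but do not show are visible here: the recipient never takes the sender's public key on trust but reads it out of a certificate whose CA signature it has just verified, and a certificate outside its validity window (for example `demo(today="2025-01-01")`) is rejected before any decryption happens, which is the expiry check the certificate's dates exist for.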
A Security Plan: Management Policies
Risk assessment
Security policy
Implementation plan
– Security organization
– Access controls
– Authentication procedures, including biometrics
– Authorization policies, authorization management systems
Security audit

Figure 5.9 Developing an E-commerce Security Plan

E-commerce Payment Systems
Credit and debit cards are the primary online payment methods.
Parties involved: consumers, merchants, clearinghouse, merchant bank, card-issuing bank
Credit card e-commerce enablers
Limitations of online credit card payment:
– Merchants: security, merchant risk, cost
– Consumers: social equity

Figure 5.10 How an Online Credit Card Transaction Works

Alternative Online Payment Systems
Online stored value systems
– Based on value stored in a consumer’s bank, checking, or credit card account
– Example: PayPal
Other alternatives?
Buy Now Pay Later (BNPL) services
– Examples: SPayLater

Mobile Payment Systems
Use of mobile phones as payment devices
– Established in Europe and Asia
– Expanding in the United States
Near field communication (NFC) and QR codes
Different types of mobile wallets
– Universal proximity mobile wallet apps, such as Apple Pay, Google Pay, Samsung Pay
– Branded store proximity wallet apps, offered by ZUS, Starbucks, others

Copyright
This work is protected by United Kingdom copyright laws and is provided solely for the use of instructors in teaching their courses and assessing student learning. Dissemination or sale of any part of this work (including on the World Wide Web) will destroy the integrity of the work and is not permitted.
The work and materials from it should never be made available to students except by instructors using the accompanying text in their classes. All recipients of this work are expected to abide by these restrictions and to honor the intended pedagogical purposes and the needs of other instructors who rely on these materials.