1、E-Commerce 2017:Business.Technology.Society.Thirteenth Edition Chapter 5 E-Commerce Security and Payment SystemsLearning Objectives5.1 Understand the scope of e-commerce crime and security problems,the key dimensions of e-commerce security,and the tension between security and other values.5.2 Identi
2、fy the key security threats in the e-commerce environment.5.3 Describe how technology helps secure Internet communications channels and protect networks,servers,and clients.5.4 Appreciate the importance of policies,procedures,and laws in creating security.5.5 Identify the major e-commerce payment sy
3、stems in use today.5.6 Describe the features and functionality of electronic billing presentment and payment systems.Cyberwar:M A D 2.0 Class Discussion What is the difference between hacking and cyberwar?Why has cyberwar become potentially more devastating in the past decade?Is it possible to find
4、a political solution to M A D 2.0?What damage can be done by cyberweapons like Flame and Snake?The E-Commerce Security Environment Overall size and losses of cybercrime unclear Reporting issues 2016 survey:Average total cost of data breach to U.S.corporations was$4 million Low-cost web attack kits O
5、nline credit card fraud Underground economy marketplaceWhat Is Good E-Commerce Security?To achieve highest degree of security New technologies Organizational policies and procedures Industry standards and government laws Other factors Time value of money Cost of security vs.potential loss Security o
6、ften breaks at weakest linkFigure 5.1 The E-Commerce Security EnvironmentTable 5.3 Customer and Merchant Perspectives on the Different Dimensions of E-Commerce Security(1 of 2)DimensionCustomers PerspectiveMerchants PerspectiveIntegrityHas information I transmitted orreceived been altered?Has data o
7、n the site been altered without authorization?Is data being received from customers valid?NonrepudiationCan a party to an action with me later deny taking the action?Can a customer deny ordering products?AuthenticityWho am I dealing with?How can I be assured that the person or entity is who they cla
8、im to be?What is the real identity of the customer?Table 5.3 Customer and Merchant Perspectives on the Different Dimensions of E-Commerce Security(2 of 2)DimensionCustomers PerspectiveMerchants PerspectiveConfidentialityCan someone other than the intended recipient read my messages?Are messages or c
9、onfidential data accessible to anyone other than those authorized to view them?PrivacyCan I control the use of information about myself transmitted to ane-commerce merchant?What use,if any,can be made of personal data collected as part of an e-commerce transaction?Is the personal information of cust
10、omers being used in an unauthorized manner?AvailabilityCan I get access to the site?Is the site operational?The Tension Between Security and Other Values Ease of use The more security measures added,the more difficult a site is to use,and the slower it becomes Public safety and criminal uses of the
11、Internet Use of technology by criminals to plan crimes or threaten nation-stateSecurity Threats in the E-Commerce Environment Three key points of vulnerability in e-commerce environment:Client Server Communications pipeline(Internet communications channels)Figure 5.2 A Typical E-Commerce Transaction
12、Figure 5.3 Vulnerable Points in an E-Commerce TransactionMalicious CodeExploits and exploit kitsMaladvertisingDrive-by downloadsVirusesWormsRansomware(scareware)Trojan horsesBackdoorsBots,botnetsPotentially Unwanted Programs Browser parasites Monitor and change users browser Adware Used to call pop-
13、up ads Spyware Tracks users keystrokes,e-mails,I M s,etc.Phishing Any deceptive,online attempt by a third party to obtain confidential information for financial gain Tactics Social engineering E-mail scams Spear phishing Used for identity fraud and theftHacking,Cybervandalism,and Hacktivism Hacking
14、Hackers vs.crackers White hats,black hats,grey hats Tiger teams Goals:cybervandalism,data breaches Cybervandalism:Disrupting,defacing,destroying website HacktivismData Breaches When organizations lose control over corporate information to outsiders Nine mega-breaches in 2015 Leading causes Hacking E
15、mployee error/negligence Accidental e-mail/Internet exposure Insider theftInsight on Society:The Ashley Madison Data Breach Class Discussion What organizational and technological failures led to the data breach at Ashley Madison?What technical solutions are available to combat data breaches?Have you
16、 or anyone you know experienced a data breach?Credit Card Fraud/Theft Stolen credit card incidences about 0.8%of all online card transactions Hacking and looting of corporate servers is primary cause Central security issue:establishing customer identity E-signatures Multi-factor authentication Finge
17、rprint identificationIdentity Fraud/Theft Unauthorized use of another persons personal data for illegal financial benefit Social security number Drivers license Credit card numbers Usernames/passwords 2015:13 million U.S.consumers suffered identity fraudSpoofing,Pharming,and Spam(Junk)Websites Spoof
18、ing Attempting to hide true identity by using someone elses e-mail or I P address Pharming Automatically redirecting a web link to a different address,to benefit the hacker Spam(junk)websites Offer collection of advertisements for other sites,which may contain malicious codeSniffing and Man-In-The-M
19、iddle AttacksSniffer Eavesdropping program monitoring networks Can identify network trouble spots Can be used by criminals to steal proprietary informationE-mail wiretaps Recording e-mails at the mail server levelMan-in-the-middle attack Attacker intercepts and changes communication between two part
20、ies who believe they are communicating directlyDenial of Service(D o S)and Distributed Denial of Service(D D o S)AttacksDenial of service(D o S)attack Flooding website with pings and page requests Overwhelm and can shut down sites web servers Often accompanied by blackmail attempts BotnetsDistribute
21、d Denial of Service(D D o S)attack Uses hundreds or thousands of computers to attack target network Can use devices from Internet of Things,mobile devicesD D o S smokescreeningInsider Attacks Largest threat to business institutions come from insider embezzlement Employee access to privileged informa
22、tion Poor security procedures Insiders more likely to be source of cyberattacks than outsidersPoorly Designed Software Increase in complexity of and demand for software has led to increase in flaws and vulnerabilities S Q L injection attacks Zero-day vulnerability Heartbleed bugSocial Network Securi
23、ty Issues Social networks an environment for:Viruses,site takeovers,identity fraud,malware-loaded apps,click hijacking,phishing,spam Manual sharing scams Sharing of files that link to malicious sites Fake offerings,fake Like buttons,and fake appsMobile Platform Security Issues Little public awarenes
24、s of mobile device vulnerabilities 2015 survey:3 million apps of 10 million are malware Vishing Smishing S M S spoofing MadwareInsight on Technology:Think Your Smartphone Is Secure?Class Discussion Which mobile operating system do you think is more secure Apples i O S or Googles Android?What steps,i
25、f any,do you take to make your smartphone more secure?What qualities of apps make them a vulnerable security point in smartphone use?Cloud Security Issues D D o S attacks Infrastructure scanning Lower-tech phishing attacks yield passwords and access Use of cloud storage to connect linked accounts La
26、ck of encryption and strong security proceduresInternet of Things Security Issues Challenging environment to protect Vast quantity of interconnected links Near identical devices with long service lives Many devices have no upgrade features Little visibility into workings,data,or securityTechnology S
27、olutions Protecting Internet communications Encryption Securing channels of communication S S L,T L S,V P N s,Wi-Fi Protecting networks Firewalls,proxy servers,I D S,I P S Protecting servers and clients O S security,anti-virus softwareFigure 5.5 Tools Available to Achieve Site SecurityEncryption Tra
28、nsforms data into cipher text readable only by sender and receiver Secures stored information and information transmission Provides 4 of 6 key dimensions of e-commerce security:Message integrity Nonrepudiation Authentication ConfidentialitySymmetric Key Cryptography Sender and receiver use same digi
29、tal key to encrypt and decrypt message Requires different set of keys for each transaction Strength of encryption:Length of binary key Data Encryption Standard(D E S)Advanced Encryption Standard(A E S)Other standards use keys with up to 2,048 bitsPublic Key Cryptography Uses two mathematically relat
30、ed digital keys Public key(widely disseminated)Private key(kept secret by owner)Both keys used to encrypt and decrypt message Once key used to encrypt message,same key cannot be used to decrypt message Sender uses recipients public key to encrypt message;recipient uses private key to decrypt itFigur
31、e 5.6 Public Key Cryptography:A Simple CasePublic Key Cryptography Using Digital Signatures and Hash Digests Sender applies a mathematical algorithm(hash function)to a message and then encrypts the message and hash result with recipients public key Sender then encrypts the message and hash result wi
32、th senders private keycreating digital signaturefor authenticity,nonrepudiation Recipient first uses senders public key to authenticate message and then the recipients private key to decrypt the hash result and messageFigure 5.7 Public Key Cryptography with Digital SignaturesDigital Envelopes Addres
33、s weaknesses of:Public key cryptography Computationally slow,decreased transmission speed,increased processing time Symmetric key cryptography Insecure transmission lines Uses symmetric key cryptography to encrypt document Uses public key cryptography to encrypt and send symmetric keyFigure 5.8 Crea
34、ting a Digital EnvelopeDigital Certificates and Public Key Infrastructure(P K I)Digital certificate includes:Name of subject/company Subjects public key Digital certificate serial number Expiration date,issuance date Digital signature of C A Public Key Infrastructure(P K I):CAs and digital certifica
35、te procedures P G PFigure 5.9 Digital Certificates and Certification AuthoritiesLimitations of P K I Does not protect storage of private key P K I not effective against insiders,employees Protection of private keys by individuals may be haphazard No guarantee that verifying computer of merchant is s
36、ecure C A s are unregulated,self-selecting organizationsSecuring Channels of Communication Secure Sockets Layer(S S L)/Transport Layer Security(T L S)Establishes secure,negotiated clientserver session Virtual Private Network(V P N)Allows remote users to securely access internal network via the Inter
37、net Wireless(Wi-Fi)networks W P A2Figure 5.10 Secure Negotiated Sessions Using S S L/T L SProtecting NetworksFirewall Hardware or software that uses security policy to filter packets Packet filters Application gateways Next-generation firewallsProxy servers(proxies)Software servers that handle all c
38、ommunications from or sent to the InternetIntrusion detection systemsIntrusion prevention systemsFigure 5.11 Firewalls and Proxy ServersProtecting Servers and Clients Operating system security enhancements Upgrades,patches Anti-virus software Easiest and least expensive way to prevent threats to sys
39、tem integrity Requires daily updatesManagement Policies,Business Procedures,and Public Laws Worldwide,companies spend more than$81 billion on security hardware,software,services Managing risk includes:Technology Effective management policies Public laws and active enforcementA Security Plan:Manageme
40、nt Policies Risk assessment Security policy Implementation plan Security organization Access controls Authentication procedures,including biometrics Authorization policies,authorization management systems Security auditFigure 5.12 Developing an E-Commerce Security PlanThe Role of Laws and Public Pol
41、icy Laws that give authorities tools for identifying,tracing,prosecuting cybercriminals:U S A Patriot Act Homeland Security Act Private and private-public cooperation U S-C E R T C E R T Coordination Center Government policies and controls on encryption software O E C D,G7/G8,Council of Europe,Wasse
42、ner ArrangementE-Commerce Payment Systems In U.S.,credit and debit cards are primary online payment methods Other countries have different systems Online credit card purchasing cycle Credit card e-commerce enablers Limitations of online credit card payment Security,merchant risk Cost Social equityFi
43、gure 5.14 How an Online Credit Transaction WorksAlternative Online Payment Systems Online stored value systems:Based on value stored in a consumers bank,checking,or credit card account Example:PayPal Other alternatives:Pay with Amazon Visa Checkout,Mastercards MasterPass Bill Me Later W U Pay,Dwolla
44、,StripeMobile Payment Systems Use of mobile phones as payment devices Established in Europe and Asia Expanding in United States Apple Pay,Android Pay,Samsung Pay,PayPal,Square Near field communication(N F C)Social/Mobile peer-to-peer payment systems Sending money through mobile app or website Regula
45、tion of mobile wallets and rechargeable cardsDigital Cash and Virtual Currencies Digital cash Based on algorithm that generates unique tokens that can be used in“real”world Example:Bitcoin Virtual currencies Circulate within internal virtual world Example:Linden Dollars in Second Life,Facebook Credi
46、ts Typically used for purchasing virtual goodsInsight on Business:Bitcoin Class Discussion What are some of the benefits of using a digital currency?What are the risks involved to the user?What are the political and economic repercussions of a digital currency?Have you or anyone you know ever used Bitcoin?Electronic Billing Presentment and Payment(E B P P)Online payment systems for monthly bills Over 55%of all bill payments Four E B P P business models:Online banking model(most widely used)Biller-direct Mobile Consolidator All models are supported by E B P P infrastructure providers
