E-Commerce, English edition, latest courseware: ec13-ppt-ch05-accessible (duplicate name 3943).pptx

Uploaded by (seller): 晟晟文业  Document ID: 3996087  Upload date: 2022-11-02  Format: PPTX  Pages: 59  Size: 30.96 MB

E-Commerce 2017: Business. Technology. Society.
Thirteenth Edition
Chapter 5: E-Commerce Security and Payment Systems

Learning Objectives
- 5.1 Understand the scope of e-commerce crime and security problems, the key dimensions of e-commerce security, and the tension between security and other values.
- 5.2 Identify the key security threats in the e-commerce environment.
- 5.3 Describe how technology helps secure Internet communications channels and protect networks, servers, and clients.
- 5.4 Appreciate the importance of policies, procedures, and laws in creating security.
- 5.5 Identify the major e-commerce payment systems in use today.
- 5.6 Describe the features and functionality of electronic billing presentment and payment systems.

Cyberwar: MAD 2.0
Class Discussion
- What is the difference between hacking and cyberwar?
- Why has cyberwar become potentially more devastating in the past decade?
- Is it possible to find a political solution to MAD 2.0?
- What damage can be done by cyberweapons like Flame and Snake?

The E-Commerce Security Environment
- Overall size and losses of cybercrime unclear
  - Reporting issues
- 2016 survey: Average total cost of data breach to U.S. corporations was $4 million
- Low-cost web attack kits
- Online credit card fraud
- Underground economy marketplace

What Is Good E-Commerce Security?
- To achieve highest degree of security
  - New technologies
  - Organizational policies and procedures
  - Industry standards and government laws
- Other factors
  - Time value of money
  - Cost of security vs. potential loss
  - Security often breaks at weakest link

Figure 5.1 The E-Commerce Security Environment

Table 5.3 Customer and Merchant Perspectives on the Different Dimensions of E-Commerce Security

Dimension: Integrity
  Customer's perspective: Has information I transmitted or received been altered?
  Merchant's perspective: Has data on the site been altered without authorization? Is data being received from customers valid?
Dimension: Nonrepudiation
  Customer's perspective: Can a party to an action with me later deny taking the action?
  Merchant's perspective: Can a customer deny ordering products?
Dimension: Authenticity
  Customer's perspective: Who am I dealing with? How can I be assured that the person or entity is who they claim to be?
  Merchant's perspective: What is the real identity of the customer?
Dimension: Confidentiality
  Customer's perspective: Can someone other than the intended recipient read my messages?
  Merchant's perspective: Are messages or confidential data accessible to anyone other than those authorized to view them?
Dimension: Privacy
  Customer's perspective: Can I control the use of information about myself transmitted to an e-commerce merchant?
  Merchant's perspective: What use, if any, can be made of personal data collected as part of an e-commerce transaction? Is the personal information of customers being used in an unauthorized manner?
Dimension: Availability
  Customer's perspective: Can I get access to the site?
  Merchant's perspective: Is the site operational?

The Tension Between Security and Other Values
- Ease of use
  - The more security measures added, the more difficult a site is to use, and the slower it becomes
- Public safety and criminal uses of the Internet
  - Use of technology by criminals to plan crimes or threaten nation-state

Security Threats in the E-Commerce Environment
- Three key points of vulnerability in e-commerce environment:
  - Client
  - Server
  - Communications pipeline (Internet communications channels)

Figure 5.2 A Typical E-Commerce Transaction
Figure 5.3 Vulnerable Points in an E-Commerce Transaction

Malicious Code
- Exploits and exploit kits
- Maladvertising
- Drive-by downloads
- Viruses
- Worms
- Ransomware (scareware)
- Trojan horses
- Backdoors
- Bots, botnets

Potentially Unwanted Programs
- Browser parasites
  - Monitor and change user's browser
- Adware
  - Used to call pop-up ads
- Spyware
  - Tracks user's keystrokes, e-mails, IMs, etc.

Phishing
- Any deceptive, online attempt by a third party to obtain confidential information for financial gain
- Tactics
  - Social engineering
  - E-mail scams
  - Spear phishing
- Used for identity fraud and theft

Hacking, Cybervandalism, and Hacktivism
- Hacking
  - Hackers vs. crackers
  - White hats, black hats, grey hats
  - Tiger teams
  - Goals: cybervandalism, data breaches
- Cybervandalism:
  - Disrupting, defacing, destroying website
- Hacktivism

Data Breaches
- When organizations lose control over corporate information to outsiders
- Nine mega-breaches in 2015
- Leading causes
  - Hacking
  - Employee error/negligence
  - Accidental e-mail/Internet exposure
  - Insider theft

Insight on Society: The Ashley Madison Data Breach
Class Discussion
- What organizational and technological failures led to the data breach at Ashley Madison?
- What technical solutions are available to combat data breaches?
- Have you or anyone you know experienced a data breach?

Credit Card Fraud/Theft
- Stolen credit card incidences about 0.8% of all online card transactions
- Hacking and looting of corporate servers is primary cause
- Central security issue: establishing customer identity
  - E-signatures
  - Multi-factor authentication

  - Fingerprint identification

Identity Fraud/Theft
- Unauthorized use of another person's personal data for illegal financial benefit
  - Social security number
  - Driver's license
  - Credit card numbers
  - Usernames/passwords
- 2015: 13 million U.S. consumers suffered identity fraud

Spoofing, Pharming, and Spam (Junk) Websites

- Spoofing
  - Attempting to hide true identity by using someone else's e-mail or IP address
- Pharming
  - Automatically redirecting a web link to a different address, to benefit the hacker
- Spam (junk) websites
  - Offer collection of advertisements for other sites, which may contain malicious code

Sniffing and Man-in-the-Middle Attacks
- Sniffer
  - Eavesdropping program monitoring networks
  - Can identify network trouble spots
  - Can be used by criminals to steal proprietary information
- E-mail wiretaps
  - Recording e-mails at the mail server level
- Man-in-the-middle attack
  - Attacker intercepts and changes communication between two parties who believe they are communicating directly

Denial of Service (DoS) and Distributed Denial of Service (DDoS) Attacks
- Denial of service (DoS) attack
  - Flooding website with pings and page requests
  - Overwhelm and can shut down site's web servers
  - Often accompanied by blackmail attempts
  - Botnets

- Distributed Denial of Service (DDoS) attack
  - Uses hundreds or thousands of computers to attack target network
  - Can use devices from Internet of Things, mobile devices
- DDoS smokescreening

Insider Attacks
- Largest threat to business institutions comes from insider embezzlement
- Employee access to privileged information
- Poor security procedures
- Insiders more likely to be source of cyberattacks than outsiders

Poorly Designed Software
- Increase in complexity of and demand for software has led to increase in flaws and vulnerabilities
- SQL injection attacks
- Zero-day vulnerability
- Heartbleed bug

Social Network Security Issues
- Social networks an environment for:
  - Viruses, site takeovers, identity fraud, malware-loaded apps, click hijacking, phishing, spam
- Manual sharing scams
  - Sharing of files that link to malicious sites
- Fake offerings, fake Like buttons, and fake apps

Mobile Platform Security Issues
- Little public awareness of mobile device vulnerabilities
- 2015 survey: 3 million apps of 10 million are malware
- Vishing
- Smishing
- SMS spoofing
- Madware

Insight on Technology: Think Your Smartphone Is Secure?
Class Discussion
- Which mobile operating system do you think is more secure: Apple's iOS or Google's Android?

- What steps, if any, do you take to make your smartphone more secure?
- What qualities of apps make them a vulnerable security point in smartphone use?

Cloud Security Issues
- DDoS attacks
- Infrastructure scanning
- Lower-tech phishing attacks yield passwords and access
- Use of cloud storage to connect linked accounts
- Lack of encryption and strong security procedures

Internet of Things Security Issues
- Challenging environment to protect
- Vast quantity of interconnected links
- Near identical devices with long service lives
- Many devices have no upgrade features
- Little visibility into workings, data, or security

Technology Solutions
- Protecting Internet communications
  - Encryption
- Securing channels of communication
  - SSL, TLS, VPNs, Wi-Fi
- Protecting networks
  - Firewalls, proxy servers, IDS, IPS
- Protecting servers and clients
  - OS security, anti-virus software

Figure 5.5 Tools Available to Achieve Site Security

Encryption
- Transforms data into cipher text readable only by sender and receiver
- Secures stored information and information transmission
- Provides 4 of 6 key dimensions of e-commerce security:
  - Message integrity
  - Nonrepudiation
  - Authentication
  - Confidentiality

Symmetric Key Cryptography
- Sender and receiver use same digital key to encrypt and decrypt message
- Requires different set of keys for each transaction
- Strength of encryption: Length of binary key
- Data Encryption Standard (DES)
- Advanced Encryption Standard (AES)
- Other standards use keys with up to 2,048 bits

Public Key Cryptography
- Uses two mathematically related digital keys
  - Public key (widely disseminated)
  - Private key (kept secret by owner)
- Both keys used to encrypt and decrypt message
- Once key used to encrypt message, same key cannot be used to decrypt message
- Sender uses recipient's public key to encrypt message; recipient uses private key to decrypt it

Figure 5.6 Public Key Cryptography: A Simple Case

Public Key Cryptography Using Digital Signatures and Hash Digests
- Sender applies a mathematical algorithm (hash function) to a message and then encrypts the message and hash result with recipient's public key
- Sender then encrypts the message and hash result with sender's private key, creating digital signature, for authenticity, nonrepudiation
- Recipient first uses sender's public key to authenticate message and then the recipient's private key to decrypt the hash result and message

Figure 5.7 Public Key Cryptography with Digital Signatures

Digital Envelopes
- Address weaknesses of:
  - Public key cryptography
    - Computationally slow, decreased transmission speed, increased processing time
  - Symmetric key cryptography
    - Insecure transmission lines
- Uses symmetric key cryptography to encrypt document
- Uses public key cryptography to encrypt and send symmetric key

Figure 5.8 Creating a Digital Envelope

Digital Certificates and Public Key Infrastructure (PKI)
- Digital certificate includes:
  - Name of subject/company
  - Subject's public key
  - Digital certificate serial number
  - Expiration date, issuance date
  - Digital signature of CA
- Public Key Infrastructure (PKI):
  - CAs and digital certificate procedures
  - PGP

Figure 5.9 Digital Certificates and Certification Authorities

Limitations of PKI
- Does not protect storage of private key
- PKI not effective against insiders, employees
- Protection of private keys by individuals may be haphazard
- No guarantee that verifying computer of merchant is secure
- CAs are unregulated, self-selecting organizations

Securing Channels of Communication
- Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
  - Establishes secure, negotiated client-server session
- Virtual Private Network (VPN)
  - Allows remote users to securely access internal network via the Internet
- Wireless (Wi-Fi) networks
  - WPA2

Figure 5.10 Secure Negotiated Sessions Using SSL/TLS

Protecting Networks
- Firewall
  - Hardware or software that uses security policy to filter packets
  - Packet filters
  - Application gateways
  - Next-generation firewalls
- Proxy servers (proxies)
  - Software servers that handle all communications from or sent to the Internet
- Intrusion detection systems
- Intrusion prevention systems

Figure 5.11 Firewalls and Proxy Servers

Protecting Servers and Clients
- Operating system security enhancements
  - Upgrades, patches
- Anti-virus software
  - Easiest and least expensive way to prevent threats to system integrity
  - Requires daily updates

Management Policies, Business Procedures, and Public Laws
- Worldwide, companies spend more than $81 billion on security hardware, software, services
- Managing risk includes:
  - Technology
  - Effective management policies
  - Public laws and active enforcement

A Security Plan: Management Policies
- Risk assessment
- Security policy
- Implementation plan
  - Security organization
  - Access controls
  - Authentication procedures, including biometrics
  - Authorization policies, authorization management systems
- Security audit

Figure 5.12 Developing an E-Commerce Security Plan

The Role of Laws and Public Policy
- Laws that give authorities tools for identifying, tracing, prosecuting cybercriminals:
  - USA Patriot Act
  - Homeland Security Act
- Private and private-public cooperation
  - US-CERT
  - CERT Coordination Center
- Government policies and controls on encryption software
  - OECD, G7/G8, Council of Europe, Wassenaar Arrangement

E-Commerce Payment Systems
- In U.S., credit and debit cards are primary online payment methods
  - Other countries have different systems
- Online credit card purchasing cycle
- Credit card e-commerce enablers
- Limitations of online credit card payment
  - Security, merchant risk
  - Cost

  - Social equity

Figure 5.14 How an Online Credit Transaction Works

Alternative Online Payment Systems
- Online stored value systems:
  - Based on value stored in a consumer's bank, checking, or credit card account
  - Example: PayPal
- Other alternatives:
  - Pay with Amazon
  - Visa Checkout, Mastercard's MasterPass
  - Bill Me Later
  - WU Pay, Dwolla, Stripe

Mobile Payment Systems
- Use of mobile phones as payment devices
  - Established in Europe and Asia
  - Expanding in United States
    - Apple Pay, Android Pay, Samsung Pay, PayPal, Square
  - Near field communication (NFC)
- Social/Mobile peer-to-peer payment systems
  - Sending money through mobile app or website
- Regulation of mobile wallets and rechargeable cards

Digital Cash and Virtual Currencies
- Digital cash
  - Based on algorithm that generates unique tokens that can be used in "real" world
  - Example: Bitcoin
- Virtual currencies
  - Circulate within internal virtual world
  - Example: Linden Dollars in Second Life, Facebook Credits
  - Typically used for purchasing virtual goods

Insight on Business: Bitcoin
Class Discussion
- What are some of the benefits of using a digital currency?
- What are the risks involved to the user?
- What are the political and economic repercussions of a digital currency?
- Have you or anyone you know ever used Bitcoin?

Electronic Billing Presentment and Payment (EBPP)
- Online payment systems for monthly bills
- Over 55% of all bill payments
- Four EBPP business models:
  - Online banking model (most widely used)
  - Biller-direct
  - Mobile
  - Consolidator
- All models are supported by EBPP infrastructure providers
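
Added example, not part of the slide deck: the digital signature and digital envelope slides from the encryption section, combined into one exchange using Node.js's built-in crypto module. The algorithm choices (RSA-2048, SHA-256, RSA-OAEP, AES-256-GCM), the key pairs, and the function names sealEnvelope and openEnvelope are assumptions made for illustration.

```javascript
// Added example (not from the slide deck): digital signature + digital envelope
// with Node.js built-in crypto. Algorithms and names below are assumptions.
const crypto = require('crypto');

// Constructed key pairs for a hypothetical sender and recipient.
const sender = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const recipient = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Sender side: sign the SHA-256 digest of the message with the sender's
// private key, encrypt the message with a one-time symmetric key, then wrap
// that symmetric key with the recipient's public key (the "envelope").
function sealEnvelope(message, senderPrivateKey, recipientPublicKey) {
  const plaintext = Buffer.from(message, 'utf8');
  const signature = crypto.sign('sha256', plaintext, senderPrivateKey);
  const sessionKey = crypto.randomBytes(32);   // fresh AES-256 key per message
  const iv = crypto.randomBytes(12);           // GCM nonce, never reused with a key
  const cipher = crypto.createCipheriv('aes-256-gcm', sessionKey, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return {
    wrappedKey: crypto.publicEncrypt({ key: recipientPublicKey, ...OAEP }, sessionKey),
    iv, ciphertext, tag: cipher.getAuthTag(), signature,
  };
}

// Recipient side: unwrap the symmetric key with the recipient's private key,
// decrypt, then check the signature with the sender's public key.
// Returns the message, or null if any step fails.
function openEnvelope(envelope, recipientPrivateKey, senderPublicKey) {
  try {
    const sessionKey = crypto.privateDecrypt(
      { key: recipientPrivateKey, ...OAEP }, envelope.wrappedKey);
    const decipher = crypto.createDecipheriv('aes-256-gcm', sessionKey, envelope.iv);
    decipher.setAuthTag(envelope.tag);
    const plaintext = Buffer.concat([decipher.update(envelope.ciphertext), decipher.final()]);
    const authentic = crypto.verify('sha256', plaintext, senderPublicKey, envelope.signature);
    return authentic ? plaintext.toString('utf8') : null;
  } catch (err) {
    return null; // wrong private key, altered ciphertext, or bad GCM tag
  }
}
```

The slow public key operation touches only the 32-byte symmetric key and the digest, which is the weakness of public key cryptography that the Digital Envelopes slide says the envelope addresses.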
