
Online Security & Technology Solutions

Good E-commerce Security


Burglary, breaking and entering, embezzlement, trespass, malicious destruction, vandalism: all crimes in a traditional commerce environment are present in e-commerce too
Reducing risks in e-commerce is complex and involves:
  New laws and industry standards
  New technology solutions
  Organizational policies and procedures

E-Commerce Security Environment

Dimensions of E-commerce security


Integrity: the ability to ensure that the information being displayed on a website or transmitted or received over the Internet has not been altered in any way by an unauthorized party
Non-repudiation: the ability to ensure that e-commerce participants do not deny their online actions. Example: it is easy for a customer to order merchandise online and later deny it. As merchants do not get a physical copy of the signature, the credit card issuer will side with the customer
Authenticity: the ability to identify the identity of a person or entity with whom you are dealing on the Internet
Confidentiality: the ability to ensure that messages and data are available only to those who are authorized to view them
Privacy: the ability to control the use of information about oneself
Availability: the ability to ensure that an e-commerce site continues to function as intended

Security Threats in an E-commerce Environment


3 points of vulnerability:
  Client
  Server
  Communications pipeline

Typical E-commerce transaction

Vulnerable points in an Ecommerce environment

Most common security threats


Malicious code
  Viruses: a computer program that has the ability to replicate or make copies of itself, and spread to other files
  Worms: instead of spreading from file to file, a worm is designed to spread from computer to computer. It does not need to be activated by a user or program
  Trojan horses: not itself a virus, but a way for viruses or other malicious code such as bots to enter a system
  Bots: a bot is a type of malicious code that can be covertly installed on a computer when attached to the Internet. Once installed, the bot responds to external commands sent by the attacker
  Botnets: a collection of captured bot computers

Unwanted programs
  Browser parasites: a program that can monitor and change the settings of a user's browser
  Spyware: a program used to obtain information such as a user's keystrokes, e-mail, instant messages and so on

Most Common Security Threats


Phishing
  Deceptive online attempt by a third party to obtain confidential information for financial gain
  E-mail scams, spoofing legitimate Web sites
  Example of an e-mail scam: a rich former minister of Nigeria is seeking a bank account to stash millions of dollars for a short period of time and requests your bank account number where the money can be deposited; known as the Nigerian letter scam
  The information is used to commit fraudulent acts (access checking accounts) and steal identity

Hacking and cybervandalism
  Hackers vs. crackers: a hacker is an individual who intends to gain unauthorized access to a computer system; cracker is a term used within the hacking community to denote a hacker with criminal intent
  Cybervandalism: intentionally disrupting, defacing, or destroying a Web site

Types of hackers: white hats, black hats, grey hats


White hats are good hackers who help organizations locate and fix security flaws
Black hats are hackers who act with the intention of causing harm
Grey hats are hackers who believe they are pursuing some greater good by breaking in and revealing system flaws

Credit card fraud/theft


Fear of stolen credit card information deters online purchases
Hackers target merchant servers; use data to establish credit under a false identity
Online companies are at higher risk than offline ones
Spoofing: misrepresenting oneself by using a fake e-mail address or masquerading as someone else
Pharming: spoofing a Web site, which involves redirecting a web link to an address different from the intended one, with the site masquerading as the intended destination
Spam/junk Web sites: sites that promise to offer some product or service, but in fact are a collection of advertisements for other sites

Denial of service (DoS) attack


Hackers flood a site with useless traffic to inundate and overwhelm the network
DoS attacks cause a website to shut down, making it impossible for users to access the site

Distributed denial of service (DDoS) attack


Hackers use multiple computers to attack target network from numerous launch points

Sniffing
Eavesdropping program that monitors information traveling over a network
When used legitimately, sniffers help identify potential network trouble spots

E-mail wiretaps are a variation of sniffing. A hidden code in an e-mail message allows someone to monitor all succeeding messages forwarded with the original message

Insider jobs
Single largest financial threat
Bank employees steal more money than bank robbers
Employees have access to privileged information, and when internal security is poor, they are able to roam through the organization's network without leaving a trace

Poorly designed server and client software

Technology Solutions
Protecting Internet communications (encryption)
Securing channels of communication (SSL, S-HTTP, VPNs)
Protecting networks (firewalls)
Protecting servers and clients

Encryption
Transforms plain text or data into cipher text readable only by sender and receiver
Purpose of encryption is:
  To secure stored information
  To secure information transmission
A key or cipher is used to transform plain text into cipher text
Substitution cipher: every occurrence of a given letter is systematically replaced by another letter
Transposition cipher: the ordering of the letters in each word is changed in some systematic way

Provides 4 of 6 key dimensions of e-commerce security:

1. Message integrity
2. Non-repudiation
3. Authentication
4. Confidentiality

Symmetric Key Encryption


Sender and receiver use the same digital key to encrypt and decrypt the message
Key has to be sent over some communication media or exchanged in person
Requires a different set of keys for each transaction, i.e. one key for the bank, one for the department store and one for the government
Strength of encryption: length of the binary key used to encrypt data
Advanced Encryption Standard (AES)
  Most widely used symmetric key encryption
  Uses 128-, 192-, and 256-bit encryption keys
Other standards use keys with up to 2,048 bits
Data Encryption Standard (DES): developed by the National Security Agency and IBM; uses a 56-bit encryption key

Public Key Encryption


Invented by Whitfield Diffie and Martin Hellman
Uses two mathematically related digital keys:
1. Public key (widely disseminated)
2. Private key (kept secret by owner)

Both keys are used to encrypt and decrypt the message
Once a key is used to encrypt a message, the same key cannot be used to decrypt the message
Sender uses the recipient's public key to encrypt the message; recipient uses his/her private key to decrypt it

Public Key Cryptography

Public Key Encryption Using Digital Signatures and Hash Digests


In public key encryption, there is no guarantee that the sender is truly the sender, as there is no authentication of the sender
Hash function: an algorithm that produces a fixed-length number called a hash or message digest
Steps:
1. Sender creates an original message
2. Sender applies a hash function, producing a 128-bit hash result
3. Sender encrypts the message and hash result using the recipient's public key
4. Sender encrypts the result with the sender's private key
5. Result of this double encryption is sent over the Internet
6. The receiver uses the sender's public key to authenticate the message
7. Receiver then uses his/her private key to decrypt the hash function and the original message
8. Receiver checks to ensure that the message and hash results conform to each other

Public Key cryptography using Digital signature

Digital Signature
To ensure authenticity and non-repudiation, the sender encrypts the entire block of cipher text one more time using the sender's private key
This produces a digital signature, also called an e-signature or signed cipher text
A digital signature is close to a handwritten signature and changes for every document

Digital Envelope
Addresses weaknesses of:
  Public key encryption
    Computationally slow, decreased transmission speed, increased processing time
  Symmetric key encryption
    Symmetric key has to be sent to the recipient over insecure transmission lines

Uses symmetric key encryption to encrypt the document
The symmetric key, which the recipient will require to decrypt the document, is itself encrypted using the recipient's public key: a key within a key (digital envelope)
The encrypted report and the digital envelope are sent across the web
The recipient uses his/her private key to decrypt the symmetric key, and then uses the symmetric key to decrypt the report
Method saves time because encryption and decryption are faster with symmetric keys
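
The digital envelope and the hash-and-sign check described above, as an added example that is not part of the original slides: the document is encrypted with a one-time symmetric key, that key is wrapped with the recipient's public key, and the sender's private key signs the document's hash. Assumptions: unpadded textbook RSA over well-known Mersenne primes and a SHA-256 keystream standing in for AES, chosen only so the flow runs with the standard library; all names are hypothetical, and the signature covers the plaintext digest rather than the doubly encrypted block the slides describe.

```python
# Added illustration: toy parameters and ciphers, never use for real data.
import hashlib
import secrets

E = 65537  # common RSA public exponent

def make_keypair(p, q):
    """Textbook RSA keypair from two primes: (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

# Constructed keys from well-known Mersenne primes (insecure, demo only).
SENDER_PUB, SENDER_PRIV = make_keypair(2**607 - 1, 2**1279 - 1)
RECIPIENT_PUB, RECIPIENT_PRIV = make_keypair(2**521 - 1, 2**2203 - 1)

def keystream_xor(key, data):
    """Toy symmetric cipher (SHA-256 keystream XOR), a stand-in for AES."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def digest_int(document):
    """Hash digest of the document as an integer, ready for RSA."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")

def seal(document, sender_priv, recipient_pub):
    """Sender side: returns (ciphertext, envelope, signature)."""
    sym_key = secrets.token_bytes(16)              # fresh key per document
    ciphertext = keystream_xor(sym_key, document)  # fast symmetric step
    n, e = recipient_pub
    envelope = pow(int.from_bytes(sym_key, "big"), e, n)  # key within a key
    sn, sd = sender_priv
    signature = pow(digest_int(document), sd, sn)  # needs the sender's private key
    return ciphertext, envelope, signature

def open_sealed(ciphertext, envelope, signature, recipient_priv, sender_pub):
    """Recipient side: returns (document, signature_is_valid)."""
    n, d = recipient_priv
    sym_key = pow(envelope, d, n).to_bytes(16, "big")  # unwrap symmetric key
    document = keystream_xor(sym_key, ciphertext)
    sn, se = sender_pub
    return document, pow(signature, se, sn) == digest_int(document)
```

Only the 16-byte symmetric key goes through the slow public-key operation; the document itself, whatever its size, goes through the fast symmetric step.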

Creating a Digital Envelope

Digital Certificates and PKI


Anyone can make up a private-public key combination and claim to be someone that they are not
A digital certificate is a digital document issued by a certification company; it includes:
  Name of subject/company
  Subject's public key
  Digital certificate serial number
  Expiration date, issuance date
  Digital signature of the certification authority (trusted third-party institution) that issues the certificate

Public Key Infrastructure- CAs and digital certificate procedures that are accepted by all parties

Limitations of Encryption solutions


Doesn't protect storage of the private key
PKI is not effective against insiders and employees
Protection of private keys by individuals may be haphazard
No guarantee that the verifying computer of the merchant is secure
CAs are unregulated, self-selecting organizations

Securing Channels of Communication


Secure Sockets Layer (SSL):
  Establishes a secure, negotiated client-server session in which the URL of the requested document, along with its contents, is encrypted
  For example, the debit/credit card number entered into a form may be encrypted
  Through a series of handshakes and communications, the browser and the server establish one another's identity by exchanging digital certificates, decide on the encryption, and proceed to continue using an agreed-upon session key
  Session key is a unique symmetric encryption key chosen for a single secure session

Securing Channels of Communication


S-HTTP:
Provides a secure message-oriented communications protocol designed for use in conjunction with HTTP

Virtual Private Network (VPN):


Allows remote users to securely access an internal network via the Internet, using Point-to-Point Tunneling Protocol (PPTP)
PPTP is an encoding mechanism that allows one local network to connect to another using the Internet

Protecting Networks
Firewall
  Hardware or software that filters communication packets
  Prevents some packets from entering the network based on security policy
  Controls traffic to and from servers and clients, forbidding communications from untrustworthy sources
  Two main methods:
  1. Packet filters: examine data packets to determine whether they are destined for a prohibited port or originate from a prohibited IP address
  2. Application gateways: a firewall that filters communications based on the application being requested, rather than the source or destination of the message
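
The two filtering methods above applied to the same traffic, as an added example that is not part of the original slides: the packet filter decides from source address and destination port, the application gateway decides from the application being requested. The policy values, the sample packets and the `app` field (standing in for whatever a real gateway identifies from the payload) are constructed assumptions.

```python
import ipaddress

# Constructed policy for illustration; all values are assumptions.
PROHIBITED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]
PROHIBITED_PORTS = {23, 445}
PROHIBITED_APPS = {"telnet", "ftp"}

def packet_filter(pkt):
    """Decide from addressing only: source IP and destination port."""
    src = ipaddress.ip_address(pkt["src"])
    if any(src in net for net in PROHIBITED_SOURCES):
        return "drop"
    if pkt["dst_port"] in PROHIBITED_PORTS:
        return "drop"
    return "pass"

def application_gateway(pkt):
    """Decide from the application being requested, not the addresses."""
    return "drop" if pkt["app"] in PROHIBITED_APPS else "pass"

# Constructed sample traffic.
SAMPLE = [
    {"src": "198.51.100.7", "dst_port": 443, "app": "https"},    # ordinary request
    {"src": "203.0.113.9", "dst_port": 443, "app": "https"},     # prohibited source
    {"src": "198.51.100.7", "dst_port": 23, "app": "telnet"},    # prohibited port
    {"src": "198.51.100.7", "dst_port": 8080, "app": "telnet"},  # telnet on an allowed port
]

def evaluate(packets):
    """Return (packet_filter decision, application_gateway decision) per packet."""
    return [(packet_filter(p), application_gateway(p)) for p in packets]
```

The last sample packet passes the packet filter and is dropped only by the application gateway, while the second is caught only by the packet filter, which is why the two methods are used together.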

Proxy servers (proxies)


Software servers that handle all communications originating from or being sent to the Internet
Limit access of internal clients to external internet servers

Proxy Servers
When a user on an internal network requests a web page, the request is routed first to the proxy server
Proxy server validates the user and the nature of the request, then sends the request to the Internet
Web page sent by the external Internet first passes through the proxy and, if acceptable, passes through the internal network web server to the client's desktop
Proxy servers also improve web performance by storing frequently requested pages locally, reducing upload times
They hide the internal network address, making it difficult for hackers to break

Firewalls and Proxy Servers

E-Commerce Security Plan

Security Plan
An assessment of the risks and points of vulnerability is done
Security policy is defined: a set of statements prioritizing the information risks, identifying acceptable risk targets, and identifying the mechanisms for achieving the targets
Implementation plan: action steps to achieve security goals
To implement the plan, an organizational unit is formed, the security organization, which:
  Educates and trains users
  Maintains the tools chosen to implement security
  Keeps management informed of the threats and breakdowns
Security review involves routine review of access logs

Payment Systems

Types of Payment Systems


Cash
Most common form of payment in terms of number of transactions
Cash is legal tender defined by a national authority to define value
Instantly convertible into other forms of value without intermediation
Example: private organizations create a form of cash called scrip that is easily redeemed by participating organizations for goods or cash

Electronic Payment Systems


Banking and financial payments
  Whole payment or large scale (bank-to-bank transaction)
  Retail or small scale (ATM)
  Home banking (bill payment)

Retail Payments
  Credit cards
  Private label credit or debit cards

Online e-business Payments


Electronic token-based payment system
  Electronic cash
  Electronic cheques
  Smart cards

Credit card-based payment systems
  Encrypted credit cards
  Third party authorization

Electronic token-based electronic payment systems


E-token is recognized as the equivalent of cash and is backed by banks
Types:
  Cash or real-time: the cash transaction is completed with the exchange of electronic currency, e.g. e-cash
  Debit or pre-paid: users have to pay in advance for any product or service, e.g. smart cards and electronic purses
    A smart card is a plastic card about the size of a credit card, with an embedded microchip that can be loaded with data, used for telephone calling, electronic cash payments, and other applications, and then periodically refreshed for additional use
    An electronic purse is a variant of the smart card which contains credit/debit applications
  Credit or post-paid: a central server verifies the customer and checks with the bank whether funds are sufficient before any interchanges are made

E-cash or Digital Cash


Form of electronic payment system based on encryption
Before a product is bought or services availed, cash is obtained from a currency server
Safety of e-cash is scrutinized by digital signature
To purchase e-cash:
  Establishing an account
  Keeping an adequate amount of money in the bank to back the purchase

Working of E-cash
[Figure: parties are the Consumer, Consumer Bank, Currency Server, Merchant and Merchant's Bank. Steps: 1. Request to obtain; 2. Transfer money; 3. Send e-cash; 4. Send e-cash; 5. Delivery of goods; 6. Return e-cash; 7. Credit merchant account]

Electronic Cheques
Programmed to accept individuals or groups who prefer to pay on credit or through some method other than cash
Functions as a message to the sender's bank to transfer funds; the message is given to the receiver, who in turn endorses the cheque and presents it to the bank to obtain funds

Working of e-cheques
[Figure: parties are the Consumer Browser, Merchant system, Consumer's Bank, Merchant's Bank and Clearing House. Steps: 1. Accesses server and presents goods; 2. Selects goods and pays e-cheque; 3. Validates cheques; 4. Closes transaction; 5. Forward to bank; 6. Forward cheque; 7. Forward cheque; 8. Account update]

Smart cards
They contain microprocessors that are able to hold more information than cards based on traditional magnetic strips
2 types of smart cards:
  Relationship-based smart credit card
  Electronic purse and debit cards
    Smart cards with programmable microchips that store a specified monetary value inside them
    When the balance on a purse is empty, it can be recharged with more money

Relationship based smart credit card


A customer is able to access many accounts such as credit, debit, investments or stored value of e-cash
Payment of bills, transfer of funds and access to cash are made possible
Can also provide access to ATMs, interactive TVs, PCs, etc.

Credit Card
When a customer buys a product or avails a service, the details of the credit card are given to the seller of goods or to the service providers involved
The credit card provider makes the payment
Credit card transactions simply require that the consumer have a legitimate credit card number, expiration date and a PIN (Personal Identification Number)
The PIN prevents misuse of the card in case it is stolen
Credit card systems can be divided into 3 categories:
  Payment by furnishing details of the credit card
  Payment by providing encrypted details of the credit card
  Payment made on the basis of verification by a third party
