E-Commerce

E-commerce Security and

Payment Systems

Dr. Mufassra Naz

 Cyberwar
n What is the difference between hacking and
cyberwar?
n Why has cyberwar become more potentially
devastating in the past decade?
n Why has Google been the target of so many
cyberattacks?
n Is it possible to find a political solution
The E-commerce Security Environment
 Dimensions of E-commerce Security
n Integrity ensures that info sent and received has not
been altered by unauthorized party
n Nonrepudiation ability to ensure that participants do
not deny (repudiate) their online actions
n Authenticity ability to identify the person’s identity
with whom you are dealing with over the internet
n Confidentiality authorized to be seen by those who
should view it
n Privacy ability to control who sees your info
n Availability e-commerce site functions as intended
 The Tension Between Security and Other Values
n Ease of use
v The more security measures added, the more
difficult a site is to use, and the slower it
becomes
v Security costs money and too much of it can
reduce profitability
n Public safety and criminal uses of the
Internet
v Use of technology by criminals to plan crimes or
threaten nation-state
 Security Threats in E-commerce Environment
n Three key points of susceptibility in
e-commerce environment:
1. Client
2. Server

3. Communications pipeline (Internet

communications channels)
A Typical E-commerce Transaction
Vulnerable Points in an E-commerce
Transaction
 Most Common Security Threats in the
E-commerce Environment
n Malicious code (malware, exploits)
v Drive-by downloads malware that comes with a
downloaded file the user intentionally or unintentionally
request Viruses
v Worms spread from computer to compter without
human intervention
v Ransomware a software of cyber criminals use to block
your own data. It encrypt the files on your system and
add extensions to the attacked data and hold it “hostage”.
v Trojan horses appear benign but is a way to introduce
viruses into a computer system
v Threats at both client and server levels
 Most Common Security Threats in the
E-commerce Environment
n Malicious code (malware, exploits)
v Backdoors introduce viruses, worms, etc. that allow an
attacker to remotely access a computer
v Botnets are a collection of captured bot computers or
zombies used to send spam, DDoS attacks, steal
information from computers, and store network traffic
for later analysis.
v Bots, as in robots, are malicious code that can be
covertly installed on a computer when connected to the
internet. Once installed, they respond to external
commands from the attacker
 Most Common Security Threats (cont.)
n Potentially unwanted programs (PUPs)
v Example Vista antispyware 2013 infects computers running Vista
v Browser parasites changes your computer settings
v Adware displays calls for pop-up ads when you visit sites
v Spyware may be used to obtain information such as keystrokes,
email, IM etc.

n Phishing
v Social engineering relies on human curiosity, greed, and gullibility
to trick users into taking action that results into downloading
malware
v E-mail scams
v Spear-phishing spear phishing messages appear to come from a
trusted source
v Identity fraud/theft
 Most Common Security Threats (cont.)
n Hacking
v Hackers gain unauthorized access
n White hat role is to help identify and fix
vulnerabilities
n Black hat intent on causing hard
n Grey hat breaks in to expose flaws and report them
without disrupting the company. They may even try
to profit from the event
v Crackers have criminal intent
v Hacktivist are politically motivated (Green
Peace)
 Most Common Security Threats (cont.)
n Cyber-vandalism:
v Disrupting, defacing, destroying Web site
n Data breach
v Losing control over corporate information to
outsiders
 Most Common Security Threats (cont.)
n Credit card fraud/theft
n Spoofing involves attempting to hide a true identity
by using someone else’s email or IP address
n Pharming automatically directing a web link to a fake
address
n Spam (junk) Web sites (link farms) promise to offer
products but are just full of ads
n Identity fraud/theft involves unauthorized/illegal
use of another person’s data
 Most Common Security Threats (cont.)
n Denial of service (DoS) attack Hackers flood site with
useless traffic to overwhelm network
n Distributed denial of service (DDoS) attack uses
numerous computers to launch attacks on sites or
computers systems. The attack comes from several
locations
 Most Common Security Threats (cont.)
n Sniffing, a sniffer is a type of eavesdropping program
that monitors information traveling over a network
n Insider attacks caused by employees
n Poorly designed server and client software leads to SQL
injection attacks by taking advantage of poorly coded
applications that fails to validate data entered by web users
n Zero-Day vulnerability software vulnerability that is reported
or unreported but no current fix exists
n Social network security issues like forgetting to log out,
connecting with strangers, exposing too much information
 Most Common Security Threats (cont.)
n Mobile platform security issues
v Vishing works like phishing but does not always occur
over the Internet and is carried out using voice
technology. Vishing attacks are a type of social
engineering fraud where a fraudster convinces the user
to provide critical information over the phone.
v Smishing exploits SMS/text messages that may contain
links and other personal info that may be exploited
v Madware is innocent looking apps containing adware
that launches unwanted pop-up ads and text messages
on you mobile device (mobile + adware = madware)
n Cloud security issues example, DDoS attacks threaten the
availability and viability of cloud services
 Technology Solutions
n Protecting Internet communications
v Encryption altering plain text so that it cannot be read
by anyone other than the sender & receiver
v It provides security for 4 of 6 security dimensions
n Integrity by ensuring the messages has not been
tampered with
n Nonrepudiation by preventing users from denying
they sent the message
n Authentication by verifying the person’s identity or
computer sending the message
n Confidentiality by ensuring the message was not
read by others
 Types of Encryption
n Cipher is disguised way of writing; a code where
letters of the message are replaced systematically by
another letter
n Transportation cipher ordering the letters in some
systematic way e.g., reverse order, or 2 letters ahead
n Symmetric key both sender and receiver use the
same key to encrypt and decrypt the message. The
key is sent over a secure line or exchanged in person
 Symmetric Key Encryption
n Sender and receiver use same digital key to encrypt and
decrypt message
v Requires sophisticated mechanisms to securely
distribute the secret-key to both parties
n Requires different set of keys for each transaction
n Strength of encryption
v Length of binary key used to encrypt data
n Data Encryption Standard (DES)
n Advanced Encryption Standard (AES)
v Most widely used symmetric key encryption
v Uses 128, 192, and 256-bit encryption keys
n Other standards use keys with up to 2,048 bits
 Types of Encryption
n Public Key there are two mathematically related keys,
a public key and private key.
v Private key kept secretly by owner and public key disseminated to the
public.
v Both keys are used to encrypt and decrypt the message. Once the keys
are used, they can no longer be used to unencrypt the message.
n Hash function creates a fixed length number that
replaces the original message, then the hash is used to
recreate the message on the recipient side
n Digital signature is a signed cipher text sent over the
internet
 Types of Encryption
n Digital envelope uses symmetric encryption for large
docs
n Digital certificate (DC) issues by trusted 3rd party
known as certification authority that contains (the
subject name, public key, digital cert serial #, exp date,
issuance date and digital signature)
v There are various types of certs (personal, institutional, web server,
software publ, and Certificate Authority (CA))
n Key infrastructure (PKI) when you sign into a secure
site you see the “s” or the lock which means the site
has a digital certificate issued by a CA
 Technology Solutions
n Securing channels of communication
v Secure Socket Layer; a secure negotiated
session is a client server session in which the
URL of the requested doc, its contents, and
cookies are encrypted
n A unique symmetric encryption session key is
chosen for each session
v VPNs allow computers to securely communicate
via tunneling by adding invisible encrypted
wrappers around messages to hide their
contents
 Technology Solutions
n Protecting networks
v Firewalls are hard/software that filters
communication packets and prevent
unauthorized access
v They filter traffic based on packets, IP address,
type of service http, www, domain name etc
 Protecting Servers and Clients
n Operating system security
enhancements
v Upgrades, patches

n Anti-virus software
v Easiest and least expensive way to prevent
threats to system integrity
v Requires daily updates
 A Security Plan: Management Policies
n Risk assessment
n Security policy
n Implementation plan
v Security organization
v Access controls
v Authentication procedures, including biometrics
v Authorization policies, authorization management
systems
n Security audit provides ability to audit access
logs for security breaches and unauthorized
use
Developing an E-commerce Security Plan
E- Payment System
 Types of Payment Systems
n Cash
v Most common form of payment
v Instantly convertible into other forms of value
v No float

n Checking transfer
v Second most common payment form in United States

n Credit card
v Credit card associations (VISA, Mastercard)
v Issuing banks
v Processing centers are clearing houses.
 Types of Payment Systems (cont.)
n Stored value
v Funds deposited into account, from which funds
are paid out or withdrawn as needed (PayPal)
v Debit cards, gift certificates
v Peer-to-peer payment systems (PayPal)

n Accumulating balance
v Accounts that accumulate expenditures and to
which consumers make period payments
v Utility, phone
 Payment System Stakeholders
n Consumers
v Low-risk, low-cost, refutable, convenience, reliability

n Merchants
v Low-risk, low-cost, irrefutable, secure, reliable

n Financial intermediaries
v Secure, low-risk, maximizing profit

n Government regulators
v Security, trust, protecting participants and enforcing
reporting
 E-commerce Payment Systems
n USA
v 53% of online payments via credit / debit cards

n Europe
v 49% of online payments via credit / debit cards

n Limitations of online credit card

payment
v Security, merchant risk
v Cost
v Social equity
How an Online Credit Transaction Works
 Alternative Online Payment Systems
n Online stored value systems:
v Based on value stored in a consumer’s bank,
checking, or credit card account
v Example: PayPal

n Other alternatives:
v Amazon Payments
v Google Pay (checkout / wallet)
v Bill Me Later (Now PayPal)
 Digital Cash / Virtual Currency
n Digital cash
v Based on algorithm that generates unique
tokens that can be used in “real” world
v The most successful and widely-used form
of digital money is the cryptocurrency Bitcoin.
v Digital money is exchanged using technologies
such as smartphones, credit cards, and online
cryptocurrency exchanges.
v In some cases, it can be transferred into
physical cash, for example by withdrawing cash
from an ATM.
 Electronic Billing Payment and
Presentment (EBPP)
n Online payment systems for monthly bills
n 50% of all bill payments
n Two competing EBPP business models:
v Biller-direct (dominant model)
v Consolidator or 3rd party like your bank

n Both models are supported by EBPP

infrastructure providers