09 Security and Payment Systems

Bachelor: E-Commerce
9. Security and Payment Systems

Prof. Dr. Jella Pfeiffer
BWL XII: Digitalisierung, E-Business und Operations Management
BWL XII: Digitalisierung, E-Business und Operations

Prof. Dr. Jella Pfeiffer 1
Management
JUSTUS-LIEBIG-UNIVERSITÄT GIESSEN
Learning Goals
• Understand the scope of E-Commerce crime

and security problems, the key dimensions of
E-Commerce security, and the tension
between security and other values.
• Identify the key security threats in the
E-Commerce environment.
• Describe how technology helps secure
internet communication channels and protect
networks, servers, and clients.
• Identify the major E-Commerce payment
systems in use today.

Management
Structure of Class
AND BEYOND
STAYING New Trends in

SUCCESSFUL E-Commerce (VR, AR,
BECOMING mobile)
SUCCESSFUL How to stay safe and

secure in the e-
WHAT TO DO commerce
How to implement and
measure an e-commerce environment?
HOW DOES IT What is offered in business‘ success? Security and Payment
e-commerce? Implementation and User System
WORK Products and Services Evaluation
in Electronic How do companies
How does it Commerce How do customers digitally trade with one
technically work? behave and what do we another?
Technologies, How do e-commerce learn from their reviews? B2B Commerce
Standards and companies create Customers in E-
Architecture value? Commerce
E-Commerce Business
Models How to get the
customer‘s attention?
E-Commerce Marketing
and Advertising
© Katemangostar/Freepik
Management
Case: The rise of the global cyberattack

 WannaCry and NotPetya Read Case: Laudon and Traver (2019) pp. 232 - 235
 Are ransomware:
 Programs that infiltrate information systems and encrypt these
 The key for this encryption is released only after a ransom (usually in bitcoin) has been paid
 WannaCry affected
• ticket vending machines in Germany
• Renault manufacturing plants in France, and the
• NHS (National Health Service) in the UK
- 19,000 appointments were canceled or postponed
- entire hospitals had to close down for days
 NotPetya
 Is similar to WannaCry but it is a wiper
 it appears that offenders never intended to decrypt affected systems again, i.e., all data are lost
 Both WannaCry and NotPetya made use of an error in Windows which the National Security Agency in
the US knew about already, but never released to Microsoft

Management
Motivation
 Cyber crime
 Offenders apply schemes known from legal E-Commerce practices
• Offenders work on their reputation (e.g., group behind Wannacry)
• But “black sheep” take advantage of other’s reputation (e.g. group behind NotPetya - i.e., a
wiper)
• Malware kits as a service
• Pay per install (of malware at victims’ systems)
• Offenders provide help (e.g., online chats/hotlines) to guide victims through the “check-out
process”
 Estimations say that ≥50% of larger corporations and administrations pay ransom
https://www.heise.de/select/ct/2018/2/1515455905443518
last accessed 2019 12 02
https://www.heise.de/security/meldung/Petya-NotPetya-Kein-
Erpressungstrojaner-sondern-ein-Wiper-3759293.html last
accessed 2019 12 02

Management
Motivation
 Prices for online banking login details
 25 USD for US bank accounts
(line of credit 10,000 USD)
 175 USD for German bank account
(line of credit 7,500 USD)
 (the higher the credit rating of a victim
the higher the price for the details)
 Prices for distributed denial of service attacks
 25 USD per hour for “conventional”
websites with installed DDoS
countermeasures
 150 USD per hour for military/
governmental and banking websites
 Prices for exploit kits (e.g., ransomware kits)
 daily rental $80-$100 https://www.heise.de/newsticker/meldung/Studie-zu-Darknet-Preisen-
 weekly rental $500-$700 Daten-von-Europaeern-sind-teuer-4560072.html last accessed 2019 12 02
https://www.heise.de/newsticker/meldung/Mit-Arbeitsvertrag-und-
Hotline-Drogenhandel-im-Netz-wird-professioneller-4544310.html last
 monthly rental $1,400-$2,000 accessed 2019 12 02

Management
Agenda
• 1 The E-Commerce security environment
• 2 Security threats in E-Commerce
• 3 Security countermeasures in E-Commerce
• 4 E-Commerce payment systems
7
The E-Commerce security environment
 Scope of the problem

Overall size of and losses due to cybercrime unclear
• Global economic impact of cybercrime and cyberespionage between
$455 billion to $600 billion
• Reports by security product providers indicate increasing cybercrime
Online credit card fraud one of the most high-profile forms
 Underground economy marketplaces sell stolen information,
malware and more
Laudon and Traver (2019) pp. 232 - 318

Management
How to achieve good E-Commerce security?

The E-Commerce security environment:
Other factors
 Time value of information
 Cost of security versus potential loss
 Security often breaks at weakest link

Management
Perspectives on different dimensions of

E-Commerce security
Dimension Customer’s Perspective Merchant’s Perspective
Has data on the site been altered without
Has information I transmitted or
Integrity authorization? Is data being received from customers
received been altered?
valid?
Non- Can a party to an action with me later deny taking the
Can a customer deny ordering products?
repudiation action?
Who am I dealing with? How can I be assured that the
Authenticity What is the real identity of the customer?
person or entity is who they claim to be?
Can someone other than the intended recipient read Are confidential data accessible to anyone other than
Confidentiality
my messages? those authorized to view them?
What use can be made of the personal data collected
Can I control the use of information about myself
Privacy as part of an E-Commerce transaction? Is it being used
transmitted to an E-Commerce merchant?
in an unauthorized manner?
Availability Can I get access to the site? Is the site operational?
Laudon and Traver (2019) pp. 241-242

Management
The tension between security and other values
Ease of use Public safety and criminal

The more security measures uses of the Internet
added, the more difficult a Use of technology by
site is to use, and the slower criminals to plan crimes or
it becomes threaten nation-state
https://www.bbc.com/news/business-51115645

Management
Action Time

Management
Agenda
14
Security threats in the E-Commerce environment

Three key points of vulnerability in E-Commerce environment:
 Client
 Server
 Communications pipeline (Internet communications channels)

Management
Insider attacks
Largest threat to business institutions come from insider embezzlement
 Bank employees steal a lot more money than bank robbers
 This holds for E-Commerce employees
 Employee access to privileged information
 Poor security procedures
=> Insiders more likely to be source of attacks than outsiders
Laudon and Traver (2019) p. 260

Management
Outsider attacks
 Hackers versus crackers
 Hacker: someone who aims to gain unauthorized access to a system
 Cracker: same as a hacker, but with criminal intent
 Note: often times both terms are used interchangeably
 White hats and tiger teams
 “good hackers”, companies hire these to test own security setup
 Grey hats
 Pursue the same activities as white hats but without any compensation
 Grey hats discover weaknesses and publish these without disrupting any system
 Sometimes hacktivists (hackers with a political agenda) are referred to as grey hats (e.g.,
WikiLeaks)
 Black hats
 Hackers with malicious intentions, such as: data breaches and cybervandalism (i.e., disrupting,
defacing, destroying web sites)
Laudon and Traver (2019) pp. 252-253

Management
Some selected security threats

 Phishing
 Thefts and Frauds
 Malicious code
 Potentially Unwanted Programs (PUPS)
 Denial of service (DoS) and distributed denial of service (DDoS) attacks

Management
Phishing
Phishing D
Any deceptive, online attempt by a third party
to obtain confidential information for financial
gain. Laudon and Traver (2019) p. 250
 Tactics
 Social engineering
 E-mail scams and business e-mail compromise
phishing
 Spear phishing
 Used for identity fraud and theft

Management
Thefts and frauds

Data breaches
Organization’s loss of control over sensitive information to outsiders
 E.g., Yahoo and Facebook
 Leading causes
 Hacking (60% of breaches)
 Unauthorized access (11%)
 Employee error/negligence (10%)
Credit card fraud/theft

Stolen credit card incidences about 0.9% of web transactions and about 0.8% of mobile
transactions
 Leading causes
 Hacking and looting of corporate servers
 Central security issue
 establishing customer identity (e.g., e-signatures, multi-factor authentication, fingerprint identification)
Laudon and Traver (2019) p. 253-256
Management
Action Time

Management
Malicious code
 Exploits and exploit kits
 Drive-by downloads
 Viruses/worms/Trojan horses
 Ransomware
 Backdoors
 Bots, botnets
 Malvertising
 online ads (e.g. within an app) that contain malicious code, or
 link to malicious websites

Management
Potentially Unwanted Programs (PUPS)

 Rogue Security Software
 Browser parasites
 Monitor and change user’s browser
 Adware
 Used to call pop-up ads
 Spyware
 Tracks users keystrokes, e-mails, IMs, etc.
 Bitcoin miner software

Management
Denial of service (DoS) and distributed denial of

service (DDoS) attacks
 Denial of service (DoS) attack
 Flooding website with pings and page request
 Overwhelm and can shut down site’s web servers
 Often accompanied by blackmail attempts
 Botnets
 Distributed denial of service (DDoS) attack

 Uses hundreds or thousands of computers to attack target network
 Can use devices from Internet of Things (e.g., fridges, etc.), mobile devices
 DDoS smoke-screening
 Threat to cloud services

Management
Internet of things security issues

 Challenging environment to protect
 Vast quantity of interconnected links
 Near identical devices with long service lives
 Many devices have no upgrade features
 Little visibility into workings, data, or security
 => any digital system is vulnerable to attacks
Watch minute 10:00 to 13:30:

https://www.youtube.com/watch?v=JSWPoeBLFyQ

Management
Optional Reading
Case: Think your smartphone is secure?
Laudon and Traver (2019) p. 264-

265
https://www.theguardian.com/technology/2020/jan/21/am
azon-boss-jeff-bezoss-phone-hacked-by-saudi-crown-prince

Management
Action Time

Management
Agenda
30
Technology solutions available to secure

E-Commerce
 Protecting Internet
communications
 Encryption
 SSL, TLS, VPN, Wi-Fi
 Protecting networks,
servers and clients
 Firewalls, proxy servers, IDS,
IPS
 OS security, anti-virus
software

Management
Cryptography
Encryption
 Transforms data into cipher text readable only by those with the right keys
 Secures stored information and information transmission
 Provides 4 of 6 key dimensions of E-Commerce security:
 Integrity
 Nonrepudiation
 Authentication
 Confidentiality
plain text cipher text plain text

encryption decryption

Management
Symmetric key cryptography

 Sender and receiver use same key for (de-)cryption
 Strength and weaknesses
 Comparatively short binary keys provide strong security
 Difficult to exchange keys (securely)
Alice Bob
K Puplic environment
M=Message
Secure channel Ek= Encryption with Key K
Dk= Decryption with Key K
M EK(M ) M=DK(EK (M ))

Management
Public key cryptography (a.k.a. asymmetric key

cryptography)
 Uses two mathematically related digital keys and one-way irreversible
function
 Public key (widely disseminated), PK
 Private/Secret key (kept secret by the owner), SK
 Usually with the public key cryptography
 Sender uses a recipient’s public key to encrypt a message, and
 Recipient uses his/her private key to decrypt the message
Alice Bob
Puplic environment PK Secret Key (SK)
M EPK( M ) M =DSK(EPK(M ))
Management
Secure negotiated session in E-commerce (SSL/TLS)

with assymetric enrcyption with Session Key
Bob
Alice
K PK SK (secret key)
asymmetric Ea,PK(K ) asymmetric

encryption decryption K = Da,SK(Ea,PK(K ))
M symmetric Es,K(M ) symmetric M =Ds,K (Es,K(M ))

M=Message
K= session key
Ea,PK(K)= assymetric encryption with key PK of session key
key K
Management
Public key cryptography using digital signatures

and hash digests
Sender
1. applies a mathematical algorithm (hash function) to a message
2. encrypts the message + hash with recipient’s public key
3. encrypts the already encrypted message with his/her own private key (by this means the
sender creates a digital signature to ensure authenticity, and nonrepudiation)
Recipient
1. uses the sender’s public key and
2. uses his/her own private key to decrypt the hash result and the message

Management
Protecting networks
Firewall
 Hardware or software that uses security
policy to filter packets
Proxy servers (proxies)
 Software servers that handle all
communications from or sent to the
internet
Intrusion detection systems (IDS)
Intrusion prevention systems (IPS)

Management
Securing Channels of Communication

• Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
• Establishes secure, negotiated client-server session
• Virtual Private Network (VPN)
• allows remote users to securely access internal network via the Internet
• uses both authentication and encryption
• VPN protocol establishes the link between client to the corporate network as
if user had dialed into the corporate network directly
• Wireless (Wi-Fi) networks
• WPA2
• WPA3

Management
Protecting servers and clients
 Operating system security enhancements

 Upgrades, patches
 Anti-virus software
 Easiest and least expensive way to prevent threats to system integrity
 Requires daily updates
Laudon and Traver (2019) pp. 232 - 318 (ch. 4)

Management
Optional Reading
Case: Are biometrics the solution for E-Commerce

security?
 Biometrics such as a face scan and fingerprints are
 unique and
 easy to use Laudon and Traver (2019) p. 285-286
 What do you think?
“The fingerprints of over 1 million people, as well as facial recognition

information, unencrypted usernames and passwords, and personal
information of employees, was discovered on a publicly accessible
database for a company used by the likes of the UK Metropolitan
police, defense contractors and banks.” The Guardian, Aug 2019
https://www.theguardian.com/technology/2019/aug/
14/major-breach-found-in-biometrics-system-used-
by-banks-uk-police-and-defence-firms last accessed
2019 12 02
Management
Agenda
41
E-Commerce payment systems

 In the U.S., credit and debit cards
are the primary online payment
methods
 Different in other countries
 Limitations of online credit card
payment
 Security, merchant risk
 Cost
 Social equity
Which of the following methods do you

prefer to use when you pay for a product
you've bought online? (German market)
Laudon and Traver (2019) pp 292
https://www.statista.com/statistics/434341/e-commerce-
popular-payment-methods-germany/
Management
The process of an online credit card transaction

1. Consumer makes purchase
2. SSL/TLS provides secure connection
through internet to merchant server
3. Merchant software from the merchant
server contacts clearinghouse through a
secure line
4. Clearinghouse verifies account and
balance with consumer’s card issuing bank
5. The issuing bank credits merchant
account in the merchant bank
6. The issuing bank issues a monthly
statement with debit for purchase to the
consumer.
Management
Alternative online payment systems

 Online stored value systems:
 Based on value stored in a consumer’s bank, checking, or credit card account
 Example: PayPal, Amazon Pay, Visa Checkout, Mastercard’s MasterPass, Dwolla, ...
 Payment with mobile devices (e.g., phones, watches, ...)
 Established in Europe and Asia
 Expanding in United States
 Based on near field communication (NFC) technology
 Types
Universal proximity mobile wallets, e.g., Apple Pay, Google Pay, Samsung Pay, PayPal Mobile,
etc.
Branded store proximity wallets, e.g., by Walmart, Target, Starbucks, etc.
P2P mobile payment apps, e.g., as Zelle, Venmo
 Payment with mobile service, e.g., WeChat, Whatsapp, ...
Management
Optional Reading
Case: Alipay and WeChat Pay
 Chinese tech companies Alibaba and
Tencent lead the mobile payment market
 96% of Chinese consumers used a mobile
payment app within the last six months
and 85% prefer them to other payment
methods
https://www.businessinsider.nl/alipay-wechat-pay-
china-mobile-payments-street-vendors-musicians-
2018-5/?international=true&r=US

Management
Cryptocurrencies
 Examples
 Bitcoin, Ethereum/Ether, Ripple, Litecoin, Monero, ...
 Cryptocurrencies
 are a purely digital medium of exchange
 are based on blockchain technology and cryptography
 are (slowly) gaining acceptance, and
 have been banned by some governments, due to
 wide fluctuations of their value, and due to
 major issues with theft and fraud

Management
Summary
Security and Payment Systems
 security is complex: it requires three main elements: special
technology, organizational rules and procedures, and laws and
industry standard
 you learned about
 the scope of E-Commerce crime and security problems,
 that any digital information system can be compromised, and about
 the key dimensions of E-Commerce security,
 and the tension between security and other values.
 Further we discussed
 means to secure data and online communication and
 major E-Commerce payment systems in use today
Outlook:
 B2B-Business

Management
Readings and Literature

Readings
Laudon, K. C., and Traver, C.G. 2019. E-commerce 2019: business. technology. society (15th global ed.).
Pearson, pp. 232 – 318
Literature
Fottrell, Q. (2019) Silicon Valley’s final frontier for payments ‘The neoliberal takeover of the human body’.
MarketWatch.
https://www.marketwatch.com/story/the-technology-that-should-finally-make-your-wallet-obsolete-2019-09-06/print

Management
Thanks for Your Attention

Management
Blockchain
 Blockchain
 Permits to create and verify transactions nearly
instantaneously using a distributed peer-to-peer
database
 Reduces costs of verifying users, validating
transactions, and risks of storing and processing
transaction information
 Transactions cannot be altered retroactively and
therefore are more secure
 Blockchain is the foundation technology for

 cryptocurrencies
 supply chain management
 potential applications in financial services and
healthcare industries
Management

09 Security and Payment Systems

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

09 Security and Payment Systems

Uploaded by

Copyright:

Available Formats

Bachelor: E-Commerce

9. Security and Payment Systems

BWL XII: Digitalisierung, E-Business und Operations

• Understand the scope of E-Commerce crime

BWL XII: Digitalisierung, E-Business und Operations

STAYING New Trends in

SUCCESSFUL How to stay safe and

Case: The rise of the global cyberattack

BWL XII: Digitalisierung, E-Business und Operations

BWL XII: Digitalisierung, E-Business und Operations

BWL XII: Digitalisierung, E-Business und Operations

• 2 Security threats in E-Commerce

• 3 Security countermeasures in E-Commerce

• 4 E-Commerce payment systems

The E-Commerce security environment

 Scope of the problem

Laudon and Traver (2019) pp. 232 - 318

BWL XII: Digitalisierung, E-Business und Operations

How to achieve good E-Commerce security?

Laudon and Traver (2019) pp. 232 - 318

BWL XII: Digitalisierung, E-Business und Operations

Perspectives on different dimensions of

BWL XII: Digitalisierung, E-Business und Operations

The tension between security and other values

Ease of use Public safety and criminal

Laudon and Traver (2019) pp. 242 - 243

BWL XII: Digitalisierung, E-Business und Operations

BWL XII: Digitalisierung, E-Business und Operations

• 2 Security threats in E-Commerce

• 3 Security countermeasures in E-Commerce

• 4 E-Commerce payment systems

Security threats in the E-Commerce environment

BWL XII: Digitalisierung, E-Business und Operations

=> Insiders more likely to be source of attacks than outsiders

Laudon and Traver (2019) p. 260

BWL XII: Digitalisierung, E-Business und Operations

BWL XII: Digitalisierung, E-Business und Operations

Some selected security threats

BWL XII: Digitalisierung, E-Business und Operations

BWL XII: Digitalisierung, E-Business und Operations

Thefts and frauds

Credit card fraud/theft

BWL XII: Digitalisierung, E-Business und Operations

Laudon and Traver (2019) p. 244-248

BWL XII: Digitalisierung, E-Business und Operations

Potentially Unwanted Programs (PUPS)

Laudon and Traver (2019) p. 248-249

BWL XII: Digitalisierung, E-Business und Operations

Denial of service (DoS) and distributed denial of

 Distributed denial of service (DDoS) attack

BWL XII: Digitalisierung, E-Business und Operations

Internet of things security issues

Watch minute 10:00 to 13:30:

BWL XII: Digitalisierung, E-Business und Operations

Laudon and Traver (2019) p. 264-

BWL XII: Digitalisierung, E-Business und Operations

BWL XII: Digitalisierung, E-Business und Operations

• 2 Security threats in E-Commerce

• 3 Security countermeasures in E-Commerce

• 4 E-Commerce payment systems

Technology solutions available to secure

BWL XII: Digitalisierung, E-Business und Operations

plain text cipher text plain text