Learning Goals
Structure of Class
Ransomware:
programs that infiltrate information systems and encrypt the data stored on them
the key needed to decrypt the data is released only after a ransom (usually in bitcoin) has been paid
WannaCry affected
• ticket vending machines in Germany
• Renault manufacturing plants in France, and the
• NHS (National Health Service) in the UK
- 19,000 appointments were canceled or postponed
- entire hospitals had to close down for days
NotPetya
is similar to WannaCry, but is a wiper:
it appears the offenders never intended to decrypt the affected systems, i.e., all encrypted data are lost
Both WannaCry and NotPetya exploited a vulnerability in Windows that the US National Security Agency had known about and kept to itself instead of reporting it to Microsoft
Motivation
Cyber crime
Offenders apply schemes known from legitimate E-Commerce practice:
• offenders work on their reputation (e.g., the group behind WannaCry)
• but “black sheep” take advantage of others’ reputation (e.g., the group behind NotPetya, which is a wiper and cannot give the data back)
• malware kits as a service
• pay per install (of malware on victims’ systems)
• offenders provide help (e.g., online chats/hotlines) to guide victims through the “check-out process”
Estimates suggest that ≥50% of larger corporations and public administrations pay the ransom
https://www.heise.de/select/ct/2018/2/1515455905443518 last accessed 2019 12 02
https://www.heise.de/security/meldung/Petya-NotPetya-Kein-Erpressungstrojaner-sondern-ein-Wiper-3759293.html last accessed 2019 12 02
Motivation
Prices for online banking login details
• 25 USD for a US bank account (line of credit 10,000 USD)
• 175 USD for a German bank account (line of credit 7,500 USD)
(the higher the credit rating of the victim, the higher the price for the details)
Prices for distributed denial of service attacks
• 25 USD per hour for “conventional” websites with installed DDoS countermeasures
• 150 USD per hour for military, governmental and banking websites
Prices for exploit kits (e.g., ransomware kits)
• daily rental $80-$100
• weekly rental $500-$700
• monthly rental $1,400-$2,000
https://www.heise.de/newsticker/meldung/Studie-zu-Darknet-Preisen-Daten-von-Europaeern-sind-teuer-4560072.html last accessed 2019 12 02
https://www.heise.de/newsticker/meldung/Mit-Arbeitsvertrag-und-Hotline-Drogenhandel-im-Netz-wird-professioneller-4544310.html last accessed 2019 12 02
JUSTUS-LIEBIG-UNIVERSITÄT GIESSEN
Other factors
Time value of information
Cost of security versus potential loss
Security often breaks at weakest link
https://www.bbc.com/news/business-51115645
Action Time
Insider attacks
The largest threat to businesses comes from insider embezzlement
Bank employees steal far more money than bank robbers
The same holds for E-Commerce employees
Enabling factors:
• employee access to privileged information
• poor security procedures
Outsider attacks
Hackers versus crackers
Hacker: someone who aims to gain unauthorized access to a system
Cracker: same as a hacker, but with criminal intent
Note: often times both terms are used interchangeably
White hats and tiger teams
“good hackers”: companies hire them to test their own security setup
Grey hats
pursue the same activities as white hats, but without being hired or compensated
grey hats discover weaknesses and publish them without disrupting any system
sometimes hacktivists (hackers with a political agenda) are referred to as grey hats (e.g., WikiLeaks)
Black hats
Hackers with malicious intentions, such as: data breaches and cybervandalism (i.e., disrupting,
defacing, destroying web sites)
Laudon and Traver (2019) pp. 252-253
Phishing
Phishing: any deceptive, online attempt by a third party to obtain confidential information for financial gain. Laudon and Traver (2019) p. 250
Tactics
Social engineering
E-mail scams and business e-mail compromise
phishing
Spear phishing
Used for identity fraud and theft
Action Time
Malicious code
Exploits and exploit kits
Drive-by downloads
Viruses/worms/Trojan horses
Ransomware
Backdoors
Bots, botnets
Malvertising
online ads (e.g. within an app) that contain malicious code, or
link to malicious websites
Optional Reading
Case: Think your smartphone is secure?
https://www.theguardian.com/technology/2020/jan/21/amazon-boss-jeff-bezoss-phone-hacked-by-saudi-crown-prince
Action Time
Cryptography
Encryption
Transforms data into cipher text readable only by those with the right keys
Secures stored information and information transmission
Provides 4 of 6 key dimensions of E-Commerce security:
Integrity
Nonrepudiation
Authentication
Confidentiality
Symmetric encryption (Alice and Bob share one key K)
K is exchanged over a secure channel; messages travel over the public environment
M = message; E_K = encryption with key K; D_K = decryption with key K
Alice sends E_K(M); Bob recovers M = D_K(E_K(M))
Asymmetric encryption (Bob has a public key PK and a secret key SK)
Alice encrypts with Bob's public key and sends E_PK(M); Bob decrypts with his secret key: M = D_SK(E_PK(M))
BWL XII: Digitalisierung, E-Business und Operations Management, Prof. Dr. Jella Pfeiffer
Hybrid encryption (a symmetric session key wrapped asymmetrically)
K = session key; PK, SK = Bob's public and secret key; M = message
E_a,PK(K) = asymmetric encryption of the session key K with Bob's public key PK
Alice sends E_a,PK(K) together with E_K(M); Bob recovers K with SK and then M with K
Recipient
1. uses his/her own private key to decrypt the message (or the session key that protects it), and
2. uses the sender's public key to decrypt the signed hash result and compares it with a freshly computed hash of the message; a match confirms integrity and the identity of the sender (nonrepudiation)
Protecting networks
Firewall
hardware or software that uses a security policy to filter packets
Proxy servers (proxies)
software servers that handle all communications sent from or to the internet
Intrusion detection systems (IDS)
Intrusion prevention systems (IPS)
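What "uses a security policy to filter packets" means in practice, as an added example that is not part of the slides: an ordered rule list evaluated first-match-wins with an implicit default deny, the way packet-filtering firewalls work. The addresses, rules and packets are constructed for illustration (documentation ranges), and the filter is stateless, so it shows policy evaluation, not connection tracking.

```python
"""Added example: a minimal stateless packet filter with an ordered policy and default deny.
Rules, addresses and packets are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str        # source IPv4 address
    dst: str        # destination IPv4 address
    dport: int      # destination port


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"        # CIDR; default matches every source
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None   # None = any destination port
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("any", pkt.proto)
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport))


# Constructed policy for an internet-facing filter. Order matters: the anti-spoofing
# rule comes first so that a private source address can never reach an allow rule.
POLICY: List[Rule] = [
    Rule("deny", src="10.0.0.0/8", comment="private source address arriving from the internet: spoofed"),
    Rule("allow", "tcp", dst="203.0.113.10/32", dport=443, comment="public web shop over HTTPS"),
    Rule("allow", "tcp", src="198.51.100.0/24", dst="203.0.113.20/32", dport=22,
         comment="admin SSH only from the office range"),
    # anything not matched above falls through to the implicit default deny
]


def filter_packet(pkt: Packet, policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Return (action, reason) for the first matching rule, or default deny."""
    for rule in policy:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "deny", "default deny"


if __name__ == "__main__":
    for p in (Packet("tcp", "192.0.2.5", "203.0.113.10", 443),
              Packet("tcp", "10.1.2.3", "203.0.113.10", 443),
              Packet("tcp", "192.0.2.5", "203.0.113.20", 22)):
        print(p, "->", filter_packet(p))
```

The second sample packet is addressed to the allowed HTTPS service but carries a private source address, so it is dropped by the earlier rule; swapping the first two rules would let it through, which is the classic ordering mistake in firewall policies. A practitioner would also expect the default-deny branch to be logged, which the toy omits.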
https://www.theguardian.com/technology/2019/aug/14/major-breach-found-in-biometrics-system-used-by-banks-uk-police-and-defence-firms last accessed 2019 12 02
Laudon and Traver (2019) pp. 232 - 318 (ch. 4)
Agenda
• 1 The E-Commerce security environment
https://www.statista.com/statistics/434341/e-commerce-popular-payment-methods-germany/
Optional Reading
Case: Alipay and WeChat Pay
Chinese tech companies Alibaba and Tencent lead the mobile payment market. Laudon and Traver (2019) p. 309
96% of Chinese consumers used a mobile payment app within the last six months, and 85% prefer them to other payment methods
https://www.businessinsider.nl/alipay-wechat-pay-china-mobile-payments-street-vendors-musicians-2018-5/?international=true&r=US
Cryptocurrencies
Examples
Bitcoin, Ethereum/Ether, Ripple, Litecoin, Monero, ...
Cryptocurrencies
• are a purely digital medium of exchange
• are based on blockchain technology and cryptography
• are (slowly) gaining acceptance, and
• have been banned by some governments, due to wide fluctuations of their value and major issues with theft and fraud
Summary
Security and Payment Systems
security is complex: it requires three main elements: special technology, organizational rules and procedures, and laws and industry standards
you learned about
• the scope of E-Commerce crime and security problems,
• that any digital information system can be compromised,
• the key dimensions of E-Commerce security, and
• the tension between security and other values.
Further, we discussed
• means to secure data and online communication, and
• major E-Commerce payment systems in use today
Outlook:
B2B business
Literature
Fottrell, Q. (2019) Silicon Valley’s final frontier for payments: ‘The neoliberal takeover of the human body’. MarketWatch. https://www.marketwatch.com/story/the-technology-that-should-finally-make-your-wallet-obsolete-2019-09-06/print
Blockchain
Blockchain
permits transactions to be created and verified nearly instantaneously using a distributed peer-to-peer database
reduces the costs of verifying users and validating transactions, and the risks of storing and processing transaction information
recorded transactions cannot be altered retroactively without detection, because every block contains the hash of its predecessor; this is what makes the record more secure
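Why a recorded transaction cannot be altered retroactively without detection, as an added example that is not part of the slides: each block stores the hash of its predecessor, so changing any earlier transaction changes that block's hash and breaks every link after it. The transaction format and the sample transactions are constructed; consensus and proof-of-work, which the real systems named above add on top, are deliberately left out.

```python
"""Added example: a minimal hash chain showing tamper evidence across blocks.
Transaction format and sample data are constructed for illustration."""
import hashlib
import json
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

GENESIS_PREV = "0" * 64
Tx = Tuple[str, str, int]            # (sender, recipient, amount), constructed format


@dataclass
class Block:
    index: int
    prev_hash: str                   # hash of the predecessor block: the chain link
    transactions: List[Tx]
    hash: str = field(default="")    # own hash, fixed when the block is sealed

    def compute_hash(self) -> str:
        payload = json.dumps({"index": self.index, "prev_hash": self.prev_hash,
                              "transactions": self.transactions}, sort_keys=True).encode()
        return hashlib.sha256(payload).hexdigest()

    def seal(self) -> "Block":
        self.hash = self.compute_hash()
        return self


def build_chain(batches: List[List[Tx]]) -> List[Block]:
    """Seal one block per batch of transactions, each linked to the previous one."""
    chain, prev = [], GENESIS_PREV
    for i, txs in enumerate(batches):
        block = Block(i, prev, list(txs)).seal()
        chain.append(block)
        prev = block.hash
    return chain


def first_invalid_block(chain: List[Block]) -> Optional[int]:
    """Index of the first block whose link or own hash no longer checks out, else None."""
    prev = GENESIS_PREV
    for block in chain:
        if block.prev_hash != prev or block.compute_hash() != block.hash:
            return block.index
        prev = block.hash
    return None


def reseal_from(chain: List[Block], start: int) -> None:
    """What an attacker holding a private copy must do after editing block `start`:
    recompute every later link and hash. Peers holding the original hashes still disagree."""
    prev = chain[start - 1].hash if start > 0 else GENESIS_PREV
    for block in chain[start:]:
        block.prev_hash = prev
        block.seal()
        prev = block.hash
```

Editing a transaction in an old block is detected at that block, because its stored hash no longer matches its content; recomputing only that hash moves the failure to the next block, whose prev_hash link is now wrong. Resealing the whole tail makes a single local copy consistent again, which is exactly why the security of the real systems rests on many peers holding the chain and agreeing on it, not on the hash links alone.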