

Table of contents:
Introduction
How Online Payment Processing Works
Technologies used for online payment security
Technologies used by PayPal
Security Flaws
Conclusion

Technology is the basis of our lives. Because of the fast evolution of technology, we depend on it every day. Many people use the internet and computers to do their everyday tasks, such as checking their e-mail, paying their bills and buying and selling goods and services. The growth of the internet has made it easy for consumers to find the items they want to purchase, but cash is no longer a viable way to pay for them. This increase in e-commerce has driven the need to create online payment systems. Many online payment systems exist today; of them, PayPal is probably the most popular. PayPal is an account-based system that allows everyone with an e-mail address to securely send and receive online payments using a credit card or a bank account number. Today there are many websites that accept PayPal as a method of online payment. PayPal uses Secure Sockets Layer (SSL) protocol technology to encrypt data and increase security.

Overview of PayPal System:

With today's technology, the internet has become the most popular place for people who want to buy goods and services. In order for people to do this kind of trading, they need a safe online payment system that they can trust. PayPal is one of the world's largest online payment systems. PayPal is an example of a payment intermediary service that facilitates worldwide e-commerce. PayPal performs payment processing for online vendors, auction sites, and other commercial users, for which it charges a fee. It sometimes also charges a transaction fee for receiving money (a percentage of the amount sent plus an additional fixed amount). The fees charged depend on the currency used, the payment option used, the country of the sender, the country of the recipient, the amount sent and the recipient's account type.

Understanding the Payment Processing Network:

In a nutshell, this is a group of connected entities that links together sellers, buyers, and banks. It also facilitates the secure and reliable execution of online transactions. All the entities are interdependent. For example, if you want to accept payments over the internet, you need an internet merchant account with an acquiring bank so you can accept customer credit cards electronically. The customers, in turn, need a bank that issues credit cards and verifies their credit limit and available cash balance for purchases. In addition to the individuals, the other entities that make up the payment processing network include institutions, processes, and services, which are all defined below.

Individuals

Merchant: Someone who sells goods and services.
Customer: The holder of the credit card or other payment instrument.

Institutions

Customer Issuing Bank: The institution providing the customer's credit card.
Acquiring Bank: Provides the internet merchant accounts required to enable online card authorization and payment processing.
Credit Card Associations: Financial institutions that provide credit card services in concert with credit card associations such as Visa and MasterCard.
Processor: A large data centre that processes credit card transactions and settles funds for merchants. A processor can either be a bank or a company dedicated to providing these services.

Processes and Services

Authorization: The process of verifying that the customer's credit card is active and has a sufficient available credit limit.
Settlement: Processing authorized transactions to settle funds into a merchant's account.
Payment Processing Service: A service that connects the merchants, customers and banks involved in online transactions. It is sometimes referred to as the payment gateway.

How Online Payment Processing Works:

Online payment processing consists of two principal steps: authorization and settlement. Authorization verifies that the card is active and the customer has sufficient credit to make the transaction. Settlement is the process of charging the customer's card account and transferring money from the customer's account to the merchant's account.

First step: Processing Authorization. During authorization, a bank verifies that the customer paying via credit card has sufficient credit or funds to make a purchase. The graphic below illustrates all the steps involved.
1. Customer decides to purchase online and inputs credit card information.
2. Merchant's website receives customer information and sends it to the payment processing service.
3. Processing service routes information to processor.
4. Processor routes information to the bank that issued the customer's credit card.
5. Issuing bank sends authorization (or declination) to processor.
6. Processor routes transaction results to payment processing service.
7. Processing service sends results to merchant.
8. Merchant decides to accept or reject purchase.

Next step: Payment Processing Settlement. Once the merchant has shipped the physical product or authorized the download of digital content, the merchant may request that the payment processing service settle the transaction. During settlement, funds are transferred from the customer's account to the merchant's bank account, as illustrated below.
1. The merchant instructs the payment processing service to settle transactions.
2. The payment processing service sends transactions to the processor.
3. The processor checks the information and forwards settled transaction information to the card association and card-issuing bank.
4. Transactions are settled to the card issuers and funds move between the acquiring bank and issuing bank. Funds received for these transactions are sent to the merchant's bank account.
5. Acquiring bank credits merchant's bank account.
6. Issuing bank includes merchant's charge on customer's credit card account.
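The two-step flow above, as an added example that is not part of the paper: the issuing bank places a hold at authorization and releases it exactly once at settlement, so an over-limit purchase is declined and a second capture of the same authorization is refused. The card number, amounts and class names are constructed for illustration.

```python
"""Added example, not from the paper: a minimal model of the authorization and
settlement steps. Card numbers, amounts and entity names are constructed."""
import itertools


class IssuingBank:
    """Holds cardholders' available credit and outstanding authorization holds."""

    def __init__(self, limits):
        self.limits = dict(limits)      # card number -> available credit
        self.holds = {}                 # authorization code -> (card, amount)
        self._codes = itertools.count(1)

    def authorize(self, card, amount):
        """Authorization steps 4-5: approve only a known card with enough credit."""
        if amount <= 0 or self.limits.get(card, 0) < amount:
            return None                 # declination
        self.limits[card] -= amount     # place a hold on the funds
        code = f"AUTH{next(self._codes):04d}"
        self.holds[code] = (card, amount)
        return code

    def settle(self, code):
        """Settlement steps 3-6: release held funds once; a second capture is refused."""
        if code not in self.holds:
            return None                 # unknown, or already settled
        _card, amount = self.holds.pop(code)
        return amount


class PaymentGateway:
    """The payment processing service routing between merchant and issuing bank."""

    def __init__(self, bank):
        self.bank = bank
        self.merchant_balance = 0.0     # funds credited to the merchant's account

    def authorize(self, card, amount):
        return self.bank.authorize(card, amount)       # authorization steps 2-7

    def settle(self, code):
        amount = self.bank.settle(code)
        if amount is None:
            return False
        self.merchant_balance += amount                # acquiring bank credits merchant
        return True


def demo():
    bank = IssuingBank({"4111-0000-0000-0001": 100.0})
    gw = PaymentGateway(bank)
    code = gw.authorize("4111-0000-0000-0001", 60.0)
    over = gw.authorize("4111-0000-0000-0001", 50.0)  # exceeds remaining credit of 40
    first = gw.settle(code)
    again = gw.settle(code)                            # same authorization settled twice
    return code is not None, over is None, first, again, gw.merchant_balance
```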

Technologies used for online payment security:

A few different protocols are used for online security today. The most common security mechanism is SSL technology. Others include TLS and SET.

SSL: SSL is a secure sockets layer between HTTP and TCP on a web server. It is a transport layer security protocol. It also provides authentication of the merchant's server with its digital certificate from a certificate authority. SSL provides a simple encrypted connection between the client's computer and the merchant server over the internet. This encryption creates a virtual channel whose contents cannot be read by others. The steps of how SSL works are shown in the diagram below:

SSL version 1, a test version, was quickly replaced by SSL version 2, which was the first version released to the public and was shipped with the Netscape Navigator browser. Today version 2 is still supported despite having some security problems. Later, Microsoft came out with its own version of SSL called PCT. SSL version 3 is a complete redesign of SSL and fixes the problems found in the previous versions as well as adding features.

What is the purpose of SSL? The purpose of SSL is to provide a means of secure communication between two parties. However, one party must have a certificate trusted by the other in order to help prevent man-in-the-middle attacks. SSL also supports encryption, authentication and key exchange.

How does SSL work? SSL provides a security handshake in which the client and the server computers exchange a brief burst of messages. In these messages, they agree upon the level of security they will use, exchange digital certificates and perform other tasks. Each computer unfailingly identifies the other. It is not a problem if the client does not have a certificate, because the client is the one who is sending sensitive information. On the other hand, the server with which the client is doing business ought to have a valid certificate. Otherwise the client cannot be certain that the commerce site actually belongs to the party it claims to.

How is SSL implemented? A website implements SSL by using HTTPS, which stands for Hypertext Transfer Protocol over Secure Sockets Layer. This web protocol was developed by Netscape to encrypt and decrypt page requests as well as the pages that are returned by the web server. HTTPS uses port 443 instead of port 80, which is used for HTTP. SSL uses a key size of 40 bits for the RC4 stream encryption algorithm. This is considered a sufficient degree of encryption for commercial exchange. Both HTTPS and SSL support the use of X.509 digital certificates from the server. This way the user can authenticate the server if needed.

One of SSL's strengths is its ability to help prevent some common attacks. SSL is strong against brute force attacks because it uses 128-bit keys. The dictionary attack, which tends to be more efficient than a brute force attack, is one in which an attacker tries every word in a dictionary as a possible password for an encrypted message. This attack is also avoidable because SSL has very large key spaces. The replay attack, which re-runs messages that were sent earlier, is prevented since SSL uses a 128-bit nonce value to indicate a unique connection. And as mentioned earlier, the man-in-the-middle attack is prevented by using signed digital certificates to authenticate the server's public key. Despite the fact that SSL has the ability to defend against some common attacks, it still has some weaknesses. One of the weaknesses found in SSL is the brute force attack against weak ciphers. This weakness was forced on Netscape by US export restrictions. It remains one of the most obvious weaknesses of the SSL protocol, and it has been broken many times.
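The two protections described above, server authentication through a CA-signed certificate and replay protection through per-connection nonces, as an added toy model that is not part of the paper or of any SSL implementation. A keyed HMAC stands in for the CA's signature and the session key is taken as already agreed; all keys, nonces and hostnames are constructed.

```python
"""Added example, not from the paper: a toy model of two SSL handshake properties.
A keyed HMAC stands in for the CA's X.509 signature; the session key is assumed
to be already agreed. All keys, nonces and hostnames are constructed."""
import hashlib
import hmac
import secrets

CA_KEY = secrets.token_bytes(32)      # constructed: signing key of the trusted CA


def issue_certificate(hostname, server_pubkey):
    """CA binds a hostname to a server key (stand-in for an X.509 certificate)."""
    body = hostname.encode() + b"|" + server_pubkey
    return body, hmac.new(CA_KEY, body, hashlib.sha256).digest()


def client_verifies(cert, expected_hostname):
    """A trusted signature alone is not enough: the name must match the site visited."""
    body, sig = cert
    good_sig = hmac.compare_digest(sig, hmac.new(CA_KEY, body, hashlib.sha256).digest())
    return good_sig and body.split(b"|")[0] == expected_hostname.encode()


def finished_message(session_key, client_nonce, server_nonce):
    """The handshake's Finished MAC covers both parties' nonces for this connection."""
    return hmac.new(session_key, client_nonce + server_nonce, hashlib.sha256).digest()


def server_accepts(session_key, client_nonce, server_nonce, finished):
    expected = finished_message(session_key, client_nonce, server_nonce)
    return hmac.compare_digest(expected, finished)


def demo():
    key = secrets.token_bytes(32)                    # agreed session key (constructed)
    real = issue_certificate("www.paypal.com", b"server-key-A")
    other = issue_certificate("shop.example", b"server-key-B")  # valid cert, wrong name
    forged = (real[0], b"\x00" * 32)                 # correct name, no CA signature
    cert_ok = client_verifies(real, "www.paypal.com")
    cert_wrong_name = client_verifies(other, "www.paypal.com")
    cert_forged = client_verifies(forged, "www.paypal.com")

    # Connection 1 completes normally; connection 2 uses fresh nonces on both sides.
    c1, s1 = secrets.token_bytes(16), secrets.token_bytes(16)
    fin1 = finished_message(key, c1, s1)
    c2, s2 = secrets.token_bytes(16), secrets.token_bytes(16)
    live = server_accepts(key, c1, s1, fin1)
    replayed = server_accepts(key, c2, s2, fin1)     # captured Finished replayed later
    return cert_ok, cert_wrong_name, cert_forged, live, replayed
```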

Another weakness in SSL is the renegotiation of the master key. It is known that after a connection has been established, the same master key gets used all the way through the connection. This could be a serious security flaw if SSL is layered underneath a long-running connection. One possible solution for this flaw is to force renegotiation of the master key at different times. This way, the difficulty and the cost of any brute force attack will be multiplied by the number of times that the master key has changed.

TLS: The Transport Layer Security protocol, commonly known as TLS, is based on SSL and will soon be its successor. TLS has some changes in its MAC, has clearer and more precise specifications, cleaner handling when there is no client certificate, and more flexibility.

SET: SET is a messaging protocol designed by Visa and MasterCard for securing credit card transactions over open networks such as the Internet. In the SET protocol, a transaction has three players: the customer, the merchant and the merchant's bank. The SET protocol has three principal features, as listed in the following:
1. All sensitive information sent between the three parties is encrypted.
2. All three parties are required to authenticate themselves with certificates from the SET certificate authority.
3. The merchant never sees the customer's card number in plain text.

The third feature actually makes internet commerce more secure than traditional credit card transactions, such as paying by credit card in-store, over the phone, or through a mail order form. It is also more secure than SSL. Implementing SET in internet e-commerce requires SET point-of-sale client software, such as a SET electronic wallet, to be widely available to the Internet community.

Technologies used by PayPal:

The technologies used by PayPal consist of the main security mechanisms that most sites would employ. PayPal uses HTTPS and SSL to encrypt the data stream when a user establishes a session with the PayPal site. It is unknown what security mechanisms are used to protect their databases containing information about their customers.

SSL: According to the PayPal website, PayPal encrypts information sent to its website using SSL. It uses an encryption key that is 128 bits long, which is currently the most secure level in use today. Before proceeding, the server checks whether or not the user's browser supports SSL 3.0 or higher. PayPal also uses an electronic firewall to protect its data from the internet. Its servers are behind the firewalls and are not directly connected to the internet, in order to protect private information from unauthorized computers.

Security Flaws and Possible Solutions:

Popular companies such as Microsoft and PayPal have been attacked by hackers all over the world because of security flaws in their systems. Despite the fact that PayPal is one of the world's largest online payment systems, it has some security flaws and weak points. Because of PayPal's heavy reliance on SSL as a means to achieve security, many of its weaknesses are therefore the weaknesses of SSL.

Hackable Database: One of the attacks on PayPal was carried out by a few experienced hackers from Russia who discovered a serious security flaw in the address confirmation process of PayPal members' accounts. The hacking process was exposed to everyone on the internet, in Russian. It has been confirmed that PayPal had some technical difficulties in fixing the problem mentioned above, which means that a lot of PayPal accounts could be hacked into.

E-mail Scams: E-mail scams have been a source of security problems for PayPal. Many users have received e-mails appearing to be from PayPal urging them to click on a link and log in to their accounts. The e-mail first gives them a link to access the page shown below. The message contains a link that looks like PayPal's; however, when clicking it, the user is directed to a website that is in fact not PayPal's.

The scam was discovered in late 2002 when a group of people received the following e-mail:

This scam is dangerous because hackers obtain passwords by using false e-mail messages. Third parties hack PayPal accounts using the passwords obtained, and then log in to the accounts to steal money. They send false e-mails to PayPal users, leading them to believe that the e-mails were sent by PayPal when they were not.

Web Spoofing and Client Certificates: In the e-mail scam shown before, the link is not a PayPal site. Although the link shown is a PayPal site, after clicking on it the address for the link appears to be different. This may go unnoticed by naive users because the content and images are very similar to PayPal's website. The problem with this is when the user logs in to their account to prevent it from being cancelled. Since this website is not authentic, the user submits their username and password to an unknown third party. This third party is then able to store the username and password in a database to cause damage to the user's account. The use of client certificates would help stop web spoofing. However, client-side certificates are hardly used, so the practicality of this is not great. PayPal should also protect the images that are displayed on its website so that they cannot be saved or used by the public. This would help prevent attackers from stealing the images to create pages that mirror PayPal in appearance.
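The spoofing trick described above, where the visible link text names PayPal but the anchor's target does not, as an added detection example that is not part of the paper: the scanner walks an e-mail body's anchors and flags any whose displayed URL names a trusted host while the real href points elsewhere or is not HTTPS. The sample e-mail body, the trusted host list and the function names are constructed.

```python
"""Added example, not from the paper: flag e-mail links whose visible text names a
trusted host while the real href points elsewhere or is not HTTPS. The sample
e-mail body below is constructed (203.0.113.10 is a documentation address)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_HOSTS = {"www.paypal.com", "paypal.com"}   # hostnames the user expects

# Constructed sample of a scam e-mail body: the text looks right, the target does not.
SAMPLE_EMAIL = """
<p>Your account will be cancelled. Please <a href="http://203.0.113.10/login">
https://www.paypal.com/cgi-bin/webscr</a> to confirm.</p>
<p>Help: <a href="https://www.paypal.com/help">https://www.paypal.com/help</a></p>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every anchor in the document."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html):
    """Return hrefs whose visible text names a trusted host but whose real target
    is a different host or is not served over https:// (the check the paper advises)."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        target = urlparse(href)
        shown = urlparse(text if "://" in text else "")
        looks_trusted = shown.hostname in TRUSTED_HOSTS
        if looks_trusted and (target.hostname not in TRUSTED_HOSTS or target.scheme != "https"):
            flagged.append(href)
    return flagged
```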

Login Attempts: PayPal's security relies heavily on user passwords. Although they limit the number of login attempts, the limit seems pretty high. PayPal limits login attempts to ten before locking the account. While the chance of attackers using brute force to break into an account is rather slim, the opportunities are greater than on other websites where a user is limited to three attempts. This is a very significant security issue. If an attacker is able to access a user's account, he can wreak havoc by stealing money from the user. An initial solution to this problem is to decrease the limit on login attempts. In addition, PayPal should have another layer of protection after a correct password is entered, such as a question that requires a correct answer, similar to what is done for password retrieval.

Possible Solution: Another solution that would help with online payment security requires the user to be alert at all times. One possible way to prevent thieves from stealing is to never trust any e-mail appearing to come from PayPal and never click on a link that would take you directly to PayPal from an e-mail. Instead of clicking on the link, it is better to go to the website by typing its URL. It is also a good idea to make sure that the URL entered contains https://.

Digital Signature: A digital signature is a digital code that is attached to a message to be sent electronically. The digital code identifies the sender of the electronic message. Digital signature technology is a way to prove that the sender of the electronic message is really who he claims to be. Thus it is really important that digital signatures are protected and unbreakable.

Conclusion:

Technology has inarguably made our lives easier. It has cut across distance, space and even time. One of the technological innovations in banking, finance and commerce is electronic online payments. Online payments refers to the technological breakthrough that enables us to perform financial transactions electronically, thus avoiding long lines and other hassles. Online payments provide greater freedom to individuals in paying their taxes, licenses, fees, fines and purchases at unconventional locations and at any time of the day, 365 days a year. On the basis of the present study, the first remark is that despite the existence of a variety of e-commerce payment systems, credit cards are the most dominant payment system. This is a consequence of their advantageous characteristics, most importantly the long-established networks and very wide user base.