

Table of contents:
- Introduction (Page 3)
- How Online Payment Processing Works (Page 4)
- Technologies used for online payment security (Page 6)
- Technologies used by PayPal (Page 8)
- Security Flaws (Page 9)
- Conclusion (Page 11)

Introduction:

Technology is the basis of our lives; we depend on it every day. With today's technology, many people use the internet and computers to do their everyday tasks such as checking their e-mails, paying their bills and buying and selling goods and services. Because of the fast evolution of technology, the internet has become the most popular place for people who want to buy goods and services. The growth of the internet has made it easy for consumers to find the items they want to purchase, but cash is no longer a viable way of paying for them. This increase in e-commerce has driven the need to create online payment systems. In order for people to do this kind of trading, they need a safe online payment system that they can trust. There are many online payment systems in existence today; PayPal is probably the most popular of them. Today there are many websites that accept PayPal as a method of online payment.

Overview of PayPal System:

PayPal is one of the world's largest online payment systems. It is an example of a payment intermediary service that facilitates worldwide e-commerce. PayPal performs payment processing for online vendors, auction sites, and other commercial users, for which it charges a fee. It sometimes also charges a transaction fee for receiving money (a percentage of the amount sent plus an additional fixed amount). The fees charged depend on the currency used, the payment option used, the country of the sender, the country of the recipient, the amount sent and the recipient's account type. PayPal is an account-based system that allows everyone with an e-mail address to securely send and receive online payments using a credit card or a bank account number. It also facilitates the secure and reliable execution of online transactions. PayPal uses Secure Sockets Layer (SSL) protocol technology to encrypt data and increase security.

Understanding the Payment Processing Network:

In a nutshell, this is a group of connected entities that links together sellers, buyers, and banks. All the entities are interdependent on one another. For example, if you want to accept payments over the internet, you need an internet merchant account with an acquiring bank so you can accept customer credit cards electronically. The customers, in turn, need a bank that issues credit cards and verifies their credit limit and available cash balance for purchases. In addition to the individuals, the other entities that make up the payment processing network include institutions, processors, and services, which are all defined below.

Individuals:
- Merchant: Someone who sells goods and services.
- Customer: The holder of the credit card or other payment instrument.

Institutions:
- Issuing Bank: The institution providing the customer's credit card.
- Acquiring Bank: Provides the internet merchant accounts required to enable online card authorization and payment processing.
- Credit Card Associations: Financial institutions that provide credit card services in concert with credit card associations such as Visa and MasterCard.
- Processor: A large data centre that processes credit card transactions and settles funds for merchants. A processor can either be a bank or a company dedicated to providing these services.

Processors and Services:
- Payment Processing Service: A service that connects merchants, customers and banks involved in online transactions. It is sometimes referred to as the payment gateway.
- Authorizations: The process of verifying that the customer's credit cards are active and have sufficient available credit limits.
- Settlements: Processing authorized transactions to settle funds into a merchant's account.

How Online Payment Processing Works:

Online payment processing consists of two principal steps: authorization and settlement. Authorization verifies that the card is active and that the customer has sufficient credit to make the transaction. During authorization, a bank verifies that your customer paying via credit card has sufficient credit or funds to make a purchase. Settlement is the process of charging the customer's card account and transferring money from the customer's account to the merchant's account. The graphic below illustrates all the steps involved.

First step: Processing Authorization.
1. Customer decides to purchase online and inputs credit card information.
2. Merchant's website receives customer information and sends it to the payment processing service.
3. Processing service routes information to processor.
4. Processor routes information to the bank that issued the customer's credit card.
5. Issuing bank sends authorization (or declination) to processor.
6. Processor routes transaction results to payment processing service.
7. Processing service sends results to merchant.
8. Merchant decides to accept or reject purchase.

Next step: Payment Processing Settlement.

Once the merchant has shipped the physical product or authorized the download of digital content, the merchant may request that the payment processing service settle the transaction. During settlement, funds are transferred from the customer's account to the merchant's bank account, as illustrated below.
1. The merchant informs the payment processing service to settle transactions.
2. The payment processing service sends transactions to the processor.
3. The processor checks the information and forwards settled transaction information to the card association and card-issuing bank.
4. Issuing bank includes the merchant's charge on the customer's credit card account.
5. Transactions are settled to the card issuers and funds move between the acquiring bank and the issuing bank.
6. Acquiring bank credits the merchant's bank account. Funds received for these transactions are sent to the merchant's bank account.

Technologies used for online payment security:

There are very few different protocols that are used for online security today. The most common security mechanism is the SSL technology. Some others include TLS and SET.

SSL:

SSL is a secured socket layer between HTTP and TCP on a web server. It is a transport layer security protocol. This web protocol was developed by Netscape to encrypt and decrypt page requests as well as the pages that are returned by the web server. SSL provides a simple encrypted connection between the client's computer and the merchant's server over the internet. This encryption creates a virtual information channel that is not hackable by others. It also provides authentication for the merchant's server with its digital certificate from a certificate authority. SSL version 1, a test version, was quickly replaced by SSL version 2, which was the first version released to the public and was shipped with the Netscape Navigator browser. Today version 2 is still supported despite having some security problems. Later, Microsoft came out with its own version of SSL called PCT. SSL version 3 is a complete redesign of SSL and fixes the problems found in the previous versions as well as having additional features.

What is the purpose of SSL? The purpose of SSL is to provide a means to allow secure communication between two parties. Each computer unfailingly identifies the other. One party must have a certificate trusted by the other in order to help prevent man-in-the-middle attacks. It is not a problem if the client does not have a certificate, because the client is the one who is sending sensitive information. On the other hand, the server with whom the client is doing business ought to have a valid certificate. Otherwise the client cannot be certain that the commerce site actually belongs to the party it claims to belong to.

How is SSL implemented? A website implements SSL by using HTTPS, which stands for Hypertext Transfer Protocol over Secure Sockets Layer. HTTPS uses port 443 instead of port 80, which is used for HTTP. Both HTTPS and SSL support the use of X.509 digital certificates from the server. This way the user can authenticate the server if needed.

How does SSL work? SSL provides a security handshake in which the client and the server computers exchange a brief burst of messages. In these messages, they agree upon the level of security they will use to exchange digital certificates and perform other tasks. SSL also supports encryption, authentication and key exchange. The steps of how SSL works are shown in the diagram below:

One of SSL's strengths is its ability to help prevent some common attacks. SSL is strong against brute force attacks because it uses 128 bits. The dictionary attack, which tends to be more efficient than a brute force attack, is where an attacker tries every word in a dictionary as a possible password for an encrypted message. This attack is also avoidable because SSL has very large key spaces. The replay attack, which re-runs messages that were sent earlier, is prevented since SSL uses a 128-bit nonce value to indicate a unique connection. And as mentioned earlier, the man-in-the-middle attack is prevented by using signed digital certificates to authenticate the server's public key.

Despite the fact that SSL has the ability to defend against some common attacks, it still has some weaknesses. One of the weaknesses found in SSL is the brute force attack against weak ciphers. SSL uses a key size of 40 bits for the RC4 stream encryption algorithm. This weakness was forced on Netscape by US export restrictions. This is considered a sufficient degree of encryption for commercial exchange. However, this weakness still remains one of the most obvious weaknesses of the SSL protocol and it has been broken many times. Another weakness in SSL is the renegotiation of the master key. It is known that after a connection has been established, the same master key gets used all the way through the connection. This could be a serious security flaw if SSL is layered underneath a long running connection. One possible solution for this flaw is to force renegotiation of the master key at different times. This way, the difficulty and the cost of any brute force attack will be multiplied by the number of times that the master key has changed.

TLS:

The Transport Layer Security protocol, commonly known as TLS, is based on SSL and will soon be its successor. TLS has some changes in its MAC, has clearer and more precise specifications, cleaner handling because of not having a client certificate, and more flexibility.

SET:

SET is a messaging protocol designed by Visa and MasterCard for securing credit card transactions over open networks such as the Internet. In the SET protocol, a transaction has three players: the customer, the merchant and the merchant's bank. The SET protocol has three principal features, as listed in the following:
- All sensitive information sent between the three parties is encrypted.
- All three parties are required to authenticate themselves with certificates from the SET certificate authority.
- The merchant never sees the customer's card number in plain text.
The third feature actually makes internet commerce more secure than traditional credit card transactions, such as paying by credit card in-store, over the phone, or through a mail order form. It is also more secure than SSL. To implement SET in e-commerce on the Internet, it requires SET point-of-sale client software, such as a SET "electronic wallet", to be implemented and widely available to the Internet community.

Technologies used by PayPal:

The technologies used by PayPal consist of the main security mechanisms that most sites would employ. PayPal uses HTTPS and SSL to encrypt the data stream when a user establishes a session with the PayPal site. It is unknown what security mechanisms are used to protect their databases containing information about their customers.

SSL:

According to the PayPal website, PayPal encrypts information sent to their website using SSL. It uses an encryption key that is 128 bits long, which is currently the most secure level being used today. Before proceeding, the server checks whether or not the user's browser uses SSL 3.0 or higher. PayPal also uses an electronic firewall to protect its data from the internet. Their servers are behind the firewalls and are not directly connected to the internet in order to protect private information from unauthorized computers.

Security Flaws and possible solutions:

Popular companies such as Microsoft and PayPal have been attacked by hackers all over the world because of some security flaws in their systems. Despite the fact that PayPal is one of the world's largest online payment systems, it has some security flaws and weak points. Because of PayPal's heavy reliance on SSL as a means to achieve security, many of their weaknesses are therefore the weaknesses of SSL.

Hackable Database:

One of the attacks on PayPal was done by a few experienced hackers from Russia who discovered a serious security flaw in the address confirmation process of PayPal members' accounts. The hacking process was exposed to everyone on the internet in the Russian language, which means that a lot of PayPal accounts could be hacked into. It has been confirmed that PayPal had some technical difficulties in fixing the problem mentioned above.

E-mail Scams:

E-mail scams have been a source of security problems for PayPal. Many users have received e-mails appearing to be from PayPal urging them to click on a link and log in to their accounts. The message contains a link that looks like PayPal's; however, when clicking it, the user will be directed to a website that is in fact not PayPal's. The scam was discovered in late 2002 when a group of people received the following e-mail:

The e-mail will first give them a link to access the page shown below.

This scam is dangerous because hackers obtain passwords by using false e-mail messages. They send false e-mails to PayPal users, leading them to believe that the e-mails were sent by PayPal when they are not. The problem arises when the user logs in to their account to prevent their account from being cancelled. Although the link shown is a PayPal site, after clicking on it, the address for the link appears to be different. Since this website is not authentic, the user submits their username and password to an unknown third party. This may go unnoticed by naïve users because the content and images are very similar to PayPal's website. This third party is then able to store the username and password in a database to cause damage to the users' accounts. Third parties hack PayPal accounts using the passwords obtained, and then log in to the account to steal money.

Web Spoofing and Client Certificates:

In the e-mail scam shown before, the link is not a PayPal site. The use of client certificates would help stop web spoofing. However, client side certificates are hardly used, so the practicality of this is not great. PayPal should also protect the images that are displayed on their website such that they cannot be saved or used by the public. This would help prevent attackers from stealing the images to create pages that mirror PayPal in its appearance.

Login Attempts:

PayPal's security relies heavily on user passwords. PayPal limits login attempts to ten accesses before locking the account. Although they limit the number of attempts to log in, the limit seems pretty high. While the chances of attackers using brute force to break into an account are rather slim, the opportunities are greater than on other websites in which a user is limited to three attempts. If an attacker is able to access a user's account, he can wreak havoc by stealing money from the user. This is a very significant security issue. An initial solution to this problem is to decrease the limit of login attempts. In addition, PayPal should have another layer of protection after a correct password has been entered, such as a question that requires a correct answer, similar to what is done for password retrieval.

Possible Solution:

Another solution that would help with online payment security involves the user being alert at all times. One possible way to prevent thieves from stealing is to never trust any e-mail coming from PayPal and never click on a link that would take you directly to PayPal from an e-mail. So instead of clicking on the link, it is better to go to the website by typing the website's URL. Also, it is a good idea to make sure that the URL entered contains https://.

Digital Signature:

A digital signature is a digital code that is attached to a message that is to be sent electronically. The digital code identifies the sender of the electronic message. Digital signature technology is a way to prove that the sender of the electronic message is really who he claims to be. Thus it is really important that digital signatures are protected and unbreakable.

Conclusion:

Technology has inarguably made our lives easier. It has cut across distance, space and even time. One of the technological innovations in banking, finance and commerce is Electronic Online Payments. Online Payments refers to the technological breakthrough that enables us to perform financial transactions electronically, thus avoiding long lines and other hassles. Online Payments provides greater freedom to individuals in paying their taxes, licenses, fees, fines and purchases at unconventional locations and at whichever time of the day, 365 days of the year. On the basis of the present study, the first remark is that despite the existence of a variety of e-commerce payment systems, credit cards are the most dominant payment system. This is a consequence of their advantageous characteristics, most importantly the long established networks and very wide user base.
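The e-mail scam described above (a link whose visible text looks like PayPal's while its real address is different) and the advice in the Possible Solution section (check the real address and that it uses https://) can be turned into an automated check. The following is an added example, not code from the original report or from PayPal: it parses a constructed phishing-style HTML message, compares each link's visible text against the host its href actually points to, and flags links that leave a set of trusted hosts or use plain http. The trusted-host set and the sample domain paypal-login.example.net are assumptions for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a phishing-style HTML e-mail whose first link shows a
# PayPal-looking address while the href points to a different (hypothetical) host.
SAMPLE_EMAIL = """
<p>Your account will be cancelled unless you log in now.</p>
<a href="http://paypal-login.example.net/cgi-bin/webscr">https://www.paypal.com/cgi-bin/webscr</a>
<a href="https://www.paypal.com/help">Help Center</a>
"""

# Assumed set of hosts the user actually intends to reach.
TRUSTED_HOSTS = {"www.paypal.com", "paypal.com"}

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the message."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host_of(url_text):
    """Return the lowercase host of a URL-looking string, or None if it is not an http(s) URL."""
    parsed = urlparse(url_text.strip())
    return parsed.hostname.lower() if parsed.scheme in ("http", "https") and parsed.hostname else None

def audit_links(html):
    """Return a list of (href, reason) for links a reader should not follow."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        href_host = _host_of(href)
        text_host = _host_of(text)  # None when the link text is not itself a URL
        if href_host is None:
            findings.append((href, "href is not an http(s) URL"))
        elif text_host is not None and text_host != href_host:
            findings.append((href, f"link text shows {text_host} but href goes to {href_host}"))
        elif href_host not in TRUSTED_HOSTS:
            findings.append((href, f"host {href_host} is not a trusted PayPal host"))
        elif urlparse(href).scheme != "https":
            findings.append((href, "trusted host reached over plain http, not https"))
    return findings
```

Running `audit_links(SAMPLE_EMAIL)` reports only the first link, because its visible text names www.paypal.com while the href leads to paypal-login.example.net; the second link reaches a trusted host over https and passes.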
