
E-COMMERCE SECURITY AND PAYMENT SYSTEMS

BY PUTERI SYAHEERA BINTI JAAFAR
ATIQAH AQILAH BINTI AHMAD MUFIT
NURUL AMIERA SYUHADA BINTI RAZALI

E-COMMERCE SECURITY AND PAYMENT SYSTEMS

4.3 : TECHNOLOGY SOLUTIONS

Protecting Internet Communications

ENCRYPTION

The process of transforming plain text or data into cipher text that cannot be read by
anyone other than the sender and the receiver

Purpose:
* To secure stored information
* To secure information transmission

 In a substitution cipher, every occurrence of a given letter is replaced systematically by another letter.
 In a transposition cipher, the ordering of the letters in each word is changed in some systematic way.

a) Symmetric Key Encryption
 The sender and receiver use the same key to encrypt and decrypt the message.
 The possibilities for simple substitution and transposition ciphers are endless, but in the digital age computers are so powerful and fast that these ancient means of encryption can be broken quickly.
 Symmetric key encryption requires that both parties share the same secret key. In commercial use you would need a secret key for each of the parties with whom you transacted, and they are not all part of the same team.
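The slides say simple substitution and transposition ciphers are broken quickly by a computer. This added example (not from the slides) implements both and then recovers a substitution (Caesar shift) key by trying the whole key space and scoring each candidate against English letter frequencies; the message and shift are constructed samples.

```python
# Added example, not from the slides: a substitution cipher (Caesar shift) and a columnar
# transposition cipher, plus a brute-force recovery of the Caesar key that shows why a
# computer breaks these "ancient means of encryption" quickly.
import string

ALPHABET = string.ascii_uppercase

# Approximate English letter frequencies in percent, used to score candidate plaintexts.
ENGLISH_FREQ = {
    "A": 8.2, "B": 1.5, "C": 2.8, "D": 4.3, "E": 12.7, "F": 2.2, "G": 2.0, "H": 6.1,
    "I": 7.0, "J": 0.15, "K": 0.77, "L": 4.0, "M": 2.4, "N": 6.7, "O": 7.5, "P": 1.9,
    "Q": 0.095, "R": 6.0, "S": 6.3, "T": 9.1, "U": 2.8, "V": 0.98, "W": 2.4,
    "X": 0.15, "Y": 2.0, "Z": 0.074,
}

def substitution_encrypt(plaintext: str, shift: int) -> str:
    """Substitution: every occurrence of a letter is replaced by the letter `shift` places on."""
    return "".join(ALPHABET[(ALPHABET.index(c) + shift) % 26] if c in ALPHABET else c
                   for c in plaintext.upper())

def substitution_decrypt(ciphertext: str, shift: int) -> str:
    return substitution_encrypt(ciphertext, -shift)

def transposition_encrypt(plaintext: str, key: int) -> str:
    """Transposition: write the text in rows of `key` letters and read it off by columns."""
    return "".join(plaintext[i::key] for i in range(key))

def transposition_decrypt(ciphertext: str, key: int) -> str:
    """Undo the transposition: rebuild the columns, then read the rows back."""
    n = len(ciphertext)
    cols, pos = [], 0
    for i in range(key):
        length = (n - i + key - 1) // key      # how many letters landed in column i
        cols.append(ciphertext[pos:pos + length])
        pos += length
    rows = (n + key - 1) // key
    return "".join(cols[c][r] for r in range(rows) for c in range(key) if r < len(cols[c]))

def english_score(text: str) -> float:
    """Chi-squared distance from English letter frequencies; lower looks more like English."""
    letters = [c for c in text if c in ALPHABET]
    total = len(letters) or 1
    return sum((letters.count(ltr) - ENGLISH_FREQ[ltr] / 100 * total) ** 2
               / (ENGLISH_FREQ[ltr] / 100 * total) for ltr in ALPHABET)

def break_substitution(ciphertext: str) -> int:
    """Try all 26 shifts (the entire key space) and keep the most English-looking result."""
    return min(range(26), key=lambda s: english_score(substitution_decrypt(ciphertext, s)))
```

Twenty-six trials is the whole key space of a shift cipher, which is the point: a key space that small offers no protection once an attacker has a computer.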

 The Data Encryption Standard (DES)
• Developed by the National Security Agency (NSA) and IBM
• Uses a 56-bit encryption key
 Advanced Encryption Standard (AES)
• Most widely used symmetric key encryption algorithm
• Offers 128-, 192- and 256-bit keys

b) Public Key Encryption / Public Key Cryptography

c) Public Key Encryption Using Digital Signatures and Hash Digests
 Hash Function
• An algorithm that produces a fixed-length number called a hash or message digest
• The function can be simple: count the number of digital 1s in a message. It can be more complex: produce a 128-bit number that reflects the number of 0s and 1s
• Unique to the document and changes for every document
 Digital Signature
• "Signed" cipher text that can be sent over the Internet
• A close parallel to a handwritten signature
• Even more unique than a handwritten signature
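The slides describe a hash function that simply counts the 1s in a message and say a digest should change for every document. This added example (not from the slides) puts that simple digest next to SHA-256 on a constructed purchase order, so a practitioner can see why the simple one fails as an integrity check while a real digest does not.

```python
# Added example, not from the slides: the "count the 1s" digest the slides mention next
# to a modern fixed-length digest (SHA-256). Messages are constructed samples.
import hashlib

def popcount_digest(message: bytes) -> int:
    """The simple hash from the slides: count the number of binary 1s in the message."""
    return sum(bin(byte).count("1") for byte in message)

def sha256_digest(message: bytes) -> str:
    """A 256-bit message digest, always 64 hex characters regardless of message length."""
    return hashlib.sha256(message).hexdigest()

def is_collision(digest_fn, a: bytes, b: bytes) -> bool:
    """True when two different messages share a digest, so tampering would go unnoticed."""
    return a != b and digest_fn(a) == digest_fn(b)

def flip_bit(message: bytes, bit_index: int) -> bytes:
    """Return a copy of `message` with one bit inverted."""
    data = bytearray(message)
    data[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(data)

def differing_hex_digits(a_hex: str, b_hex: str) -> int:
    """How many positions of two equal-length hex digests differ."""
    return sum(x != y for x, y in zip(a_hex, b_hex))

# Constructed purchase order and a tampered copy that only reorders characters: the
# multiset of bytes is unchanged, so the 1-count is identical although the amount differs.
ORDER = b"Pay ACME Ltd the amount of 100.00 USD"
TAMPERED = b"Pay ACME Ltd the amount of 10000. USD"

if __name__ == "__main__":
    print("popcount collision:", is_collision(popcount_digest, ORDER, TAMPERED))  # True
    print("sha256 collision:  ", is_collision(sha256_digest, ORDER, TAMPERED))    # False
    flipped = flip_bit(ORDER, 0)
    # Flipping one bit moves the 1-count by exactly 1 (predictable), but changes
    # roughly 15 of every 16 hex digits of the SHA-256 digest.
    print("popcount moved by", abs(popcount_digest(flipped) - popcount_digest(ORDER)))
    print("sha256 hex digits changed:",
          differing_hex_digits(sha256_digest(ORDER), sha256_digest(flipped)), "of 64")
```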

d) Digital Envelopes
 A technique that uses symmetric encryption for large documents, but public key encryption to encrypt and send the symmetric key

e) Digital Certificates and Public Key Infrastructure (PKI)

 Digital Certificate
 PKI

Limitations to Encryption Solutions
 There is no guarantee that the verifying computer of the merchant is secure
 CAs are self-selected organizations seeking to gain access to the business of authorization
 PGP

PUBLIC AND PRIVATE KEY IN ENCRYPTION

SECURING CHANNELS OF COMMUNICATION

1. Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
 Secure negotiated session: a client-server session in which the URL of the requested document, along with the contents, the contents of forms and the cookies exchanged, are encrypted.
 Session key: a unique symmetric encryption key chosen just for this single secure session.

 SSL/TLS provides data encryption, server authentication, optional client authentication and message integrity for TCP/IP connections
 Protects the integrity of the messages exchanged
 Cannot provide irrefutability

Virtual Private Networks (VPNs)
* Allow remote users to securely access a corporation's local area network via the Internet, using a variety of VPN protocols
* Use authentication and encryption to secure information from unauthorized persons
* Reduce the cost of secure communications

Wireless (Wi-Fi) Networks
 Wired Equivalent Privacy (WEP)
 Wi-Fi Protected Access (WPA)
 WPA2 – wireless security standard that uses the AES algorithm for encryption and CCMP

PROTECTING NETWORKS

1. Firewalls
 Refers to either hardware or software that filters communication packets and prevents some packets from entering the network based on a security policy
 Controls traffic to and from servers and clients
 Forbids communication from untrustworthy sources
 Allows other communications from trusted sources to proceed
 Can filter traffic based on packet attributes

Two major firewall methods:
 Packet filters
 Application gateways
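As an added example (not from the slides), a minimal stateless packet filter of the kind the slides call a "packet filter": rules are matched on packet attributes in order, the first match decides, and a packet matching no rule is dropped (default deny). The LAN range, web server address and blocked address range are constructed samples.

```python
# Added example, not from the slides: a stateless packet filter. Each rule matches on
# packet attributes (direction, protocol, source/destination address, destination port);
# rules are evaluated first-to-last and a packet that matches no rule is denied.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    direction: str          # "in" (from the Internet) or "out" (from the LAN)
    proto: str              # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    direction: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"           # CIDR range the source address must fall in
    dst: str = "0.0.0.0/0"           # CIDR range the destination address must fall in
    dport: Optional[int] = None      # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))

# Security policy for a constructed web shop: 10.0.0.0/24 is the internal LAN and
# 10.0.0.80 is the public web server. Only HTTP/HTTPS may reach the server from outside.
POLICY = [
    Rule("deny", src="203.0.113.0/24"),                          # untrustworthy source range
    Rule("allow", "in", "tcp", dst="10.0.0.80/32", dport=443),   # HTTPS to the shop
    Rule("allow", "in", "tcp", dst="10.0.0.80/32", dport=80),    # HTTP to the shop
    Rule("allow", "out", src="10.0.0.0/24"),                     # LAN clients may go out
]

def filter_packet(p: Packet, policy=POLICY) -> str:
    """Return 'allow' or 'deny' for one packet: first matching rule wins, default deny."""
    for rule in policy:
        if rule.matches(p):
            return rule.action
    return "deny"
```

The ordering matters: because the deny for 203.0.113.0/24 comes first, even HTTPS from that range never reaches the allow rules.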

2. Proxy Servers
 Software server that handles all communications originating from or being sent to the Internet
 Called dual-home systems because they have two network interfaces
 To internal computers, known as the gateway
 To external computers, known as a mail server or numeric address

Intrusion Detection and Prevention Systems
 Intrusion detection system (IDS): examines network traffic, watching to see if it matches certain patterns or preconfigured rules indicative of an attack
 Intrusion prevention system (IPS): has all the functionality of an IDS, with the additional ability to take steps to prevent and block suspicious activities
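To make the IDS/IPS distinction concrete, this added example (not from the slides) checks web-server access log lines against two preconfigured rules indicative of an attack, repeated failed logins from one source and one source probing for files that do not exist; IDS mode only alerts, IPS mode also returns the sources to block. The log lines, addresses and thresholds are constructed samples.

```python
# Added example, not from the slides: a toy intrusion detection / prevention system that
# examines web-server access log lines against two preconfigured rules indicative of an
# attack: repeated failed logins from one source, and one source probing for files that
# do not exist. IDS mode only alerts; IPS mode also returns the sources to block.
import re
from collections import Counter

# Constructed sample log lines (Apache-style): client address, timestamp, request, status.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2013:13:55:36] "GET /shop/item?id=42 HTTP/1.1" 200
198.51.100.7 - - [10/Oct/2013:13:55:40] "GET /backup.zip HTTP/1.1" 404
198.51.100.7 - - [10/Oct/2013:13:55:41] "GET /test.php HTTP/1.1" 404
198.51.100.7 - - [10/Oct/2013:13:55:42] "GET /old/ HTTP/1.1" 404
203.0.113.5 - - [10/Oct/2013:13:56:01] "POST /login HTTP/1.1" 401
203.0.113.5 - - [10/Oct/2013:13:56:03] "POST /login HTTP/1.1" 401
203.0.113.5 - - [10/Oct/2013:13:56:05] "POST /login HTTP/1.1" 401
192.0.2.44 - - [10/Oct/2013:13:57:10] "POST /login HTTP/1.1" 401
192.0.2.44 - - [10/Oct/2013:13:57:12] "POST /login HTTP/1.1" 200
"""

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})')

def parse_log(text: str) -> list:
    """Turn raw log lines into (source, method, path, status) tuples; skip unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append((m["src"], m["method"], m["path"], int(m["status"])))
    return events

def detect(events, login_threshold: int = 3, probe_threshold: int = 3) -> list:
    """IDS: return (rule, source) alerts for every source whose traffic matches a rule."""
    failed_logins = Counter()
    missing_paths = {}
    for src, method, path, status in events:
        if method == "POST" and path == "/login" and status == 401:
            failed_logins[src] += 1
        if status == 404:
            missing_paths.setdefault(src, set()).add(path)
    alerts = [("brute-force-login", s) for s, n in failed_logins.items() if n >= login_threshold]
    alerts += [("path-probing", s) for s, p in missing_paths.items() if len(p) >= probe_threshold]
    return alerts

def prevent(events, **thresholds):
    """IPS: the same detection, plus the list of sources to block at the firewall."""
    alerts = detect(events, **thresholds)
    return alerts, sorted({src for _, src in alerts})
```

A single failed login (192.0.2.44) stays below the threshold and raises nothing, which is the trade-off every threshold rule carries: set it too low and ordinary typos become alerts, too high and a slow attack is missed.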

PROTECTING SERVERS AND CLIENTS

1. Operating System Security Enhancements
 To take advantage of automatic computer security upgrades
 Users can easily download these security patches for free

2. Anti-Virus Software
 Prevent threats by simply keeping server and client operating systems and applications up to date
 The easiest and least-expensive way to prevent threats to system integrity is to install anti-virus software
 Anti-virus programs can be set up so that email attachments are inspected before they are clicked on

4.4 : MANAGEMENT POLICIES, BUSINESS PROCEDURES, AND PUBLIC LAWS

• Worldwide, in 2013, companies are expected to spend over $65 billion on security hardware, software and services (Gartner, 2013)
• Public laws and active enforcement of cybercrime statutes are required both to raise the costs of illegal behavior on the Internet and to guard against corporate abuse of information

A security plan: Management Policies
• To minimize security threats, e-commerce firms must develop a coherent corporate policy that takes into ...

Figure 4.12 DEVELOPING AN E-COMMERCE SECURITY PLAN

A security plan begins with:

1. Risk assessment – an assessment of the risks and points of vulnerability
 First step: inventory the information and knowledge assets of the e-commerce site and company.
 Examples of information at risk: customer information, proprietary designs, business activities, secret processes and other internal information.

2. Security policy – a set of statements prioritizing the information risks, identifying acceptable risk targets, and identifying the mechanisms for achieving these targets.
 Second step: develop a security policy for the risks determined to be the highest priority in the risk assessment.
 Example risk assessment questions: who generates and controls this information in this firm? What security policies already exist? etc.

3. Implementation plan – the steps you will take to achieve the security plan goals
 Third step: turn the levels of acceptable risk into a set of tools, technologies, policies, and procedures.
 Need an organizational unit in charge of security and a security officer.

4. Security organization – educates and trains users, keeps management aware of security threats and breakdowns, and maintains the tools chosen to implement security.
 Access control – determines which outsiders and insiders can gain legitimate access to networks.
 Outsiders: access controls such as firewalls and proxy servers
 Insiders: login procedures (username, passwords, and access codes)

 Authentication procedures – use of digital signatures and certificates of authority.
 Biometric devices – verify physical attributes associated with an individual, such as a fingerprint or retina (eye) scan, or a speech recognition system.

 Security tokens – physical devices or software that generate an identifier that can be used in addition to or in place of a password
 Authorization policies – differing levels of access to information assets
 Authorization management systems: determine when a user is permitted to access certain parts of a website

5. Security audit – the routine review of the access logs (identifying how outsiders are using the site as well)
 A monthly report should be produced on the activity patterns.
 Many small firms have sprung up in the last five years to provide these services to large corporate sites.

THE ROLE OF LAWS AND PUBLIC POLICIES
 Voluntary and private efforts have played a very large role in identifying criminal hackers and assisting law enforcement.
 The U.S. government creates a deterrent to further hacker action
 By making such actions federal crimes
 By increasing the punishment of cybercrimes
 The government is able to extradite international hackers and prosecute them within the U.S.
 The majority of states now require companies to maintain personal data on their residents

Table 4.5 U.S. E-COMMERCE SECURITY LEGISLATION AND REGULATION

PRIVATE AND PRIVATE-PUBLIC COOPERATION EFFORTS
 Several organizations, some private and some public, are devoted to tracking down criminal organizations and individuals attacking the Internet
 Private organization: CERT Coordination Center at Carnegie Mellon University
 CERT monitors and tracks online criminal activity
 Assists organizations in identifying ...

GOVERNMENT POLICIES AND CONTROLS ON ENCRYPTION SOFTWARE
 In the United States, both Congress and the executive branch have sought to regulate the uses of encryption and to restrict the availability and export of encryption systems as a means of preventing crime and terrorism
 Four organizations have influenced the international traffic in encryption software:

BY PUTERI, AMIERA, ATIQAH

E-COMMERCE SECURITY AND PAYMENT SYSTEMS
4.3 TECHNOLOGY SOLUTIONS
4.4 MANAGEMENT POLICIES, BUSINESS PROCEDURES, AND PUBLIC LAWS

QUESTIONS
1. List 4 key dimensions of e-commerce security.
2. List out the steps of developing an e-commerce security plan.
3. Explain what a firewall is in protecting a network.

ANSWERS
1. 4 key dimensions of e-commerce security:
• Message integrity
• Nonrepudiation
• Authentication
• Confidentiality
2. Steps of developing an e-commerce security plan:
• Perform a risk assessment
• Develop a security policy
• Develop an implementation plan
• Create a security organization
• Perform a security audit
3. Firewall in protecting a network:
• Controls traffic to and from servers and clients
• Forbids communication from untrustworthy sources
