
Chapter 5

E-commerce Security
and Payment Systems
Introduction
Some of the major trends in online security in 2020–2021
5.1. THE E-COMMERCE SECURITY ENVIRONMENT

THE SCOPE OF THE PROBLEM

• Cybercrime is becoming a more significant problem for both organizations and consumers.
• Bot networks, DDoS attacks, Trojans, phishing, ransomware, data theft, identity fraud, credit card fraud, and spyware are just some of the threats that are making daily headlines.
• Social networks have also had security breaches.
• Online credit card fraud is one of the most high-profile forms of e-commerce crime.
5.1. THE E-COMMERCE SECURITY ENVIRONMENT

The Underground Economy Marketplace: The Value of Stolen Information

• Criminals who steal information on the Internet do not always use this information themselves, but instead derive value by selling the information to others on the so-called underground or shadow economy market, also sometimes referred to as the Dark Web or the Darknet.
• Cybercrime against e-commerce sites is dynamic and changing all the time, with new risks appearing almost daily.
• The managers of e-commerce sites must prepare for an ever-changing variety of criminal assaults, and keep current in the latest security techniques.
5.1. THE E-COMMERCE SECURITY ENVIRONMENT

WHAT IS GOOD E-COMMERCE SECURITY?

• Reducing risks in e-commerce is a complex process that involves new technologies, organizational policies and procedures, and new laws and industry standards that empower law enforcement officials to investigate and prosecute offenders.
5.1. THE E-COMMERCE SECURITY ENVIRONMENT

DIMENSIONS OF E-COMMERCE SECURITY

• There are six key dimensions to e-commerce security:

1. Integrity: the ability to ensure that information being displayed on a website or transmitted or received over the Internet has not been altered in any way by an unauthorized party

2. Nonrepudiation: the ability to ensure that e-commerce participants do not deny (i.e., repudiate) their online actions
5.1. THE E-COMMERCE SECURITY ENVIRONMENT

DIMENSIONS OF E-COMMERCE SECURITY

• There are six key dimensions to e-commerce security:

3. Authenticity: the ability to verify the identity of a person or entity with whom you are dealing on the Internet

4. Confidentiality: the ability to ensure that messages and data are available only to those who are authorized to view them
5.1. THE E-COMMERCE SECURITY ENVIRONMENT

DIMENSIONS OF E-COMMERCE SECURITY

• There are six key dimensions to e-commerce security:

5. Privacy: the ability to control the use of information about oneself

6. Availability: the ability to ensure that an e-commerce site continues to function as intended
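Added example (not part of the chapter slides): a Python sketch of how integrity and authenticity of an order message are enforced with an HMAC, and why a MAC on its own does not give nonrepudiation. The shared key, the order fields and the function names are assumptions made for this example.

```python
import hashlib
import hmac
import json

# Constructed example key. In practice this secret is shared only by the
# merchant and its payment processor and is loaded from a secrets store.
SHARED_KEY = b"example-shared-key-do-not-use-in-production"

# Constructed sample order.
ORDER = {"order_id": "A1001", "customer": "alice", "amount_cents": 4999, "currency": "USD"}


def canonical(order: dict) -> bytes:
    """Serialise deterministically so both parties tag exactly the same bytes."""
    return json.dumps(order, sort_keys=True, separators=(",", ":")).encode()


def tag_order(order: dict, key: bytes = SHARED_KEY) -> str:
    """Integrity + authenticity: HMAC-SHA256 tag over the canonical order."""
    return hmac.new(key, canonical(order), hashlib.sha256).hexdigest()


def verify_order(order: dict, tag: str, key: bytes = SHARED_KEY) -> bool:
    """Recompute the tag and compare in constant time (no timing leak)."""
    return hmac.compare_digest(tag_order(order, key), tag)


def demo() -> dict:
    tag = tag_order(ORDER)
    # 1. The untampered order verifies.
    ok_original = verify_order(ORDER, tag)
    # 2. Someone on the communications pipeline changes the amount: the tag
    #    no longer matches, so the receiver rejects the order (integrity).
    ok_tampered = verify_order(dict(ORDER, amount_cents=1), tag)
    # 3. A tag minted under a different key is rejected: only a holder of
    #    SHARED_KEY can produce a valid tag (authenticity).
    ok_forged = verify_order(ORDER, tag_order(ORDER, b"attacker-key"))
    # 4. Nonrepudiation caveat: the receiver holds SHARED_KEY too, so it can
    #    mint a valid tag for an order the customer never placed. A MAC cannot
    #    prove to a third party who created a message; that requires an
    #    asymmetric signature with a private key held by one party only.
    invented = dict(ORDER, amount_cents=999999)
    receiver_can_forge = verify_order(invented, tag_order(invented))
    return {
        "ok_original": ok_original,
        "ok_tampered": ok_tampered,
        "ok_forged": ok_forged,
        "receiver_can_forge": receiver_can_forge,
    }


if __name__ == "__main__":
    print(demo())
```

The last case is the practical reason payment protocols sign disputes-relevant messages rather than only MAC them: both ends of a shared-key channel can produce the same tag.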
5.1. THE E-COMMERCE SECURITY ENVIRONMENT

THE TENSION BETWEEN SECURITY AND OTHER VALUES

• Security versus Ease of Use

• Public Safety and the Criminal Uses of the Internet


5.2. SECURITY THREATS IN THE
E-COMMERCE ENVIRONMENT
• From a technology perspective, there are three key points of vulnerability when dealing with e-commerce: the client, the server, and the communications pipeline

• The following are a number of the most common and most damaging forms of security threats to e-commerce consumers and site operators
5.2. SECURITY THREATS IN THE
E-COMMERCE ENVIRONMENT
1. Malicious code (malware): includes a variety of threats such as viruses, worms, Trojan horses, and bots

2. Potentially unwanted program (PUP): program that installs itself on a computer, typically without the user’s informed consent

3. Phishing: any deceptive, online attempt by a third party to obtain confidential information for financial gain

4. Hacker: an individual who intends to gain unauthorized access to a computer system
5.2. SECURITY THREATS IN THE
E-COMMERCE ENVIRONMENT
4. Cybervandalism (a form of hacking): intentionally disrupting, defacing, or even destroying a site

5. Data breach: occurs when an organization loses control over corporate information, including the personal information of customers and employees, to outsiders

6. Credit card fraud/theft: theft of credit card data is one of the most feared occurrences on the Internet

7. Spoofing: involves attempting to hide a true identity by using someone else’s e-mail address or IP address
5.2. SECURITY THREATS IN THE
E-COMMERCE ENVIRONMENT
8. Pharming: automatically redirecting a web link to an address different from the intended one, with the site masquerading as the intended destination

9. Spam (junk) websites: also referred to as link farms; promise to offer products or services, but in fact are just collections of advertisements

10. Identity fraud: involves the unauthorized use of another person’s personal data for illegal financial benefit
5.2. SECURITY THREATS IN THE
E-COMMERCE ENVIRONMENT
11. Sniffer: a type of eavesdropping program that monitors information traveling over a network

12. Denial of Service (DoS) attack: flooding a website with useless traffic to inundate and overwhelm the network
Distributed Denial of Service (DDoS) attack: using numerous computers to attack the target network from numerous launch points

13. Insider attacks: the largest financial threats to business institutions come not from robberies but from embezzlement by insiders
5.2. SECURITY THREATS IN THE
E-COMMERCE ENVIRONMENT
14. Poorly designed software: software with exploitable flaws that attackers can use to compromise a site

15. Social network security issues: viruses, site takeovers, identity fraud, malware-loaded apps, click hijacking, phishing, and spam are all found on social networks

16. Mobile platform security issues: as with social network members, mobile users are prone to thinking they are in a shared, trustworthy environment

17. Cloud security issues: the move of so many Internet services into the cloud also raises security risks.
5.3. TECHNOLOGY SOLUTIONS

• The first line of defense against the wide variety of e-commerce security threats is a set of tools that can make it difficult for outsiders to invade or destroy a site.
5.3. TECHNOLOGY SOLUTIONS

PROTECTING INTERNET COMMUNICATIONS

1. Encryption: the process of transforming plain text or data into ciphertext that cannot be read by anyone other than the sender and the intended receiver

2. Network Security Protocols: Secure Sockets Layer (SSL) was the original protocol enabling secure communications over the Internet; every SSL version is now deprecated, and the protocol in use today is its successor, Transport Layer Security (TLS), of which TLS 1.2 and 1.3 are the versions that should be enabled

3. Virtual private network (VPN): allows remote users to securely access internal networks via the Internet. The Point-to-Point Tunneling Protocol (PPTP) was an early VPN protocol, but its MS-CHAPv2 authentication and its encryption are broken, so it should no longer be used; current deployments use IPsec/IKEv2, TLS-based VPNs such as OpenVPN, or WireGuard
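Added example (not from the slides): auditing a Python ssl client context for the settings that undermine SSL/TLS protection: certificate verification switched off, hostname checking switched off, and a protocol floor below TLS 1.2. The weak configuration is shown beside the hardened one; audit_tls_context and its finding strings are assumptions made for this example.

```python
import ssl


def audit_tls_context(ctx: ssl.SSLContext) -> list:
    """Return findings for a client-side TLS context (empty list = hardened)."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("server certificate is not verified (CERT_NONE)")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2 (legacy SSL / TLS 1.0 / 1.1 allowed)")
    return findings


def weak_client_context() -> ssl.SSLContext:
    """The configuration seen in code that 'just makes the error go away'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be disabled before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE     # accepts any certificate: an on-path attacker wins
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # whatever the library allows
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """create_default_context() already verifies the chain and the hostname;
    pin the floor to TLS 1.2 explicitly and disable TLS compression (CRIME)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


def demo() -> dict:
    return {
        "weak": audit_tls_context(weak_client_context()),
        "hardened": audit_tls_context(hardened_client_context()),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or ["no findings"])
```

The same three checks apply to any TLS client library: if certificates or hostnames are not verified, encryption only protects against passive eavesdropping, not against a spoofed or pharmed server.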
5.3. TECHNOLOGY SOLUTIONS

PROTECTING INTERNET COMMUNICATIONS

4. Firewall: refers to either hardware or software that filters communication packets and prevents some packets from entering the network based on a security policy

5. Proxy server (proxy): software server that handles all communications originating from or being sent to the Internet, acting as a spokesperson or bodyguard for the organization
5.3. TECHNOLOGY SOLUTIONS

PROTECTING INTERNET COMMUNICATIONS

6. Intrusion detection system (IDS): examines network traffic, watching to see if it matches certain patterns or preconfigured rules indicative of an attack
Intrusion prevention system (IPS): has all the functionality of an IDS, with the additional ability to take steps to prevent and block suspicious activities

7. Anti-Virus Software: the easiest and least expensive way to reduce threats to system integrity is to install anti-virus software; signature-based products only recognize malware they already know, so they must be kept updated and do not replace patching and the other controls above
5.4. MANAGEMENT POLICIES, BUSINESS
PROCEDURES, AND PUBLIC LAWS
1. Risk assessment: an assessment of the risks and points of vulnerability

2. Security policy: a set of statements prioritizing the information risks, identifying acceptable risk targets, and identifying the mechanisms for achieving these targets

3. Implementation plan: the action steps you will take to achieve the security plan goals
5.4. MANAGEMENT POLICIES, BUSINESS
PROCEDURES, AND PUBLIC LAWS
4. Security organization: educates and trains users, keeps management aware of security threats and breakdowns, and maintains the tools chosen to implement security

5. Security audit: involves the routine review of access logs (identifying how outsiders are using the site as well as how insiders are accessing the site’s assets)
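Added example (not part of the slides) serving two passages at once: the IDS/IPS rules of section 5.3 (item 6) and the access-log review of the security audit above (item 5). It runs rule matching over constructed web-server log lines in the common Apache format, flags SQL injection probes, path traversal, external access to the admin area and a request flood, derives an IPS block list from the alerts, and produces the audit view of who touched /admin. The log lines, the 10.0.0.0/8 "internal" network, the rate threshold and all function names are assumptions for this example.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import unquote

# Apache/Nginx "common" log line: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumption: the corporate LAN
SQLI_RE = re.compile(r"(?i)(\bunion\s+select\b|'\s*or\s+|\bor\s+\d+\s*=\s*\d+)")
RATE_LIMIT_PER_SECOND = 20                            # assumption: flood threshold

# Constructed sample log: a probe, a traversal attempt, an external admin hit,
# an internal user working in /admin, and a 25-request burst in one second.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2021:10:01:02 +0000] "GET /product?id=17 HTTP/1.1" 200 5123',
    '203.0.113.7 - - [12/Mar/2021:10:01:05 +0000] "GET /product?id=17%27%20OR%201%3D1-- HTTP/1.1" 500 312',
    '198.51.100.4 - - [12/Mar/2021:10:02:00 +0000] "GET /../../etc/passwd HTTP/1.1" 404 210',
    '198.51.100.4 - - [12/Mar/2021:10:02:01 +0000] "GET /admin/ HTTP/1.1" 403 150',
    '10.0.0.5 - bob [12/Mar/2021:10:03:00 +0000] "GET /admin/orders HTTP/1.1" 200 9000',
    '10.0.0.5 - bob [12/Mar/2021:10:03:04 +0000] "POST /admin/orders/refund HTTP/1.1" 200 120',
] + [
    '192.0.2.9 - - [12/Mar/2021:10:05:00 +0000] "GET /checkout HTTP/1.1" 200 2048'
    for _ in range(25)
]


def parse(line: str):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect(lines) -> list:
    """IDS step: return (rule, ip, detail) tuples for every line that matches a rule."""
    alerts, per_second = [], Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            alerts.append(("unparseable", "-", line[:60]))
            continue
        target = unquote(rec["target"])          # decode %27 etc. before matching
        path = target.split("?", 1)[0]
        if SQLI_RE.search(target):
            alerts.append(("sqli", rec["ip"], target))
        if ".." in path.split("/"):
            alerts.append(("traversal", rec["ip"], target))
        if path.startswith("/admin") and not is_internal(rec["ip"]):
            alerts.append(("admin_external", rec["ip"], target))
        per_second[(rec["ip"], rec["ts"])] += 1   # timestamp has second resolution
    for (ip, ts), n in per_second.items():
        if n > RATE_LIMIT_PER_SECOND:
            alerts.append(("flood", ip, f"{n} requests in second {ts}"))
    return alerts


def block_list(alerts) -> list:
    """IPS step: external addresses to block; internal hosts are escalated, not auto-blocked."""
    blockable = {"sqli", "traversal", "flood"}
    return sorted({ip for rule, ip, _ in alerts if rule in blockable and not is_internal(ip)})


def admin_access_report(lines) -> dict:
    """Audit step: (user, ip) -> number of requests into /admin, insiders included."""
    report = Counter()
    for line in lines:
        rec = parse(line)
        if rec and unquote(rec["target"]).split("?", 1)[0].startswith("/admin"):
            report[(rec["user"], rec["ip"])] += 1
    return dict(report)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(a)
    print("block:", block_list(found))
    print("admin access:", admin_access_report(SAMPLE_LOG))
```

Note the split between the two steps: the IDS emits alerts for everything, including the insider's legitimate /admin activity showing up in the audit report, while the IPS only acts automatically on external addresses; blocking an internal host on a pattern match is a decision for a person.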
5.5. E-COMMERCE PAYMENT SYSTEMS

ONLINE CREDIT CARD TRANSACTIONS


5.5. E-COMMERCE PAYMENT SYSTEMS

ALTERNATIVE ONLINE PAYMENT SYSTEMS

• Online stored value payment system: permits consumers to make instant, online payments to merchants and other individuals based on value stored in an online account

• Example: PayPal
5.5. E-COMMERCE PAYMENT SYSTEMS

MOBILE PAYMENT SYSTEMS: YOUR SMARTPHONE WALLET

• There are three primary types of mobile wallet apps: universal proximity wallets, branded store proximity wallets, and P2P apps.
• Near field communication (NFC) is the primary enabling technology for universal proximity mobile wallets, while QR code technology is typically used for branded store proximity mobile wallets

- Quick Response (QR) code technology: uses a mobile app to generate a two-dimensional code that the merchant scans, enabling the payment amount to be deducted from the customer’s mobile wallet
5.5. E-COMMERCE PAYMENT SYSTEMS

BLOCKCHAIN AND CRYPTOCURRENCIES

• Blockchain system: transaction processing system that operates on a distributed and shared database (a peer-to-peer (P2P) network) rather than a single organization’s database

• Cryptocurrency: purely digital asset that works as a medium of exchange using cryptography

• Bitcoin: most prominent example of cryptocurrency in use today
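Added example (not from the slides): the mechanism that makes a blockchain's shared transaction record tamper-evident, reduced to its core. Each block carries the hash of the previous block, so editing a past transaction invalidates that block's hash, and recomputing it breaks the link from every later block. The transactions, the block layout and the function names are assumptions for this example; consensus, mining and networking are left out.

```python
import hashlib
import json
from dataclasses import dataclass

GENESIS_PREV = "0" * 64   # the first block has no predecessor


@dataclass
class Block:
    index: int
    prev_hash: str
    transactions: list    # constructed: list of {"from", "to", "amount"} dicts
    hash: str


def block_hash(index: int, prev_hash: str, transactions: list) -> str:
    """SHA-256 over a canonical encoding of the block's contents and its link."""
    payload = json.dumps(
        {"index": index, "prev_hash": prev_hash, "tx": transactions},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    return hashlib.sha256(payload).hexdigest()


def build_chain(batches: list) -> list:
    chain, prev = [], GENESIS_PREV
    for i, txs in enumerate(batches):
        h = block_hash(i, prev, txs)
        chain.append(Block(i, prev, txs, h))
        prev = h
    return chain


def verify_chain(chain: list):
    """Return (ok, index_of_first_bad_block). A block is bad if its stored hash
    does not recompute or if it does not point at the hash of its predecessor."""
    prev = GENESIS_PREV
    for b in chain:
        if b.prev_hash != prev or block_hash(b.index, b.prev_hash, b.transactions) != b.hash:
            return False, b.index
        prev = b.hash
    return True, None


def demo() -> dict:
    chain = build_chain([
        [{"from": "alice", "to": "bob", "amount": 5}],
        [{"from": "bob", "to": "carol", "amount": 2}],
        [{"from": "carol", "to": "alice", "amount": 1}],
    ])
    ok_before, _ = verify_chain(chain)
    # A participant rewrites history: bob's payment in block 1 becomes 200.
    chain[1].transactions[0]["amount"] = 200
    ok_after, bad_after = verify_chain(chain)
    # Recomputing block 1's own hash does not help: block 2 still links to
    # the old hash, so every later block would have to be rewritten as well,
    # and on a P2P network the other peers hold the original copies.
    chain[1].hash = block_hash(1, chain[1].prev_hash, chain[1].transactions)
    ok_rehashed, bad_rehashed = verify_chain(chain)
    return {
        "ok_before": ok_before,
        "ok_after": ok_after, "bad_after": bad_after,
        "ok_rehashed": ok_rehashed, "bad_rehashed": bad_rehashed,
    }


if __name__ == "__main__":
    print(demo())
```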


5.6. ELECTRONIC BILLING PRESENTMENT
AND PAYMENT
• Electronic billing presentment and payment (EBPP) system: form of online payment system for monthly bills

• EBPP BUSINESS MODELS

• There are four EBPP business models: online banking, biller-direct, mobile, and consolidator
5.7. CAREERS IN E-COMMERCE

• With cybercrime in the headlines nearly every day, positions in the cybersecurity field are growing rapidly.
• Cybersecurity is an interdisciplinary field that requires knowledge in technology, human behavior, finance, risk, law, and regulation, so students with a broad range of backgrounds may be successful in obtaining entry-level cybersecurity positions.
• There is particular demand in industries such as financial services, healthcare, retail, and education, as well as government, all of which have recently suffered high-profile attacks
5.7. CAREERS IN E-COMMERCE

THE COMPANY

• The company is one of the top high street banks and a major global financial services provider, with over 27 million customers worldwide.
• Along with other financial services firms of all sizes, the firm is a significant target for hackers and digital criminals.
• It has suffered through a number of security breaches in its online banking operations, including customer data breaches, credit and bank card fraud, denial of service attacks, and phishing threats to its internal systems.
5.7. CAREERS IN E-COMMERCE

THE POSITION: CYBERSECURITY THREAT MANAGEMENT TEAM TRAINEE
• Your responsibilities include:
• Responding to requests for information from business
partners (internal & external).
• Providing governance, guidance, and setting priorities for
risk-based threat management, mitigation, and
remediation.
• Providing information to stakeholders for their meetings to
illustrate and communicate the state of information security
risks.
5.7. CAREERS IN E-COMMERCE
THE POSITION: CYBERSECURITY THREAT MANAGEMENT TEAM TRAINEE
• Your responsibilities include:
• Advising Division Managers on developing security threats
and conducting a risk analysis.
• Reviewing, developing, testing, and implementing security
plans, products, and control techniques.
• Coordinating the reporting of data security incidents.
• Monitoring existing and proposed security standard setting
groups, including state and federal legislation and
regulations.
• Researching attempted efforts to compromise security
protocols
5.7. CAREERS IN E-COMMERCE
QUALIFICATIONS/SKILLS
• Bachelor’s degree in business administration, management
information systems, or computer science with coursework
in IT security and/or e-commerce security
• Knowledge of security research tools, products, and
standards
• Ability to learn vendor and in-house security solutions
• Ability to develop and write scripts for automating security
routines
• Ability to achieve SANS Institute security certifications or
CISSP (Certified Information Systems Security Professional)
5.7. CAREERS IN E-COMMERCE
QUALIFICATIONS/SKILLS
• Ability to develop applications/solutions for enhancing and
automating daily routines
• Strong analytical, problem solving, and conceptual thinking
skills
• Strong writing and presentation skills
• Ability to work with technical and non-technical business
managers
Thank you
