E-commerce securities

1.     What is e-commerce security and why is it important?

2.     How to identify threats to e-commerce?

3.     How to determine ways to protect e-commerce from those threats?

4.     What are electronic payment systems?

5.     What are the security requirements for electronic payment systems?

6.     What security measures are used to meet these requirements?

 

WHAT IS E-COMMERCE SECURITY

E-commerce security is the protection of e-commerce assets from unauthorized access, use, alteration, or destruction. 

 

6 dimensions of e-commerce security (Table 5.1)

1.     Integrity: prevention against unauthorized data modification

2.     Nonrepudiation: prevention against any one party from reneging on an agreement after the fact

3.     Authenticity: authentication of data source

4.     Confidentiality: protection against unauthorized data disclosure

5.     Privacy: provision of data control and disclosure

6.     Availability: prevention against data delays or removal

 

e-commerce threats (Figure 5.4)

Threats: anyone with the capability, technology, opportunity, and intent to do harm.Potential threats can be foreign or domestic, internal or external, state-sponsored or a single rogue element.Terrorists, insiders, disgruntled employees, and hackers are included in this profile (President's Commission on Critical Infrastructure Protection) 

 

Concern

2001

2000

Loss of Privacy/confidentiality, data misuse/abuse

28%

25%

Cracking, eavesdropping, spoofing, rootkits

25%

20%

Viruses, Trojans, worms, hostile ActiveX and Java

21%

26%

System unavailability, denial of service, natural disasters, power interruptions

18%

20%

2001 Information Security Industry Survey

 

1. Intellectual property threats -- use existing materials found on the Internet without the owner's permission, e.g., music downloading, domain name (cybersquatting), software pirating 

2. Client computer threats

      Trojan horse

      Active contents

      Viruses 

3. Communication channel threats

      Sniffer program

      Backdoor

      Spoofing

      Denial-of-service 

4. Server threats

      Privilege setting

      Server Side Include (SSI), Common Gateway Interface (CGI)

      File transfer

      Spamming 

 

Countermeasure (Figure 5.5)

A procedure that recognizes, reduces, or eliminates a threat

1. Intellectual property protection

      Legislature

      Authentication

2. Client computer protection

      Privacy -- Cookie blockersAnonymizer

      Digital certificate (Figure 5.9)

      Browser protection

      Antivirus software

      Computer forensics expert

3. Communication channel protection

      Encryption

*       Public-key encryption (asymmetric) vs Private-key encryption (symmetric) (Figure 5-6)

*       Encryption standard: Data Encryption Standard (DES), Advanced Encryption Standard (AES)

      Protocol

*       Secure Sockets Layer (SSL) (Figure 5.10)

*       Secure HyperText Transfer Protocol (S-HTTP)

      Digital signature (Figure 5-7)

Bind the message originator with the exact contents of the message

–A hash function is used to transform messages into a 128-bit digest (message digest).

–The sender’s private key is used to encrypt the message digest (digital signature)

–The message + signature are sent to the receiver

–The recipient uses the hash function to recalculate the message digest

–The sender’s public key is used to decrypt the message digest

–Check to see if the recalculated message digest = decrypted message digest

4. Server protection

      Access control and authentication

*       Digital signature from user

*       Username and password

*       Access control list

      Firewalls (Figure 5.11)

International Computer Security Association's classification:

       Packet filter firewall: checks IP address of incoming packet and rejects anything that does not match the list of trusted addresses (prone to IP spoofing)

       Application level proxy server: examines the application used for each individual IP packet (e.g., HTTP, FTP) to verify its authenticity.

       Stateful packet inspection: examines all parts of the IP packet to determine whether or not to accept or reject the requested communication. 

 

HOW TO MINIMIZE SECURITY THREATS (Figure 5.12)

1.     Perform a risk assessment a list of information assets and their value to the firm

2.     Develop a security policy a written statement on:

*       what assets to protect from whom?

*       why these assets are being protected?

*       who is responsible for what protection?

*       which behaviors are acceptable and unacceptable? 

3. Develop an implementation plan a set of action steps to achieve security goals

4. Create a security organization a unit to administer the security policy

5. Perform a security audit a routine review of access logs and evaluation of security procedures

 

ELECTRONIC PAYMENT SYSTEMS

A medium of payment between remote buyers and sellers in cyberspace: electronic cash, software wallets, smart cards, credit/debit cards.

 

Offline payment methods

Number of transactions: cash (42%), check (32%), credit card (18%) (Figure 6.1)

Dollar amount: check(52%), credit card (21%), cash (17%) (Figure 6.2)

 

Payment systems

Properties

Costs

Advantages

Disadvantages

Electronic cash

e.g., PayPal

    31% of US population do not have credit cards

    micropayments (< $10) 

    Independent 

    Portable 

    Divisible

    Internet cash transfer: no fixed cost of hardware

    No distance costs 

    Small processing fee to banks

    Efficient

    Less costly

    Money laundering

    Forgery 

    Low acceptance 

    Multiple standards

Electronic wallets

e.g., Passport

    Stores shipping & billing information

    Encrypted digital certificate

    Lengthy download for client-side wallets

    Enter information into checkout forms automatically

    Client-side wallets are not portable

    Privacy issue for server-side wallets

Smart cards

e.g., Blue

    Embedded microchip storing encrypted personal information

    Time value of money

    Convenience

    Need a card reader

    Card theft 

    Low acceptance

Credit cards

e.g., VeriSign

    Line of credit

    Purchase dispute protection 

    Secure Electronic Transaction (SET) Protocol

    Unpaid balance charge

    $50 limit on frauds 

    Processing fee

    Most popular

    Worldwide acceptance

    Costly

 

SECURITY REQUIREMENTS

1.     Authentication of merchant and consumer

2.     Confidentiality of data

3.     Integrity of data

4.     Non-repudiation 

 

SECURITY MEASURES

1. Secure Electronic Transaction (SET) protocol: developed jointly by MasterCard and Visa with the goal of providing a secure payment environment for the transmission of credit card data. 

 

Features

SSL

SET

Encryption of data during transmission

Yes

Yes

Confirmation of message integrity

Yes

Yes

Authentication of merchant

Yes

Yes

Authentication of consumer

No

Yes

Transmission of specific data only on a "need know" basis

No

Yes

Inclusion of bank or trusted third party in transaction

No

Yes

No need for merchant to secure credit card data internally

No

Yes

 

SET payment transaction:

*       A shopper makes a purchase and transmits encrypted billing information with his/her digital certificate to the merchant.

*       The merchant transfers the SET-coded transaction to a payment card-processing center.

*       The processing center decrypts the transaction.

*       A certification authority certifies the digital certificate as belonging to the shopper.

*       The processing center routes the transaction to the shopper's bank for approval.

*       The merchant receives notification from the shopper's bank that the transaction is approved.

*       The shopper's payment card account is charged for the transaction amount.

*       The merchant ships the merchandize and transmits the transaction amount to the merchant's bank for deposit. 

 

2. Disposable credit numbers: one-time-use credit card numbers (private payment number) are transmitted to the merchant

      Register with American Express or Discover

      Download software (a Private Payment icon tray will be displayed on the screen)

      Shop online

      Click on the Private Payment icon

      Log-in

      Select the credit card to be used

      View unique, one-time-use credit card number and expiration date

      Enter the one-time-used credit card number and expiration date into merchant's standard form