E-commerce securities

1.     What is e-commerce security and why is it important?

2.     How to identify threats to e-commerce?

3.     How to determine ways to protect e-commerce from those threats?

4.     What are electronic payment systems?

5.     What are the security requirements for electronic payment systems?

6.     What security measures are used to meet these requirements?

 

WHAT IS E-COMMERCE SECURITY

E-commerce security is the protection of e-commerce assets from unauthorized access, use, alteration, or destruction.

1.  e-commerce assets

      Intellectual property

      Client computers → push for point-and-click commerce

      Messages traveling on the communication channel → ubiquitous connectivity

      Web server & its hardware → complex systems and networks

** basic flaws in Internet infrastructure

 

2.  The importance of securing e-commerce

      Secrecy: protection against unauthorized data disclosure and authentication of data source

      Integrity: prevention against unauthorized data modification

      Necessity: prevention against data delays or removal

      Non-repudiation: prevention against any one party from reneging on an agreement after the fact

→    protect corporation's image and reputation

→    minimize the impact of security failures

→    minimize downtime

→    fulfill legal and regulatory requirements for data integrity/confidentiality and consumer privacy

 

e-commerce threats

Threats: anyone with the capability, technology, opportunity, and intent to do harm. Potential threats can be foreign or domestic, internal or external, state-sponsored or a single rogue element. Terrorists, insiders, disgruntled employees, and hackers are included in this profile (President's Commission on Critical Infrastructure Protection).


 

1.   Intellectual property threats -- use existing materials found on the Internet without the owner's permission, e.g., music downloading, domain name (cybersquatting), software pirating

2.  Client computer threats

      Malicious codes

      Active contents

3.  Communication channel threats

      Sniffer program

      Backdoor

      Spoofing

      Denial-of-service

4.  Server threats

      Privilege setting

      Server Side Include (SSI), Common Gateway Interface (CGI)

      File transfer

      Spamming

 

How to identify threats?

Vulnerability assessments or penetration tests

Risk = Threat x Vulnerability x Cost

 

Threat: frequency of potentially adverse events

Threat                                                                      2002*   2001**   2000**
Viruses, Trojans, worms, hostile ActiveX and Java                           31%     21%      26%
Loss of Privacy/confidentiality, data misuse/abuse                          23%     28%      25%
System unavailability, denial of service, natural disasters, power outage   15%     18%      20%
Cracking, eavesdropping, spoofing                                           11%     25%      20%

*   2002 Information Security Survey

** 2001 Information Security Industry Survey

 

Vulnerability: likelihood of success of a particular attack, e.g., Merchant Risk Council’s fraud test

 

Cost: real damages to hardware or software + IT staff time and resources spent repairing the damages + lost productivity, public relations damage control, lost public confidence, lost business opportunities, e.g., Figure 15 of 2004 CSI/FBI Computer Crime & Security Survey

 

Countermeasure

A procedure that recognizes, reduces, or eliminates a threat

 

Two types of countermeasures: Physical vs logical security

1.  Intellectual property protection

      Legislature

      Blocking

      Authentication

2.  Client computer protection

      Privacy -- Cookie blockers, Anonymizer, e-mail shredding

      Digital certificate

      Browser protection

      Antivirus software

      Computer forensics expert

3.  Communication channel protection

      Encryption

      3 types of encryption program: hash coding, public-key encryption (asymmetric), private-key encryption (symmetric)

o      Private-key encryption: both the sender and the receiver of the message have access to the same key

o      Public-key encryption: Each individual has his or her own public-private key pair, which is derived mathematically from a one-way function with an intentional trap door. A one-way function is a mathematical problem which is easy to perform in one direction but extremely difficult and time-consuming to perform in the reverse direction. Key pairs are generated using such a function, but they have a trap door. The trap door makes the reverse computation relatively easy if a precise piece of information is known. This additional piece of information is the key pair owner's secret password. e.g., RSA algorithm

RSA algorithm

1.     Find two very large prime numbers, P and Q.

2.     Find a number E that has the following properties:

a.      It is an odd number,

b.     It is less than P x Q,

c.      It is relatively prime to (P-1) x (Q-1)

Meaning that E and the result of this equation have no common prime factors.

3.     Compute a value D that has the following property:

((D x E) - 1) can be evenly divided by (P-1) x (Q-1).

The public key-pair is the pair (P x Q, E),

The private key is the number D,

The public key is E.

The encryption function uses the public key E and the modulus P x Q:

      Encrypted message = T^E modulus (P x Q), where T is the message being encrypted.

The decryption function uses the private key D and the modulus P x Q:

      Decrypted message = C^D modulus (P x Q), where C is the encrypted message.

*       Encryption standard: Data Encryption Standard (DES), Advanced Encryption Standard (AES)

*       Protocol: Secure Sockets Layer (SSL), Secure HyperText Transfer Protocol (S-HTTP)

 

       Digital signature (Turban et al. 2004, Exhibit 12.5)

  Bind the message originator with the exact contents of the message

    A hash function is used to transform messages into a 128-bit digest (message digest).

    The sender’s private key is used to encrypt the message digest (digital signature)

    The message + signature are sent to the receiver

    The recipient uses the hash function to recalculate the message digest

    The sender’s public key is used to decrypt the message digest

    Check to see if the recalculated message digest = decrypted message digest
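
The RSA steps and the digital-signature steps above, carried through in Python as an added example (not part of the original notes). The demo primes, the SHA-256 digest (used here in place of the 128-bit digest the notes mention) and all function names are assumptions of this example; it is textbook RSA without padding, meant for following the arithmetic, not for protecting real data.

```python
import hashlib
from math import gcd

# Constructed demo primes (the Mersenne primes 2^127-1 and 2^521-1).
# Publicly known primes like these must never be used for a real key.
P = 2**127 - 1
Q = 2**521 - 1

def generate_keys(p, q, e_start=65537):
    """Steps 1-3 of the notes: return (N, E, D) for primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    e = e_start | 1                      # 2a: E is odd
    while gcd(e, phi) != 1:              # 2c: relatively prime to (P-1) x (Q-1)
        e += 2
    if e >= n:                           # 2b: E is less than P x Q
        raise ValueError("no suitable E below P x Q")
    d = pow(e, -1, phi)                  # 3: (D x E) - 1 divisible by (P-1) x (Q-1)
    return n, e, d

def encrypt(t, e, n):
    """Encrypted message = T^E modulus (P x Q)."""
    return pow(t, e, n)

def decrypt(c, d, n):
    """Decrypted message = C^D modulus (P x Q)."""
    return pow(c, d, n)

def digest_int(message):
    """Message digest as an integer (SHA-256, an assumption of this example)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message, d, n):
    """Sender: transform the message digest with the private key D."""
    return pow(digest_int(message), d, n)

def verify(message, signature, e, n):
    """Recipient: recompute the digest and compare it with the recovered one."""
    return pow(signature, e, n) == digest_int(message)

N, E, D = generate_keys(P, Q)

if __name__ == "__main__":
    order = b"order=1001;amount=49.95"   # constructed sample message
    sig = sign(order, D, N)
    print("genuine:", verify(order, sig, E, N))
    print("altered:", verify(b"order=1001;amount=4.95", sig, E, N))
```

Changing a single byte of the message changes the recomputed digest, so the comparison in the last signature step fails even though the signature itself is untouched.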

 

4.  Server protection

      Access control and authentication

*       Digital signature from user

*       Username and password

*       Access control list

*       Intrusion detection systems: e.g., Cisco System’s NetRanger

 

      Firewalls

International Computer Security Association's classification:

·       Packet filter firewall: checks IP address of incoming packet and rejects anything that does not match the list of trusted addresses (prone to IP spoofing)

·       Application level proxy server: examines the application used for each individual IP packet (e.g., HTTP, FTP) to verify its authenticity.

·       Stateful packet inspection: examines all parts of the IP packet to determine whether or not to accept or reject the requested communication.

 

SUMMARY

Assets                  Threats               Countermeasures

Intellectual property   pirating              Legislature
                                              Blocking
                                              Authentication

Client computer         Malicious code        Blocking
                        Active contents       Digital certificate verification
                                              Browser protection
                                              Antivirus software
                                              Computer forensics

Communication channel   Sniffer program       Encryption
                        Backdoor              Digital signature
                        Spoofing
                        Denial-of-service

Server                  Privilege abuse       Access control
                        CGI                   Firewalls
                        File transfer
                        Spamming

 

ELECTRONIC PAYMENT SYSTEMS

A medium of payment between remote buyers and sellers in cyberspace: electronic cash, software wallets, smart cards, credit/debit cards.

Offline payment methods: cash (55%), check (29%), credit card (16%)
 

Payment systems

Properties

Advantages

Disadvantages

Electronic cash

e.g., PayPal

    31% of US population do not have credit cards

    micropayments (< $10)

    Independent

    Portable

    Divisible

    Efficient

    Less costly

    Money laundering

    Forgery

    Low acceptance

    Multiple standards

Electronic wallets

e.g., Passport

    Stores shipping & billing information

    Encrypted digital certificate

    Enter information into checkout forms automatically

    Client-side wallets are not portable

    Privacy issue for server-side wallets

Smart cards

e.g., Blue

    Embedded microchip storing encrypted personal information

    Convenience

    Need a card reader

    Card theft

    Low acceptance

Credit cards

    Line of credit

    Purchase dispute protection

    Secure Electronic Transaction (SET) Protocol

    Most popular

    Worldwide acceptance

    Charge back

    $50 limit on frauds

    Processing fee

 

SECURITY REQUIREMENTS

1.     Authentication of merchant and consumer

2.     Confidentiality of data

3.     Integrity of data

4.     Non-repudiation

 

SECURITY MEASURES

1.  Secure Electronic Transaction (SET) protocol: developed jointly by MasterCard and Visa with the goal of providing a secure payment environment for the transmission of credit card data.

 

Features                                                     SSL   SET
Encryption of data during transmission                       Yes   Yes
Confirmation of message integrity                            Yes   Yes
Authentication of merchant                                   Yes   Yes
Authentication of consumer                                   No    Yes
Transmission of specific data only on a "need to know" basis No    Yes
Inclusion of bank or trusted third party in transaction      No    Yes
No need for merchant to secure credit card data internally   No    Yes

 

SET payment transaction:

*       A shopper makes a purchase and transmits encrypted billing information with his/her digital certificate to the merchant.

*       The merchant transfers the SET-coded transaction to a payment card-processing center.

*       The processing center decrypts the transaction.

*       A certification authority certifies the digital certificate as belonging to the shopper.

*       The processing center routes the transaction to the shopper's bank for approval.

*       The merchant receives notification from the shopper's bank that the transaction is approved.

*       The shopper's payment card account is charged for the transaction amount.

*       The merchant ships the merchandise and transmits the transaction amount to the merchant's bank for deposit.

 

2.  Disposable credit numbers: one-time-use credit card numbers are transmitted to the merchant

 

3.  Other developments

        Wireless payment, e.g., Qpass

        Stored-value/prepaid cards, e.g., UK Plus account

        E-loyalty and rewards programs, e.g., MyPoints

        Contactless cards, e.g., ExpressPay

        3-factor authentication

       Something you know

       Something you have

       Something you are (biometrics)

e.g., Fingerprint-recognition system for PCs

 Fingerprint scan foils fake & cutoff fingers

 

How to judge whether or not a business is trustworthy? (E-commerce trust)

      Social: reputation

      Legal: compensation

      Technological: money, secure credit card

*       Online security may have been improved, but faith in e-commerce has not

*       The development of trust is complex and costly but once established, the system is cheap to maintain.

*       To build a secure environment for e-commerce, it may be more important to build a system based on interpersonal relationships rather than technology → social control rather than external control.