Chapter 4

The document discusses various methods for achieving security in e-commerce, including using new technologies, policies and procedures, and industry standards. It outlines factors to consider like cost and potential loss. Key points of vulnerability are the client, server, and communication channels. Common security threats are discussed like malware, phishing, hacking, and data breaches. Encryption methods like symmetric key, public key, digital signatures, and digital envelopes are described. Securing communication channels with SSL/TLS and VPNs is also covered.

Uploaded by ohoudhasan08

E-commerce

business. technology. society.

Kenneth C. Laudon
Carol Guercio Traver
What Is Good E-commerce Security?
 To achieve highest degree of security
   New technologies
   Organizational policies and procedures
   Industry standards and government laws
 Other factors
   Time value of money
   Cost of security vs. potential loss
   Security often breaks at weakest link
Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall
Slide 5-2
The E-commerce Security Environment
Slide 5-3
Slide 5-4
The Tension Between Security and Other Values
 Ease of use
   The more security measures added, the more difficult a site is to use, and the slower it becomes
 Public safety and criminal uses of the Internet
   Use of technology by criminals to plan crimes or threaten nation-state
Slide 5-5
Security Threats in the E-commerce Environment
 Three key points of vulnerability in e-commerce environment:
   1. Client
   2. Server
   3. Communications pipeline (Internet communications channels)
Slide 5-6
A Typical E-commerce Transaction
Figure 5.2, Page 256
Slide 5-7
Vulnerable Points in an E-commerce Transaction
Figure 5.3, Page 257
Slide 5-8
Most Common Security Threats in the E-commerce Environment
 Malicious code (malware, exploits)
   Drive-by downloads
   Viruses
   Worms
   Ransomware
   Trojan horses
   Backdoors
   Bots, botnets
   Threats at both client and server levels
Slide 5-9
Most Common Security Threats (cont.)
 Potentially unwanted programs (PUPs)
   Browser parasites
   Adware
   Spyware
 Phishing
   Social engineering
   E-mail scams
   Spear-phishing
   Identity fraud/theft
Slide 5-10
Most Common Security Threats (cont.)
 Hacking
   Hackers vs. crackers
   Types of hackers: White, black, grey hats
   Hacktivism
 Cybervandalism:
   Disrupting, defacing, destroying Web site
 Data breach
   Losing control over corporate information to outsiders
Slide 5-11
Most Common Security Threats (cont.)
 Credit card fraud/theft
 Spoofing and pharming
 Spam (junk) Web sites (link farms)
 Identity fraud/theft
 Denial of service (DoS) attack
   Hackers flood site with useless traffic to overwhelm network
 Distributed denial of service (DDoS) attack
Slide 5-12
Most Common Security Threats (cont.)
 Sniffing
   Eavesdropping program that monitors information traveling over a network
 Insider attacks
 Poorly designed server and client software
 Social network security issues
 Mobile platform security issues
   Vishing, smishing, madware
 Cloud security issues
Slide 5-13
Technology Solutions
 Protecting Internet communications
   Encryption
 Securing channels of communication
   SSL, VPNs
 Protecting networks
   Firewalls
 Protecting servers and clients
Slide 5-14
Tools Available to Achieve Site Security
Figure 5.5, Page 276
Slide 5-15
Encryption
 Encryption
   Transforms data into cipher text readable only by sender and receiver
   Secures stored information and information transmission
   Provides 4 of 6 key dimensions of e-commerce security:
     Message integrity
     Nonrepudiation
     Authentication
     Confidentiality
Slide 5-16
Symmetric Key Encryption
 Sender and receiver use same digital key to encrypt and decrypt message
 Requires different set of keys for each transaction
 Strength of encryption
   Length of binary key used to encrypt data
 Data Encryption Standard (DES)
 Advanced Encryption Standard (AES)
   Most widely used symmetric key encryption
   Uses 128-, 192-, and 256-bit encryption keys
 Other standards use keys with up to 2,048 bits
Slide 5-17
Public Key Encryption
 Uses two mathematically related digital keys
   Public key (widely disseminated)
   Private key (kept secret by owner)
 Both keys used to encrypt and decrypt message
   Once key used to encrypt message, same key cannot be used to decrypt message
   Sender uses recipient’s public key to encrypt message; recipient uses private key to decrypt it
Slide 5-18
Public Key Cryptography: A Simple Case
Figure 5.6, Page 279
Slide 5-19
Public Key Encryption Using Digital Signatures and Hash Digests
 Hash function:
   Mathematical algorithm that produces fixed-length number called message or hash digest
   Hash digest of message sent to recipient along with message to verify integrity
   Hash digest and message encrypted with recipient’s public key
   Entire cipher text then encrypted with recipient’s private key—creating digital signature—for authenticity, nonrepudiation
Slide 5-20
Public Key Cryptography with Digital Signatures
Figure 5.7, Page 281
Slide 5-21
Digital Envelopes
 Address weaknesses of:
   Public key encryption
     Computationally slow, decreased transmission speed, increased processing time
   Symmetric key encryption
     Insecure transmission lines
 Uses symmetric key encryption to encrypt document
 Uses public key encryption to encrypt and send symmetric key
Slide 5-22
Creating a Digital Envelope
Figure 5.8, Page 282
Slide 5-23
Digital Certificates and Public Key Infrastructure (PKI)
 Digital certificate includes:
   Name of subject/company
   Subject’s public key
   Digital certificate serial number
   Expiration date, issuance date
   Digital signature of CA
 Public Key Infrastructure (PKI):
   CAs and digital certificate procedures
   PGP
Slide 5-24
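The three slides above (hash digests and digital signatures, digital envelopes, and digital certificates) describe one family of operations built on a public/private key pair. The following is an added example, not code from the textbook or from Laudon and Traver, that runs all three with Python's standard library only. It uses textbook RSA with no padding and a SHA-256 counter keystream as a stand-in for AES, both constructed for illustration rather than for real use; the names alice, bob and the CA, the serial number and the certificate dates are all constructed. Note that a digital signature is produced with the sender's private key and checked with the sender's public key (that pairing is what lets any recipient verify it), which is how `sign` and `verify` below are written.

```python
import hashlib
import secrets

E = 65537  # public exponent

def is_probable_prime(n, rounds=16):
    """Miller-Rabin probable-prime test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    """Random prime with the top bit set, so n = p*q exceeds a 256-bit SHA-256 digest."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def generate_keypair(bits=256):
    """Textbook RSA (no padding, illustration only): returns (private, public) as (exponent, modulus)."""
    while True:
        p, q = random_prime(bits), random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % E != 0:
            return (pow(E, -1, phi), p * q), (E, p * q)

def digest_int(message):
    """Fixed-length 'hash digest' of the message (SHA-256) as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message, signer_private):
    """Digital signature: the digest is transformed with the SENDER's private key."""
    d, n = signer_private
    return pow(digest_int(message), d, n)

def verify(message, signature, signer_public):
    """Recipient recomputes the digest and compares it with the signature opened by the sender's public key."""
    e, n = signer_public
    return pow(signature, e, n) == digest_int(message)

def keystream_xor(key, data):
    """Stand-in symmetric cipher (SHA-256 counter keystream XOR); the same call encrypts and decrypts."""
    out = bytearray()
    for i in range((len(data) + 31) // 32):
        ks = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i * 32:(i + 1) * 32], ks))
    return bytes(out)

def seal(message, recipient_public):
    """Digital envelope: a fresh symmetric key encrypts the document; the recipient's public key wraps the key."""
    e, n = recipient_public
    session_key = secrets.token_bytes(32)  # new key per message, as the symmetric-key slide requires
    return {"body": keystream_xor(session_key, message),
            "wrapped_key": pow(int.from_bytes(session_key, "big"), e, n)}

def open_envelope(envelope, recipient_private):
    """Recipient unwraps the symmetric key with the private key, then decrypts the document."""
    d, n = recipient_private
    session_key = pow(envelope["wrapped_key"], d, n).to_bytes(32, "big")
    return keystream_xor(session_key, envelope["body"])

def issue_certificate(ca_private, subject, subject_public, serial, issued, expires):
    """Minimal certificate carrying the fields from the PKI slide, signed by the CA (constructed format)."""
    fields = {"subject": subject, "public_key": subject_public, "serial": serial,
              "issued": issued, "expires": expires}
    return {**fields, "ca_signature": sign(repr(fields).encode(), ca_private)}

def verify_certificate(cert, ca_public):
    """Relying party checks the CA's signature over the certificate fields."""
    fields = {k: v for k, v in cert.items() if k != "ca_signature"}
    return verify(repr(fields).encode(), cert["ca_signature"], ca_public)

if __name__ == "__main__":
    alice_priv, alice_pub = generate_keypair()   # sender (constructed party)
    bob_priv, bob_pub = generate_keypair()       # recipient (constructed party)
    ca_priv, ca_pub = generate_keypair()         # certification authority (constructed)
    order = b"ship 2 units to Bob, total 99.00"  # constructed message
    cert = issue_certificate(ca_priv, "alice", alice_pub, 1, "2014-01-01", "2015-01-01")
    env = seal(order, bob_pub)
    sig = sign(order, alice_priv)
    print(verify_certificate(cert, ca_pub), verify(open_envelope(env, bob_priv), sig, cert["public_key"]))
```

Bob first checks the CA's signature on Alice's certificate, takes her public key from it, opens the envelope with his own private key, and only then verifies her signature over the recovered order; a single changed byte in the order or in any certificate field makes the corresponding check fail.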
Digital Certificates and Certification Authorities
Figure 5.9, Page 283
Slide 5-25
Limits to Encryption Solutions
 Doesn’t protect storage of private key
   PKI not effective against insiders, employees
   Protection of private keys by individuals may be haphazard
 No guarantee that verifying computer of merchant is secure
 CAs are unregulated, self-selecting organizations
Slide 5-26
Securing Channels of Communication
 Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
   Establishes secure, negotiated client–server session
 Virtual Private Network (VPN)
   Allows remote users to securely access internal network via the Internet
 Wireless (Wi-Fi) networks
   WPA2
Slide 5-27
Protecting Networks
 Firewall
   Hardware or software
   Uses security policy to filter packets
   Two main methods:
     Packet filters
     Application gateways
 Proxy servers (proxies)
   Software servers that handle all communications from or sent to the Internet
 Intrusion detection systems
 Intrusion prevention systems
Slide 5-28
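The slide says a firewall "uses security policy to filter packets" without showing what that policy looks like. The following added example (not from the textbook or from any firewall product) is a small packet filter of the first kind named on the slide: an ordered rule list evaluated top to bottom, first match wins, ending in a default deny. The storefront address 203.0.113.10, the internal 10.0.0.0/8 range and the sample packets are all constructed.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed packet and rule shapes for the illustration.
Packet = namedtuple("Packet", "src dst proto dport")
Rule = namedtuple("Rule", "action src dst proto dport")

# Constructed security policy for a hypothetical storefront at 203.0.113.10.
# Rules are checked top to bottom; the first match decides; the last rule is the default deny.
POLICY = [
    Rule("allow", "0.0.0.0/0",  "203.0.113.10/32", "tcp", 443),   # HTTPS from anywhere
    Rule("allow", "0.0.0.0/0",  "203.0.113.10/32", "tcp", 80),    # HTTP from anywhere
    Rule("allow", "10.0.0.0/8", "203.0.113.0/24",  "tcp", 22),    # SSH only from the internal network
    Rule("deny",  "0.0.0.0/0",  "0.0.0.0/0",       "any", None),  # everything else
]

def rule_matches(rule, pkt):
    """A rule matches when every field it constrains matches the packet."""
    if ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    return rule.dport is None or rule.dport == pkt.dport

def filter_packet(policy, pkt):
    """First-match evaluation; returns 'allow' or 'deny', and 'deny' when no rule matches at all."""
    for rule in policy:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"

def filter_log(policy, packets):
    """Apply the policy to a batch of packets and return one decision line per packet."""
    return [f"{filter_packet(policy, p)} {p.proto} {p.src} -> {p.dst}:{p.dport}" for p in packets]

# Constructed sample traffic: public HTTPS, public SSH attempt, internal SSH, UDP to 443, wrong host.
SAMPLE_PACKETS = [
    Packet("198.51.100.7", "203.0.113.10", "tcp", 443),
    Packet("198.51.100.7", "203.0.113.10", "tcp", 22),
    Packet("10.20.30.40",  "203.0.113.10", "tcp", 22),
    Packet("198.51.100.7", "203.0.113.10", "udp", 443),
    Packet("198.51.100.7", "203.0.113.11", "tcp", 443),
]

if __name__ == "__main__":
    for line in filter_log(POLICY, SAMPLE_PACKETS):
        print(line)
```

Only the first and third sample packets are allowed; the SSH attempt from the public address, the UDP packet to port 443 and the packet to a host the policy never mentions all fall through to the default deny, which is the property worth checking in any rule set: what happens to traffic no rule was written for.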
Firewalls and Proxy Servers
Slide 5-29
Protecting Servers and Clients
 Operating system security enhancements
   Upgrades, patches
 Anti-virus software
   Easiest and least expensive way to prevent threats to system integrity
   Requires daily updates
Slide 5-30
Management Policies, Business Procedures, and Public Laws
 Managing risk includes:
   Technology
   Effective management policies
   Public laws and active enforcement
Slide 5-31
A Security Plan: Management Policies
 Risk assessment
 Security policy
 Implementation plan
 Security organization
   Access controls
   Authentication procedures, including biometrics
   Authorization policies, authorization management systems
 Security audit
Slide 5-32
Developing an E-commerce Security Plan
Slide 5-33
Types of Payment Systems
 Cash
   Most common form of payment
   Instantly convertible into other forms of value
   No float
 Checking transfer
   Second most common payment form in United States
 Credit card
   Credit card associations
   Issuing banks
   Processing centers
Slide 5-34
Types of Payment Systems (cont.)
 Stored value
   Funds deposited into account, from which funds are paid out or withdrawn as needed
   Debit cards, gift certificates
   Peer-to-peer payment systems
 Accumulating balance
   Accounts that accumulate expenditures and to which consumers make periodic payments
   Utility, phone, American Express accounts
Slide 5-35
Payment System Stakeholders
 Consumers
   Low-risk, low-cost, refutable, convenience, reliability
 Merchants
   Low-risk, low-cost, irrefutable, secure, reliable
 Financial intermediaries
   Secure, low-risk, maximizing profit
 Government regulators
   Security, trust, protecting participants and enforcing reporting
Slide 5-36
E-commerce Payment Systems
 Credit cards
 Debit cards
 Limitations of online credit card payment
   Security, merchant risk
   Cost
   Social equity
Slide 5-37
How an Online Credit Transaction Works
Figure 5.15, Page 302
Slide 5-38
Alternative Online Payment Systems
 Online stored value systems:
   Based on value stored in a consumer’s bank, checking, or credit card account
   Example: PayPal
 Other alternatives:
   Amazon Payments
   Google Checkout
   Bill Me Later
   WUPay, Dwolla, Stripe
Slide 5-39
Mobile Payment Systems
 Use of mobile phones as payment devices established in Europe, Japan, South Korea
 Near field communication (NFC)
   Short-range (2”) wireless for sharing data between devices
 Expanding in United States
   Google Wallet, Apple payment
     Mobile app designed to work with NFC chips
   PayPal
   Square
Slide 5-40
Digital Cash and Virtual Currencies
 Digital cash
   Based on algorithm that generates unique tokens that can be used in “real” world
   Example: Bitcoin
 Virtual currencies
   Circulate within internal virtual world
   Example: Linden Dollars in Second Life, Facebook Credits
Slide 5-41
Case Study: Online Payment Marketplace, page 311
Case Study Questions
1. What is the value proposition that Square offers consumers? How about merchants? What are some of the weaknesses of Square’s system?
2. Why would telecommunications carriers like AT&T and Verizon want to move into the payments business? What chance do they have to compete against Google? What’s their advantage?
3. What advantages does PayPal have in the mobile payment market? What are its weaknesses?
4. What strategies would you recommend that PayPal pursue in order to translate its dominance in alternative online payments into a strong position in the emerging mobile payment market, especially in on-premise payments?