
Chapter 9
E-commerce Security and Payment System

The E-commerce Security Environment

The Tension Between Security and Other Values
- Ease of use
  - The more security measures added, the more difficult a site is to use, and the slower it becomes
- Public safety and criminal uses of the Internet
  - Use of technology by criminals to plan crimes or threaten nation-states

Security Threats in the E-commerce Environment
- Three key points of vulnerability in the e-commerce environment:
  1. Client
  2. Server
  3. Communications pipeline (Internet communications channels)

A Typical E-commerce Transaction (Figure 4.2, Page 246)

Vulnerable Points in an E-commerce Transaction (Figure 4.3, Page 247)
Most Common Security Threats in the E-commerce Environment
- Malicious code (malware): a threat at both the client and the server level
  - Exploits and exploit kits
  - Drive-by downloads
  - Viruses
  - Worms
  - Ransomware
  - Trojan horses
  - Backdoors
  - Bots, botnets

Most Common Security Threats (cont.)
- Potentially unwanted programs (PUPs)
  - Browser parasites
  - Adware
  - Spyware
- Phishing
  - Social engineering
  - E-mail scams
  - Spear phishing
  - Identity fraud/theft

Most Common Security Threats (cont.)
- Hacking
  - Hackers vs. crackers
  - Types of hackers: white, black, grey hats
  - Hacktivism
- Cybervandalism:
  - Disrupting, defacing, or destroying a Web site

Most Common Security Threats (cont.)
- Credit card fraud/theft
- Spam (junk) Web sites
  - Link farms
- Denial of service (DoS) attack
  - Site flooded with useless traffic to overwhelm the network
- Distributed denial of service (DDoS) attack

Most Common Security Threats (cont.)
- Sniffing
  - Eavesdropping program that monitors information traveling over a network
- Insider attacks
- Poorly designed software
- Social network security issues
- Mobile platform security issues
  - Vishing, smishing, madware
- Cloud security issues

Technology Solutions
- Protecting Internet communications
  - Cryptography
- Securing channels of communication
  - SSL, TLS, VPNs, Wi-Fi
- Protecting networks
  - Firewalls, proxy servers, IDS, IPS
- Protecting servers and clients
  - OS security, anti-virus

Tools Available to Achieve Site Security (Figure 4.5, Page 267)

Encryption
- Encryption
  - Transforms data into cipher text readable only by sender and receiver
  - Secures stored information and information transmission
  - Provides 4 of 6 key dimensions of e-commerce security:
    - Message integrity
    - Nonrepudiation
    - Authentication
    - Confidentiality
Copyright © 2016 Pearson Education, Ltd.


Symmetric Key Cryptography
- Sender and receiver use the same digital key to encrypt and decrypt a message
- Requires a different set of keys for each transaction
- Strength of encryption
  - Length of the binary key used to encrypt data
- Data Encryption Standard (DES)
- Advanced Encryption Standard (AES)
  - Most widely used symmetric key algorithm
  - Uses 128-, 192-, and 256-bit encryption keys
- Other standards use keys with up to 2,048 bits


Public Key Cryptography
- Uses two mathematically related digital keys
  - Public key (widely disseminated)
  - Private key (kept secret by owner)
- Both keys are used to encrypt and decrypt a message
- Once a key is used to encrypt a message, the same key cannot be used to decrypt the message
- Sender uses the recipient's public key to encrypt the message; the recipient uses the private key to decrypt it

Public Key Cryptography: A Simple Case (Figure 4.6, Page 271)

Public Key Cryptography using Digital Signatures and Hash Digests
- Hash function:
  - Mathematical algorithm that produces a fixed-length number called a message digest or hash digest
- Hash digest of the message is sent to the recipient along with the message to verify integrity
- Hash digest and message are encrypted with the recipient's public key
- Entire cipher text is then encrypted with the recipient's private key, creating a digital signature, for authenticity and nonrepudiation

Public Key Cryptography with Digital Signatures (Figure 4.7, Page 272)

Digital Envelopes
- Address weaknesses of:
  - Public key cryptography
    - Computationally slow, decreased transmission speed, increased processing time
  - Symmetric key cryptography
    - Insecure transmission lines
- Uses symmetric key cryptography to encrypt the document
- Uses public key cryptography to encrypt and send the symmetric key
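The three slides on public key cryptography, digital signatures with hash digests, and digital envelopes chain together into one flow. The code below is an added teaching example, not from the textbook or the slides: it uses textbook RSA with tiny constructed primes so the arithmetic stays visible (real keys use 2048-bit or larger moduli with padding), SHA-256 as the hash function, and an HMAC-SHA256 counter-mode keystream as a stand-in for a real symmetric cipher such as AES, because the Python standard library ships no AES. The merchant/customer key pair names, the 5-byte session key and the sample order string are all constructed for the example. The signature is produced with the sender's private key and checked with the sender's public key, which is what lets the merchant confirm who sent the envelope and detect any change to it.

```python
import hashlib
import hmac
import secrets


def make_keypair(p, q, e=65537):
    """Textbook RSA key generation from two primes (toy sizes here).
    Returns (public_key, private_key) as (n, exponent) tuples."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))    # modular inverse of e, Python 3.8+
    return (n, e), (n, d)


# Constructed toy primes (2^31 - 1, 10^6 + 3, the millionth prime, the
# hundred-thousandth prime); real deployments use 2048-bit+ moduli.
MERCHANT_PUB, MERCHANT_PRIV = make_keypair(2147483647, 1000003)
CUSTOMER_PUB, CUSTOMER_PRIV = make_keypair(15485863, 1299709)

SESSION_KEY_BYTES = 5   # toy: 40-bit key so it fits under the tiny moduli


def hash_digest(message: bytes) -> bytes:
    """Fixed-length message digest used for integrity checking."""
    return hashlib.sha256(message).digest()


def sign(message: bytes, private_key) -> int:
    """Digital signature: the digest transformed with the SENDER's private key."""
    n, d = private_key
    m = int.from_bytes(hash_digest(message), "big") % n   # toy: fit the digest in n
    return pow(m, d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Anyone holding the sender's public key can check the signature."""
    n, e = public_key
    expected = int.from_bytes(hash_digest(message), "big") % n
    return pow(signature, e, n) == expected


def public_encrypt(value: int, public_key) -> int:
    """Encrypt with the RECIPIENT's public key; only the matching private key undoes it."""
    n, e = public_key
    return pow(value, e, n)


def private_decrypt(value: int, private_key) -> int:
    n, d = private_key
    return pow(value, d, n)


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Symmetric stand-in for AES-CTR: XOR data with an HMAC-SHA256 keystream.
    The same call encrypts and decrypts because XOR is its own inverse."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(4, "big")
        block = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def seal_envelope(document: bytes, recipient_pub, sender_priv) -> dict:
    """Digital envelope: a fresh symmetric key encrypts the (large) document,
    public key cryptography encrypts only the short key, and the sender's
    private key signs what is sent, for authenticity and nonrepudiation."""
    session_key = secrets.token_bytes(SESSION_KEY_BYTES)
    nonce = secrets.token_bytes(16)
    ciphertext = stream_xor(session_key, nonce, document)
    wrapped_key = public_encrypt(int.from_bytes(session_key, "big"), recipient_pub)
    signed_part = nonce + ciphertext + wrapped_key.to_bytes(8, "big")
    return {"nonce": nonce, "ciphertext": ciphertext,
            "wrapped_key": wrapped_key, "signature": sign(signed_part, sender_priv)}


def open_envelope(envelope: dict, recipient_priv, sender_pub) -> bytes:
    """Check the signature first, then unwrap the key and decrypt the document."""
    signed_part = (envelope["nonce"] + envelope["ciphertext"]
                   + envelope["wrapped_key"].to_bytes(8, "big"))
    if not verify(signed_part, envelope["signature"], sender_pub):
        raise ValueError("signature check failed: altered in transit or not from sender")
    key_int = private_decrypt(envelope["wrapped_key"], recipient_priv)
    session_key = key_int.to_bytes(SESSION_KEY_BYTES, "big")
    return stream_xor(session_key, envelope["nonce"], envelope["ciphertext"])


if __name__ == "__main__":
    order = b"order=1234;amount=49.99;card=****1111"          # constructed sample
    env = seal_envelope(order, MERCHANT_PUB, CUSTOMER_PRIV)   # customer -> merchant
    print(open_envelope(env, MERCHANT_PRIV, CUSTOMER_PUB))    # merchant reads it back
    env["ciphertext"] = bytes([env["ciphertext"][0] ^ 1]) + env["ciphertext"][1:]
    try:
        open_envelope(env, MERCHANT_PRIV, CUSTOMER_PUB)
    except ValueError as err:
        print("tamper detected:", err)
```

The envelope signs the ciphertext, nonce and wrapped key as actually transmitted, so flipping a single bit anywhere in transit makes the merchant's verify step fail before any decryption happens; that is the integrity and nonrepudiation the slide attributes to the hash digest plus signature, and the short wrapped key is why the slow public key operation does not need to run over the whole document.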
Creating a Digital Envelope (Figure 4.8, Page 273)

Digital Certificates and Public Key Infrastructure (PKI)
- Digital certificate includes:
  - Name of subject/company
  - Subject's public key
  - Digital certificate serial number
  - Expiration date, issuance date
  - Digital signature of CA
- Public Key Infrastructure (PKI):
  - CAs and digital certificate procedures
  - PGP

Digital Certificates and Certification Authorities (Figure 4.9, Page 274)

Limits to Encryption Solutions
- Doesn't protect storage of the private key
- PKI not effective against insiders, employees
- Protection of private keys by individuals may be haphazard
- No guarantee that the merchant's verifying computer is secure
- CAs are unregulated, self-selecting organizations
Securing Channels of Communication
- Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
  - Establishes a secure, negotiated client-server session
- Virtual Private Network (VPN)
  - Allows remote users to securely access an internal network via the Internet
- Wireless (Wi-Fi) networks
  - WPA2

Secure Negotiated Sessions Using SSL/TLS (Figure 4.10, Page 277)

Protecting Networks
- Firewall
  - Hardware or software that uses a security policy to filter packets
  - Packet filters
  - Application gateways
  - Next-generation firewalls
- Proxy servers (proxies)
  - Software servers that handle all communications from or sent to the Internet
- Intrusion detection systems
- Intrusion prevention systems

Firewalls and Proxy Servers (Figure 4.11, Page 280)
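To make the "security policy to filter packets" bullet concrete, here is an added example (not from the slides or any firewall vendor) of a stateless packet filter: it walks an ordered rule list, the first matching rule decides, and anything unmatched falls through to deny. The rule fields, the hypothetical storefront policy and the sample packets are all constructed; the addresses are the RFC 5737 documentation ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    dst: str      # destination IP address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src_net: str           # CIDR block, or "any"
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None matches every port

    def matches(self, pkt: Packet) -> bool:
        net = ipaddress.ip_network("0.0.0.0/0" if self.src_net == "any" else self.src_net)
        return (ipaddress.ip_address(pkt.src) in net
                and self.proto in ("any", pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


# Hypothetical policy for a storefront host in a DMZ. Order matters: the
# first matching rule decides, and anything unmatched is dropped.
STOREFRONT_POLICY: List[Rule] = [
    Rule("deny",  "10.0.0.0/8",     "any", None),  # private source addresses never arrive from outside
    Rule("allow", "any",            "tcp", 443),   # HTTPS storefront
    Rule("allow", "any",            "tcp", 80),    # HTTP, redirects to HTTPS
    Rule("allow", "203.0.113.0/24", "tcp", 22),    # SSH only from the office range
]


def filter_packet(pkt: Packet, policy: List[Rule] = STOREFRONT_POLICY) -> str:
    """Return the action the policy takes for one packet."""
    for rule in policy:
        if rule.matches(pkt):
            return rule.action
    return "deny"   # implicit default deny


def filter_traffic(packets: List[Packet], policy: List[Rule] = STOREFRONT_POLICY) -> List[str]:
    """Apply the policy to a list of packets; returns one action per packet."""
    return [filter_packet(p, policy) for p in packets]


# Constructed sample traffic (RFC 5737 documentation addresses).
SAMPLE_TRAFFIC = [
    Packet("198.51.100.7", "192.0.2.10", "tcp", 443),   # shopper browsing the store
    Packet("198.51.100.7", "192.0.2.10", "tcp", 3306),  # connection straight to the database port
    Packet("203.0.113.5",  "192.0.2.10", "tcp", 22),    # admin from the office range
    Packet("198.51.100.9", "192.0.2.10", "tcp", 22),    # SSH from anywhere else
    Packet("10.1.2.3",     "192.0.2.10", "tcp", 443),   # private source address on the outside interface
]

if __name__ == "__main__":
    for pkt, action in zip(SAMPLE_TRAFFIC, filter_traffic(SAMPLE_TRAFFIC)):
        print(f"{action:5}  {pkt.proto}/{pkt.dport:<5} from {pkt.src}")
```

Two points worth noticing when reading the output: the database port is blocked not by a rule that names it but by the default deny at the end, and the last packet is only rejected because the deny rule for private source addresses sits before the broad HTTPS allow. Drop that first rule and the same packet is allowed, which is why rule order is part of the policy.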


Protecting Servers and Clients
- Operating system security enhancements
  - Upgrades, patches
- Anti-virus software
  - Easiest and least expensive way to prevent threats to system integrity
  - Requires daily updates

Management Policies, Business Procedures, and Public Laws
- Worldwide, companies spend more than $71 billion on security hardware, software, and services
- Managing risk includes:
  - Technology
  - Effective management policies
  - Public laws and active enforcement

A Security Plan: Management Policies
- Risk assessment
- Security policy
- Implementation plan
- Security organization
- Access controls
- Authentication procedures, including biometrics
- Authorization policies, authorization management systems
- Security audit

Developing an E-commerce Security Plan (Figure 4.12, Page 283)
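The access-control items of the security plan (authentication procedures, authorization policies) are the part of a management policy that ends up directly in code. The following is an added example, not from the textbook, showing both halves: authentication with salted PBKDF2-HMAC-SHA256 password hashes compared in constant time, and authorization as a role-to-permission policy checked after authentication succeeds. The user table, role names, permissions and passwords are constructed, and the iteration count is kept low so the example runs quickly.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set

# PBKDF2 iteration count. Kept low so the example runs quickly; OWASP's
# current guidance for PBKDF2-HMAC-SHA256 is 600,000.
ITERATIONS = 50_000


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256; the stored string carries its own parameters."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed user table: username -> (password hash, roles).
USERS: Dict[str, tuple] = {
    "alice": (hash_password("alice-pw-1"), {"customer"}),
    "bob":   (hash_password("bob-pw-2"), {"customer", "support"}),
}

# Hash checked for unknown usernames so a login attempt takes the same time
# whether or not the account exists (limits username enumeration by timing).
_DUMMY_HASH = hash_password("unused")

# Authorization policy: which roles may perform which actions.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "customer": {"view_orders", "place_order"},
    "support":  {"view_orders", "issue_refund"},
    "admin":    {"view_orders", "place_order", "issue_refund", "manage_users"},
}


def authenticate(username: str, password: str) -> Optional[Set[str]]:
    """Return the user's roles on success, None on failure."""
    stored, roles = USERS.get(username, (_DUMMY_HASH, set()))
    # verify_password always runs, even for unknown users, before the lookup result matters.
    if not verify_password(password, stored) or username not in USERS:
        return None
    return roles


def authorize(roles: Set[str], permission: str) -> bool:
    """Deny unless at least one held role grants the permission."""
    return any(permission in ROLE_PERMISSIONS.get(r, set()) for r in roles)


def handle_request(username: str, password: str, permission: str) -> str:
    """Authentication, then authorization; both must pass."""
    roles = authenticate(username, password)
    if roles is None:
        return "401 unauthenticated"
    if not authorize(roles, permission):
        return "403 forbidden"
    return "200 ok"


if __name__ == "__main__":
    print(handle_request("alice", "alice-pw-1", "place_order"))    # 200 ok
    print(handle_request("alice", "alice-pw-1", "issue_refund"))   # 403 forbidden
    print(handle_request("bob", "wrong-password", "issue_refund")) # 401 unauthenticated
```

The stored hash string embeds its algorithm, iteration count and salt, so the iteration count can be raised later without invalidating existing accounts: new hashes get the new parameters and old ones are re-hashed on next login. Keeping the permission table separate from the user table is what makes the "authorization management system" bullet workable, since a policy change is a one-line edit rather than a per-user update.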


E-commerce Payment Systems
- Credit cards
  - 46% of online payments in 2014 (United States)
- Debit cards
  - 32% of online payments in 2014 (United States)
- QR code
- E-wallet
- Limitations of online credit card payment
  - Security, merchant risk
  - Cost
  - Social equity

How an Online Credit Transaction Works (Figure 4.15, Page 290)

Alternative Online Payment Systems
- Online stored value systems:
  - Based on value stored in a consumer's bank, checking, or credit card account
  - Example: PayPal
- Other alternatives:
  - Amazon Payments
  - Google Wallet
  - Bill Me Later
  - WUPay, Dwolla, Stripe

Mobile Payment Systems
- Use of mobile phones as payment devices is established in Europe and Asia
- Near field communication (NFC)
  - Short-range (2") wireless for sharing data between devices
- Expanding in the United States
  - Apple Pay
  - PayPal
  - Square
  - Google Wallet

Digital Cash and Virtual Currencies
- Digital cash
  - Based on an algorithm that generates unique tokens that can be used in the "real" world
  - Example: Bitcoin
- Virtual currencies
  - Circulate within an internal virtual world
  - Example: Linden Dollars in Second Life, Facebook Credits

Electronic Billing Presentment and Payment (EBPP)
- Online payment systems for monthly bills
- Over 50% of all bill payments
- Two competing EBPP business models:
  - Biller-direct (dominant model)
  - Consolidator
- Both models are supported by EBPP infrastructure providers
