Lecture E-Commerce - Chapter 10: E-commerce technology solution, management policies and payment systems

In this chapter, the learning objectives are: Describe how various forms of encryption technology help protect the security of messages sent over the internet, identify the tools used to establish secure internet communications channels, identify the tools used to protect networks, servers, and clients, appreciate the importance of policies, procedures, and laws in creating security.

Page 1

CSC 330 E-Commerce

Teacher: Ahmed Mumtaz Mustehsan
GM-IT CIIT Islamabad
Virtual Campus, CIIT
COMSATS Institute of Information Technology

T1-Lecture-10

Page 2

E Commerce Technology Solution, Management Policies and Payment Systems

Chapter-04, Part-II

Page 4

Tools Available to Achieve Site Security

Page 5

• Transforms data into cipher text readable only by sender and receiver
• Secures stored information and information

Page 6

Dimensions of E-commerce Security

Page 7

Symmetric Key Encryption

• Sender and receiver use the same digital key to encrypt and decrypt the message
• Requires a different set of keys for each transaction
• Strength of encryption
◦ Length of the binary key used to encrypt data
• Advanced Encryption Standard (AES)
◦ Most widely used symmetric key encryption
◦ Uses 128-, 192-, and 256-bit encryption keys
• Other standards use keys with up to 2,048 bits

Page 8

Public Key Encryption

• Uses two mathematically related digital keys
1. Public key (widely disseminated)
2. Private key (kept secret by owner)
• Both keys are used to encrypt and decrypt the message
• Once a key has been used to encrypt a message, the same key cannot be used to decrypt it
• Sender uses recipient's public key to encrypt message;

Page 9

Public Key Cryptography—A Simple Case

Page 10

Public Key Encryption Using Digital Signatures and Hash Digests

• Hash function:
◦ Mathematical algorithm that produces a fixed-length number called a message digest or hash digest
• Hash digest of message sent to recipient along with message to verify integrity
• Hash digest and message encrypted with recipient's public key
• Entire cipher text then encrypted with sender's private key—creating digital signature—for authenticity, nonrepudiation

Page 11

Public Key Cryptography with Digital Signatures

Page 12

Digital Envelopes

• Addresses weaknesses of:
◦ Public key encryption
  ▪ Computationally slow, decreased transmission speed, increased processing time
◦ Symmetric key encryption
  ▪ Insecure transmission lines
• Uses symmetric key encryption to encrypt document
• Uses public key encryption to encrypt and send symmetric key

Page 13

Creating a Digital Envelope
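The following is an added example, not the lecture's own code: a stdlib-only Python sketch of the data flow on slides 10 and 12. A fresh symmetric key encrypts the document, the recipient's public key wraps only that key, and the sender signs the message's hash digest so the recipient can check integrity and origin. Textbook RSA on constructed tiny primes (61 and 53) and a SHA-256 XOR keystream stand in for real public-key algorithms and AES; they make the steps visible but provide no protection.

```python
import hashlib
import secrets

# Toy RSA key pair built from tiny constructed primes (p=61, q=53). Real
# keys are 2,048 bits or more; this is only to make the data flow visible.
def toy_rsa_keypair(p=61, q=53, e=17):
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # private exponent, e*d = 1 mod phi
    return (e, n), (d, n)          # (public key, private key)

def rsa_apply(key, value):
    """Textbook RSA on one small integer: the same function encrypts with
    the public key and decrypts/signs with the private key."""
    exp, n = key
    return pow(value, exp, n)

# Toy symmetric cipher standing in for AES: XOR with a SHA-256 keystream.
def sym_xor(key: bytes, data: bytes) -> bytes:
    out = bytearray()
    for off in range(0, len(data), 32):
        stream = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], stream))
    return bytes(out)

def seal(message: bytes, recipient_pub, sender_priv):
    """Digital envelope: a fresh symmetric key encrypts the document (fast),
    the recipient's public key encrypts only that key (slide 12). The
    message's hash digest is signed with the sender's private key so the
    recipient can check integrity and authenticity (slide 10)."""
    sym_key = secrets.token_bytes(16)
    ciphertext = sym_xor(sym_key, message)
    wrapped_key = [rsa_apply(recipient_pub, b) for b in sym_key]
    digest = hashlib.sha256(message).digest()
    signature = [rsa_apply(sender_priv, b) for b in digest]
    return ciphertext, wrapped_key, signature

def open_envelope(envelope, recipient_priv, sender_pub):
    ciphertext, wrapped_key, signature = envelope
    key_ints = [rsa_apply(recipient_priv, c) for c in wrapped_key]
    if any(v > 255 for v in key_ints):
        raise ValueError("wrapped key corrupted or wrong recipient key")
    message = sym_xor(bytes(key_ints), ciphertext)
    # Recompute the digest and compare with the one recovered from the
    # signature using the sender's public key.
    expected = list(hashlib.sha256(message).digest())
    recovered = [rsa_apply(sender_pub, s) for s in signature]
    if recovered != expected:
        raise ValueError("digest mismatch: message altered or not from sender")
    return message
```

Flipping a single ciphertext bit makes the recomputed digest disagree with the signed one, which is the integrity check the slide describes.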

Page 14

Digital Certificates and Public Key Infrastructure (PKI)

• Digital certificate includes:
◦ Name of subject/company
◦ Subject's public key
◦ Digital certificate serial number
◦ Expiration date, issuance date
◦ Digital signature of certification authority (trusted third party institution) that issues certificate
• Public Key Infrastructure (PKI):
◦ CAs and digital certificate procedures that are accepted by all parties

Page 15

Digital Certificates and Certification Authorities

Page 16

Limits to Encryption Solutions

• Doesn't protect storage of private key
◦ PKI not effective against insiders, employees
◦ Protection of private keys by individuals may be haphazard (may be stolen from laptop/desktop)
• No guarantee that verifying computer of merchant is secure
• CAs are unregulated, self-selecting organizations

Page 17

Securing Channels of Communication

• Secure Sockets Layer (SSL):
◦ Establishes a secure, negotiated client-server session in which URL of requested document, along with contents, are encrypted
• S-HTTP:
◦ Provides a secure message-oriented communications protocol designed for use in conjunction with HTTP
• Virtual Private Network (VPN):
◦ Allows remote users to securely access internal network via the Internet, using Point-to-Point Tunneling Protocol (PPTP)

Page 18

1-Secure Negotiated Sessions Using SSL

Page 19

Protecting Networks

• Firewall
◦ Hardware or software that filters packets
◦ Prevents some packets from entering the network based on security policy
◦ Two main methods:
  1. Packet filters
  2. Application gateways
• Proxy servers (proxies)
◦ Software servers that handle all communications originating from or being sent to the Internet

Page 20

Firewalls and Proxy Servers

Page 21

Protecting Servers and Clients

• Operating system security enhancements

Page 22

Management Policies, Business Procedures, and Public Laws

• Managing risk includes
◦ Technology
◦ Effective management policies
◦ Public laws and active enforcement
• U.S. firms and organizations spend 12% of IT budget on security hardware, software, services ($120 billion in 2009)

Page 23

A Security Plan: Management Policies

• Perform a risk assessment
• Develop a security policy
• Develop an implementation plan
• Create a security organization
◦ Access controls
◦ Authentication procedures, including biometrics
◦ Authorization policies, authorization management systems
• Security audit

Page 24

Developing an E-commerce Security Plan

Page 25

The Role of Laws and Public Policy

• Cybercriminals:
◦ Proposal to make provision for the prevention of electronic crimes in the country.

Page 26

Types of Traditional Payment Systems

• Payment through check transfer
◦ Second most common payment form in the United States in terms of number of transactions
• Credit card
◦ Credit card associations (Visa and MasterCard)
◦ Issuing banks
◦ Processing centers

Page 27

Types of Traditional Payment Systems

• Stored value
◦ Funds deposited into account, from which funds are paid out or withdrawn as needed, e.g., debit cards, gift certificates, etc.
◦ Peer-to-peer payment systems, e.g., prepaid cards

Page 29

E-commerce Payment Systems

• Credit cards
◦ 55% of online payments in 2009
• Debit cards
◦ 28% of online payments in 2009
• Limitations of online credit card payment
◦ Security: no security for either client or merchant
◦ Cost:
  ▪ Almost no cost to the customer if paid on time
  ▪ Merchant pays 3.5% to the bank; if intermediaries like PayPal are used, additional charges of 1 to 1.5%

Page 30

How an Online Credit Transaction Works

Page 31

E-commerce Payment Systems

• Digital wallets
◦ Emulates functionality of wallet by authenticating consumer, storing and transferring value, and securing payment process from consumer to merchant
◦ Early efforts to popularize failed
◦ Newest effort: Google Checkout
• Digital cash
◦ Value storage and exchange using tokens
◦ Most early examples have disappeared; protocols and practices too complex

Page 32

E-commerce Payment Systems

• Online stored value systems
◦ Based on value stored in a consumer's bank, checking, or credit card account
◦ PayPal, smart cards
• Digital accumulated balance payment
◦ Users accumulate a debit balance for which they are billed at the end of the month
• Digital checking:
◦ Extends functionality of existing checking accounts for use online

Page 33

Wireless Payment Systems

• Use of mobile handsets as payment devices well-established in Europe, Japan, South Korea
• Japanese mobile payment systems
◦ E-money (stored value)
◦ Mobile debit cards
◦ Mobile credit cards
• Not as well established yet in the United States
◦ Majority of purchases are digital content for use on cell phone

Page 34

Is your smart phone secure?

• All mobile users carry their privacy with them
• Many free applications are built to grab information from smart phones
• These applications are used to steal pictures, passwords, bank account details, etc.
• Smartphones are susceptible to browser-based malware

Page 35

The Players: Hackers, Crackers, and Attackers

• Original hackers created the Unix operating system and helped build the Internet, Usenet, and World Wide Web, and used their skills to test the strength and integrity of computer systems
• Over time, the term hacker came to be applied to rogue programmers who illegally break into computers and networks

Page 36

The Players: Hackers, Crackers & Attackers …

• Uber Haxor
◦ Wizard Internet hackers
◦ Highly capable attackers
◦ Responsible for writing most of the attacker tools
• Crackers
◦ People who engage in unlawful or damaging hacking; short for "criminal hacking"; cracking software keys and security measures for piracy
• Other attackers
◦ "Script kiddies" are ego-driven, unskilled crackers who use information and software (scripts) that they download from the Internet to inflict damage on targeted sites

Page 37

Script Kiddies

1. [very common] The lowest form of cracker; script kiddies do mischief with scripts and rootkits written by others, often using tools without understanding.
2. People with limited technical expertise using easy-to-operate, pre-configured, and/or automated tools to conduct disruptive activities against networked systems. Since most of these tools are fairly well-known by the security community, the adverse impact of such actions is usually minimal.
3. People who cannot program themselves, but who create tacky HTML pages by copying JavaScript routines from other tacky HTML pages. More generally, a script kiddie writes (or more likely cuts and pastes) code without either having or desiring to have a mental model of what the code does;

References:
http://www.catb.org/jargon/html/S/script-kiddies.html
http://www.tamingthebeast.net/articles/scriptkiddies.htm

Page 38

End of: T1-Lecture-10

E Commerce Technology Solution, Management Policies and Payment Systems

Chapter-04, Part-II

Thank You

Posted: 18/01/2020, 17:54