Chapter 9. EC Security

The document discusses security threats and solutions in e-commerce environments. It covers topics like encryption, digital signatures, public key infrastructure, firewalls, and developing a comprehensive security plan. The document is long and contains many technical details and figures about e-commerce security.

Chapter 9

E-commerce Security and Payment System

The E-commerce Security Environment

The Tension Between Security and Other Values
• Ease of use
  • The more security measures added, the more difficult a site is to use, and the slower it becomes
• Public safety and criminal uses of the Internet
  • Use of technology by criminals to plan crimes or threaten nation-state

Security Threats in the E-commerce Environment
• Three key points of vulnerability in e-commerce environment:
  1. Client
  2. Server
  3. Communications pipeline (Internet communications channels)

A Typical E-commerce Transaction

Figure 4.2, Page 246


Vulnerable Points in an E-commerce Transaction

Figure 4.3, Page 247


Most Common Security Threats in the E-commerce Environment
• Malicious code (malware) – threat at both client and server level
  • Exploits and exploit kits
  • Drive-by downloads
  • Viruses
  • Worms
  • Ransomware
  • Trojan horses
  • Backdoors
  • Bots, botnets

Most Common Security Threats (cont.)
• Potentially unwanted programs (PUPs)
  • Browser parasites
  • Adware
  • Spyware
• Phishing
  • Social engineering
  • E-mail scams
  • Spear phishing
  • Identity fraud/theft

Most Common Security Threats (cont.)
• Hacking
  • Hackers vs. crackers
  • Types of hackers: White, black, grey hats
  • Hacktivism
• Cybervandalism:
  • Disrupting, defacing, destroying Web site

Most Common Security Threats (cont.)
• Credit card fraud/theft
• Spam (junk) Web sites
  • Link farms
• Denial of service (DoS) attack
  • Site flooded with useless traffic to overwhelm network
• Distributed denial of service (DDoS) attack

Most Common Security Threats (cont.)
• Sniffing
  • Eavesdropping program that monitors information traveling over a network
• Insider attacks
• Poorly designed software
• Social network security issues
• Mobile platform security issues
  • Vishing, smishing, madware
• Cloud security issues


Technology Solutions
• Protecting Internet communications
  • Cryptography
• Securing channels of communication
  • SSL, TLS, VPNs, Wi-Fi
• Protecting networks
  • Firewalls, proxy servers, IDS, IPS
• Protecting servers and clients
  • OS security, anti-virus

Tools Available to Achieve Site Security

Figure 4.5, Page 267


Encryption
• Encryption
  • Transforms data into cipher text readable only by sender and receiver
  • Secures stored information and information transmission
  • Provides 4 of 6 key dimensions of e-commerce security:
    • Message integrity
    • Nonrepudiation
    • Authentication
    • Confidentiality

Copyright © 2016 Pearson Education, Ltd.


Symmetric Key Cryptography
• Sender and receiver use same digital key to encrypt and decrypt message
• Requires different set of keys for each transaction
• Strength of encryption
  • Length of binary key used to encrypt data
• Data Encryption Standard (DES)
• Advanced Encryption Standard (AES)
  • Most widely used symmetric key algorithm
  • Uses 128-, 192-, and 256-bit encryption keys
• Other standards use keys with up to 2,048 bits


Public Key Cryptography
• Uses two mathematically related digital keys
  • Public key (widely disseminated)
  • Private key (kept secret by owner)
• Both keys used to encrypt and decrypt message
• Once key used to encrypt message, same key cannot be used to decrypt message
• Sender uses recipient’s public key to encrypt message; recipient uses private key to decrypt it

Public Key Cryptography: A Simple Case

Figure 4.6, Page 271


Public Key Cryptography using Digital Signatures and Hash Digests
• Hash function:
  • Mathematical algorithm that produces fixed-length number called message or hash digest
• Hash digest of message sent to recipient along with message to verify integrity
• Hash digest and message encrypted with recipient’s public key
• Entire cipher text then encrypted with recipient’s private key—creating digital signature—for authenticity, nonrepudiation
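
Added example (not part of the original slides): the hash digest and digital signature checks, run with Node.js's built-in crypto module. The signature is made with the signer's private key and checked with the signer's public key; confidentiality is left out here, and the order text and function names are constructed for illustration.

```javascript
// Added example: hash digest + digital signature using Node's built-in crypto.
const { createHash, sign, verify, generateKeyPairSync } = require("node:crypto");

// Constructed sample message (not from the original slides).
const ORDER = Buffer.from("order=1001;item=book;amount=25.00");

// Hash function: fixed-length digest, whatever the message length.
function digest(message) {
  return createHash("sha256").update(message).digest("hex");
}

// Signer: SHA-256 digest of the message, signed with the signer's private key.
function signMessage(message, privateKey) {
  return sign("sha256", message, privateKey);
}

// Verifier: recompute the digest and check the signature against it with the
// signer's public key. Returns false on any mismatch.
function verifyMessage(message, signature, publicKey) {
  return verify("sha256", message, publicKey, signature);
}

function demo() {
  const signer = generateKeyPairSync("rsa", { modulusLength: 2048 });
  const stranger = generateKeyPairSync("rsa", { modulusLength: 2048 });
  const signature = signMessage(ORDER, signer.privateKey);
  // Integrity: one changed field alters the digest and invalidates the signature.
  const tampered = Buffer.from(ORDER.toString().replace("25.00", "95.00"));
  return {
    digestHexLength: digest(ORDER).length, // 64 hex characters = 256 bits
    digestChanged: digest(ORDER) !== digest(tampered),
    original: verifyMessage(ORDER, signature, signer.publicKey),
    tampered: verifyMessage(tampered, signature, signer.publicKey),
    wrongKey: verifyMessage(ORDER, signature, stranger.publicKey),
  };
}

console.log(demo());
```
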
Public Key Cryptography with Digital Signatures

Figure 4.7, Page 272


Digital Envelopes
• Address weaknesses of:
  • Public key cryptography
    • Computationally slow, decreased transmission speed, increased processing time
  • Symmetric key cryptography
    • Insecure transmission lines
• Uses symmetric key cryptography to encrypt document
• Uses public key cryptography to encrypt and send symmetric key
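
Added example (not part of the original slides): a digital envelope built with Node.js's built-in crypto module. AES-256-GCM for the document and RSA-OAEP for wrapping the symmetric key are choices made for this example, as are the function names and the sample document.

```javascript
const {
  generateKeyPairSync, randomBytes, createCipheriv, createDecipheriv,
  publicEncrypt, privateDecrypt, constants,
} = require("node:crypto");

// RSA-OAEP settings used for wrapping the symmetric key (example choice).
const OAEP = { padding: constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };

// Sender: encrypt the document with a fresh symmetric key (fast), then encrypt
// only that short key with the recipient's public key (slow, but 32 bytes).
function sealEnvelope(document, recipientPublicKey) {
  const key = randomBytes(32); // one-time AES-256 key
  const iv = randomBytes(12);  // 96-bit GCM nonce
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  const ciphertext = Buffer.concat([cipher.update(document), cipher.final()]);
  return {
    wrappedKey: publicEncrypt({ key: recipientPublicKey, ...OAEP }, key),
    iv, ciphertext, tag: cipher.getAuthTag(),
  };
}

// Recipient: recover the symmetric key with the private key, then decrypt.
// final() throws if the ciphertext or tag was altered in transit.
function openEnvelope(env, recipientPrivateKey) {
  const key = privateDecrypt({ key: recipientPrivateKey, ...OAEP }, env.wrappedKey);
  const decipher = createDecipheriv("aes-256-gcm", key, env.iv);
  decipher.setAuthTag(env.tag);
  return Buffer.concat([decipher.update(env.ciphertext), decipher.final()]);
}

function demo() {
  const recipient = generateKeyPairSync("rsa", { modulusLength: 2048 });
  const outsider = generateKeyPairSync("rsa", { modulusLength: 2048 });
  // Constructed sample document, larger than RSA could encrypt directly.
  const doc = Buffer.from("Constructed sample purchase order line\n".repeat(100));
  const env = sealEnvelope(doc, recipient.publicKey);
  const rejects = (fn) => { try { fn(); return false; } catch { return true; } };
  const altered = { ...env, ciphertext: Buffer.from(env.ciphertext) };
  altered.ciphertext[0] ^= 1; // flip one bit, as if modified in transit
  return {
    roundTrip: openEnvelope(env, recipient.privateKey).equals(doc),
    wrappedKeyBytes: env.wrappedKey.length, // 256 for a 2048-bit RSA key
    wrongKeyRejected: rejects(() => openEnvelope(env, outsider.privateKey)),
    tamperRejected: rejects(() => openEnvelope(altered, recipient.privateKey)),
  };
}

console.log(demo());
```
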
Creating a Digital Envelope

Figure 4.8, Page 273


Digital Certificates and Public Key Infrastructure (PKI)
• Digital certificate includes:
  • Name of subject/company
  • Subject’s public key
  • Digital certificate serial number
  • Expiration date, issuance date
  • Digital signature of CA
• Public Key Infrastructure (PKI):
  • CAs and digital certificate procedures
  • PGP

Digital Certificates and Certification Authorities

Figure 4.9, Page 274


Limits to Encryption Solutions
• Doesn’t protect storage of private key
  • PKI not effective against insiders, employees
  • Protection of private keys by individuals may be haphazard
• No guarantee that verifying computer of merchant is secure
• CAs are unregulated, self-selecting organizations

Securing Channels of Communication
• Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
  • Establishes secure, negotiated client–server session
• Virtual Private Network (VPN)
  • Allows remote users to securely access internal network via the Internet
• Wireless (Wi-Fi) networks
  • WPA2

Secure Negotiated Sessions Using SSL/TLS

Figure 4.10, Page 277


Protecting Networks
• Firewall
  • Hardware or software that uses security policy to filter packets
  • Packet filters
  • Application gateways
  • Next-generation firewalls
• Proxy servers (proxies)
  • Software servers that handle all communications from or sent to the Internet
• Intrusion detection systems
• Intrusion prevention systems

Firewalls and Proxy Servers

Figure 4.11, Page 280


Protecting Servers and Clients
• Operating system security enhancements
  • Upgrades, patches
• Anti-virus software
  • Easiest and least expensive way to prevent threats to system integrity
  • Requires daily updates

Management Policies, Business Procedures, and Public Laws
• Worldwide, companies spend more than $71 billion on security hardware, software, services
• Managing risk includes:
  • Technology
  • Effective management policies
  • Public laws and active enforcement

A Security Plan: Management Policies
• Risk assessment
• Security policy
• Implementation plan
  • Security organization
  • Access controls
  • Authentication procedures, including biometrics
  • Authorization policies, authorization management systems
• Security audit

Developing an E-commerce Security Plan

Figure 4.12, Page 283


VeriSign, Globalsign, Thawte, Network Solutions, GoDaddy, Dotster, Geotrust, Digicert, Cybertrust, Comodo, Akamai

Root CA VN
