Chapter 5

E-commerce Security and Payment System

Course name: E-commerce

Chapter 5

E-commerce Security
and Payment Systems
Instructor: Nguyen The Dai Nghia
Email: [email protected]
Phone/Zalo: 0936385487
 Chapter 5
E-commerce Security and Payment System

Learning Objectives
5.1 Understand the scope of e-commerce crime and security problems, the key dimensions
of e-commerce security, and the tension between security and other values.
5.2 Identify the key security threats in the e-commerce environment.
5.3 Describe how technology helps secure Internet communications channels and protect
networks, servers, and clients.
5.4 Appreciate the importance of policies, procedures, and laws in creating security.
5.5 Identify the major e-commerce payment systems in use today.
5.6 Describe the features and functionality of electronic billing presentment and payment
systems.

Copyright © 2020 Pearson Education Ltd. All Rights Reserved

 Chapter 5
E-commerce Security and Payment System

The Rise of the Global Cyberattack

• Class Discussion
• Have you or anyone you know been the subject of a cybercrime? If so,
what happened?
• Do you think an agreement among countries akin to the Geneva
Convention will be an effective deterrent for cybercrime? Why or why
not?
• What steps have you taken to protect yourself online?

Copyright © 2020 Pearson Education Ltd. All Rights Reserved

 Chapter 5
E-commerce Security and Payment System

The E-commerce Security Environment

• Scope of the problem
• Overall size of and losses due to cybercrime unclear
• McAfee/Center for Strategic and International Studies study: Global
economic impact of cybercrime and cyberespionage between $455
billion to $600 billion
• Reports by security product providers indicate increasing cybercrime
• Online credit card fraud one of the most high-profile forms
• Underground economy marketplaces sell stolen information, malware and
more

Copyright © 2020 Pearson Education Ltd. All Rights Reserved

 Chapter 5
E-commerce Security and Payment System

What is Good E-commerce Security?

• To achieve highest degree of security
• New technologies
• Organizational policies and procedures
• Industry standards and government laws
• Other factors
• Time value of money
• Cost of security v s potential loss
ersu

• Security often breaks at weakest link

Copyright © 2020 Pearson Education Ltd. All Rights Reserved

 Chapter 5
E-commerce Security and Payment System

Figure 5.1 The E-commerce Security Environment

Copyright © 2020 Pearson Education Ltd. All Rights Reserved


Table 5.3 Customer and Merchant Perspectives on the Different Dimensions of
E-commerce Security
Dimension Customer’s Perspective
Integrity Has information I transmitted or
received been altered?
Nonrepudiation Can a party to an action with me
later deny taking the action?
Authenticity Who am I dealing with? How can I be
assured that the person or entity is
who they claim to be?
Confidentiality Can someone other than the
intended recipient read my
messages?
Privacy Can I control the use of information
about myself transmitted to an
e-commerce merchant?
Availability Can I get access to the site?
Chapter 5
E-commerce Security and Payment System
Merchant’s Perspective
Has data on the site been altered without
authorization? Is data being received from
customers valid?
Can a customer deny ordering products?
What is the real identity of the customer?
Are messages or confidential data accessible
to anyone other than those authorized to
view them?
What use, if any, can be made of personal
data collected as part of an e-commerce
transaction? Is the personal information of
customers being used in an unauthorized
manner?
Is the site operational?
Copyright © 2020 Pearson Education Ltd. All Rights Reserved
 Chapter 5
E-commerce Security and Payment System

The Tension between Security and Other Values

• Ease of use
• The more security measures added, the more difficult
a site is to use, and the slower it becomes
• Public safety and criminal uses of the Internet
• Use of technology by criminals to plan crimes or
threaten nation-state

Copyright © 2020 Pearson Education Ltd. All Rights Reserved

 Chapter 5
E-commerce Security and Payment System

Security Threats in the E-commerce Environment

• Three key points of vulnerability in e-commerce environment:
• Client
• Server
• Communications pipeline (Internet communications channels)

Copyright © 2020 Pearson Education Ltd. All Rights Reserved

 Chapter 5
E-commerce Security and Payment System

Figure 5.2 A Typical E-commerce Transaction

Copyright © 2020 Pearson Education Ltd. All Rights Reserved

 Chapter 5
E-commerce Security and Payment System

Figure 5.3 Vulnerable Points in an E-

commerce Transaction

Copyright © 2020 Pearson Education Ltd. All Rights Reserved

 Chapter 5
E-commerce Security and Payment System

Malicious Code
• Exploits and exploit kits
• Maladvertising
• Drive-by downloads
• Viruses
• Worms
• Ransomware
• Trojan horses
• Backdoors
• Bots, botnets

Copyright © 2020 Pearson Education Ltd. All Rights Reserved

 Chapter 5
E-commerce Security and Payment System

Potentially Unwanted Programs

• Browser parasites
• Monitor and change user’s browser
• Adware
• Used to call pop-up ads
• Spyware
• Tracks users keystrokes, e-mails, IMs, etc.

Copyright © 2020 Pearson Education Ltd. All Rights Reserved

 Chapter 5
E-commerce Security and Payment System

Phishing
• Any deceptive, online attempt by a third party to obtain confidential
information for financial gain
• Tactics
• Social engineering
• E-mail scams and Business Email Compromise (BEC) phishing
• Spear phishing
• Used for identity fraud and theft

Copyright © 2020 Pearson Education Ltd. All Rights Reserved

 Chapter 5
E-commerce Security and Payment System

Example of “Nigerian letter” scam

Copyright © 2020 Pearson Education Ltd. All Rights Reserved

 Chapter 5
E-commerce Security and Payment System

Hacking, Cybervandalism, and Hacktivism

• Hacking
• Hackers v s crackers
ersu

• White hats, black hats, grey hats

• Tiger teams
• Goals: cybervandalism, data breaches
• Cybervandalism:
• Disrupting, defacing, destroying Web site
• Hacktivism

Copyright © 2020 Pearson Education Ltd. All Rights Reserved

 Chapter 5
E-commerce Security and Payment System

Data Breaches
• Organization loses control over corporate information to outsiders
• Over 1,575 breaches in 2017, 45% increase over 2016
• Yahoo and Equifax two of the most notorious; Facebook breach in 2018
exposed personal information of 30 million
• Leading causes
• Hacking
• Unauthorized access
• Employee error/negligence

Copyright © 2020 Pearson Education Ltd. All Rights Reserved

 Chapter 5
E-commerce Security and Payment System

Credit Card Fraud/Theft

• Stolen credit card incidences about 0.9% on the Web and about 0.8% of
mobile transactions
• Hacking and looting of corporate servers is primary cause
• Central security issue: establishing customer identity
• E-signatures
• Multi-factor authentication
• Fingerprint identification

Copyright © 2020 Pearson Education Ltd. All Rights Reserved

 Chapter 5
E-commerce Security and Payment System

Identity Fraud/Theft
• Unauthorized use of another person’s personal data for illegal financial
benefit
• Social security number
• Driver’s license
• Credit card numbers
• Usernames/passwords
• 2017: Almost 17 million U.S. consumers suffered identity fraud

Copyright © 2020 Pearson Education Ltd. All Rights Reserved

 Chapter 5
E-commerce Security and Payment System

Spoofing, Pharming, and Spam (Junk) Websites

• Spoofing
• Attempting to hide true identity by using someone
else’s e-mail or IP address
• Pharming
• Automatically redirecting a URL to a different
address, to benefit the hacker
• Spam (junk) websites
• Offer collection of advertisements for other sites,
which may contain malicious code

Copyright © 2020 Pearson Education Ltd. All Rights Reserved

 Chapter 5
E-commerce Security and Payment System

Sniffing and Man-In-The-Middle Attacks

• Sniffer
• Eavesdropping program monitoring networks
• Can identify network trouble spots
• Can be used by criminals to steal proprietary
information
• E-mail wiretaps
• Recording e-mails at the mail server level
• Man-in-the-middle attack
• Attacker intercepts and changes communication
between two parties who believe they are
communicating directly

Copyright © 2020 Pearson Education Ltd. All Rights Reserved

 Chapter 5
E-commerce Security and Payment System

Denial of Service (DoS) and Distributed Denial of Service (DDoS)

Attacks
• Denial of service (DoS) attack
• Flooding website with pings and page request
• Overwhelm and can shut down site’s web servers
• Often accompanied by blackmail attempts
• Botnets
• Distributed Denial of Service (DDoS) attack
• Uses hundreds or thousands of computers to attack target network
• Can use devices from Internet of Things, mobile devices
• DDoS smokescreening

Copyright © 2020 Pearson Education Ltd. All Rights Reserved

 Chapter 5
E-commerce Security and Payment System

Insider Attacks
• Largest threat to business institutions come from insider embezzlement
• Employee access to privileged information
• Poor security procedures
• Insiders more likely to be source of cyberattacks than outsiders

Copyright © 2020 Pearson Education Ltd. All Rights Reserved

 Chapter 5
E-commerce Security and Payment System

Poorly Designed Software

• Increase in complexity of and demand for software has led to increase in
flaws and vulnerabilities
• SQL injection attacks
• Zero-day vulnerability
• Heartbleed bug; Shellshock (BashBug); FREAK

Copyright © 2020 Pearson Education Ltd. All Rights Reserved

 Chapter 5
E-commerce Security and Payment System

Social Network Security Issues

• Social networks an environment for:
• Viruses, site takeovers, identity fraud, malware-loaded apps, click
hijacking, phishing, spam
• Manual sharing scams
• Sharing of files that link to malicious sites
• Fake offerings, fake Like buttons, and fake apps

Copyright © 2020 Pearson Education Ltd. All Rights Reserved

 Chapter 5
E-commerce Security and Payment System

Mobile Platform Security Issues

• Little public awareness of mobile device vulnerabilities
• 2017: Over 26,500 different mobile malware variants identified by Symantec
• Vishing
• Smishing
• SMS spoofing
• Madware

Copyright © 2020 Pearson Education Ltd. All Rights Reserved

 Chapter 5
E-commerce Security and Payment System

Insight on Technology: Think Your Smartphone is Secure?

• Class Discussion
• What types of threats do smartphones face?
• Are there any vulnerabilities specific to mobile
devices?
• What qualities of apps make them a vulnerable
security point in smartphone use?
• Are apps more or less likely to be subject to threats
than traditional PC software programs?

Copyright © 2020 Pearson Education Ltd. All Rights Reserved

 Chapter 5
E-commerce Security and Payment System

Cloud Security Issues

• DDoS attacks
• Infrastructure scanning (find vulnerability)
• Lower-tech phishing attacks yield passwords and access
• Use of cloud storage to connect linked accounts
• Lack of encryption and strong security procedures

Copyright © 2020 Pearson Education Ltd. All Rights Reserved

 Chapter 5
E-commerce Security and Payment System

Internet of Things Security Issues

• Challenging environment to protect
• Vast quantity of interconnected links
• Near identical devices with long service lives
• Many devices have no upgrade features
• Little visibility into workings, data, or security

Copyright © 2020 Pearson Education Ltd. All Rights Reserved

 Chapter 5
E-commerce Security and Payment System

Technology Solutions
• Protecting Internet communications
• Encryption
• Securing channels of communication
• SSL, TLS, VPNs, Wi-Fi
• Protecting networks
• Firewalls, proxy servers, IDS, IPS
• Protecting servers and clients
• OS security, anti-virus software

Copyright © 2020 Pearson Education Ltd. All Rights Reserved

 Chapter 5
E-commerce Security and Payment System

Figure 5.5 Tools Available to Achieve E-

commerce Security

Copyright © 2020 Pearson Education Ltd. All Rights Reserved

 Chapter 5
E-commerce Security and Payment System

Encryption
• Encryption
• Transforms data into cipher text readable only by
sender and receiver
• Secures stored information and information
transmission
• Provides 4 of 6 key dimensions of e-commerce
security:
• Message integrity
• Nonrepudiation
• Authentication
• Confidentiality

Copyright © 2020 Pearson Education Ltd. All Rights Reserved

 Chapter 5
E-commerce Security and Payment System

Symmetric Key Cryptography

• Sender and receiver use same digital key to encrypt and decrypt message
• Requires different set of keys for each transaction
• Strength of encryption: Length of binary key
• Data Encryption Standard (DES)
• Advanced Encryption Standard (AES)
• Other standards use keys with up to 2,048 bits

Copyright © 2020 Pearson Education Ltd. All Rights Reserved

 Chapter 5
E-commerce Security and Payment System

Public Key Cryptography

• Uses two mathematically related digital keys
• Public key (widely disseminated)
• Private key (kept secret by owner)
• Both keys used to encrypt and decrypt message
• Once key used to encrypt message, same key cannot be used to decrypt
message
• Sender uses recipient’s public key to encrypt message; recipient uses
private key to decrypt it

Copyright © 2020 Pearson Education Ltd. All Rights Reserved

 Chapter 5
E-commerce Security and Payment System

Figure 5.6 Public Key Cryptography: A Simple Case

Copyright © 2020 Pearson Education Ltd. All Rights Reserved

 Chapter 5
E-commerce Security and Payment System

Public Key Cryptography Using Digital Signatures and Hash

Digests
• Sender applies a mathematical algorithm (hash function)
to a message and then encrypts the message and hash
result with recipient’s public key
• Sender then encrypts the message and hash result with
sender’s private key-creating digital signature-for
authenticity, nonrepudiation
• Recipient first uses sender’s public key to authenticate
message and then the recipient’s private key to decrypt
the hash result and message

Copyright © 2020 Pearson Education Ltd. All Rights Reserved

 Chapter 5
E-commerce Security and Payment System

Figure 5.7 Public Key Cryptography with Digital Signatures

Copyright © 2020 Pearson Education Ltd. All Rights Reserved

 Chapter 5
E-commerce Security and Payment System

Digital Envelopes
• Address weaknesses of:
• Public key cryptography
• Computationally slow, decreased transmission speed, increased
processing time
• Symmetric key cryptography
• Insecure transmission lines
• Uses symmetric key cryptography to encrypt document
• Uses public key cryptography to encrypt and send symmetric key

Copyright © 2020 Pearson Education Ltd. All Rights Reserved

 Chapter 5
E-commerce Security and Payment System

Figure 4.8 Public Key Cryptography: Creating a Digital

Envelope

Copyright © 2020 Pearson Education Ltd. All Rights Reserved

 Chapter 5
E-commerce Security and Payment System

Digital Certificates and Public Key Infrastructure (PKI)

• Digital certificate includes:
• Name of subject/company
• Subject’s public key
• Digital certificate serial number
• Expiration date, issuance date
• Digital signature of CA
• Public Key Infrastructure (PKI):
• CAs and digital certificate procedures
• PG P

Copyright © 2020 Pearson Education Ltd. All Rights Reserved

 Chapter 5
E-commerce Security and Payment System

Figure 5.9 Digital Certificates and Certification Authorities

Copyright © 2020 Pearson Education Ltd. All Rights Reserved

 Chapter 5
E-commerce Security and Payment System

Limitations of PKI
• Doesn’t protect storage of private key
• PKI not effective against insiders, employees
• Protection of private keys by individuals may be haphazard
• No guarantee that verifying computer of merchant is secure
• CAs are unregulated, self-selecting organizations

Copyright © 2020 Pearson Education Ltd. All Rights Reserved

 Chapter 5
E-commerce Security and Payment System

Securing Channels of Communication

• Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
• Establishes secure, negotiated client-server session
• Virtual Private Network (VPN)
• Allows remote users to securely access internal network
via the Internet
• Wireless (Wi-Fi) networks
• W PA2
• WPA3

Copyright © 2020 Pearson Education Ltd. All Rights Reserved

 Chapter 5
E-commerce Security and Payment System

Figure 5.10 Secure Negotiated Sessions Using SSL/TLS

Copyright © 2020 Pearson Education Ltd. All Rights Reserved

 Chapter 5
E-commerce Security and Payment System

Protecting Networks
• Firewall
• Hardware or software that uses security policy to filter
packets
• Packet filters
• Application gateways
• Next-generation firewalls
• Proxy servers (proxies)
• Software servers that handle all communications from or
sent to the Internet
• Intrusion detection systems
• Intrusion prevention systems

Copyright © 2020 Pearson Education Ltd. All Rights Reserved

 Chapter 5
E-commerce Security and Payment System

Figure 5.11 Firewalls and Proxy Servers

Copyright © 2020 Pearson Education Ltd. All Rights Reserved

 Chapter 5
E-commerce Security and Payment System

Protecting Servers and Clients

• Operating system security enhancements
• Upgrades, patches
• Anti-virus software
• Easiest and least expensive way to prevent threats to system integrity
• Requires daily updates

Copyright © 2020 Pearson Education Ltd. All Rights Reserved

 Chapter 5
E-commerce Security and Payment System

Management Policies, Business Procedures, and Public

Laws
• Worldwide, companies spend more than $86 billion on security hardware,
software, services
• Managing risk includes:
• Technology
• Effective management policies
• Public laws and active enforcement

Copyright © 2020 Pearson Education Ltd. All Rights Reserved

 Chapter 5
E-commerce Security and Payment System

A Security Plan: Management Policies

• Risk assessment
• Security policy
• Implementation plan
• Security organization
• Access controls
• Authentication procedures, including biometrics
• Authorization policies, authorization management systems
• Security audit

Copyright © 2020 Pearson Education Ltd. All Rights Reserved

 Chapter 5
E-commerce Security and Payment System

Figure 5.12 Developing an E-commerce Security Plan

Copyright © 2020 Pearson Education Ltd. All Rights Reserved

 Chapter 5
E-commerce Security and Payment System

The Role of Laws and Public Policy

• Laws that give authorities tools for identifying, tracing, prosecuting
cybercriminals:
• USA Patriot Act
• Homeland Security Act
• Private and private-public cooperation
• US-CERT
• CERT Coordination Center
• Government policies and controls on encryption software
• OECD, G7/G8, Council of Europe, Wassener Arrangement

Copyright © 2020 Pearson Education Ltd. All Rights Reserved

 Chapter 5
E-commerce Security and Payment System

E-commerce Payment Systems

• In U.S., credit and debit cards are primary online payment methods
• Other countries have different systems
• Online credit card purchasing cycle
• Credit card e-commerce enablers
• Limitations of online credit card payment
• Security, merchant risk
• Cost
• Social equity

Copyright © 2020 Pearson Education Ltd. All Rights Reserved

 Chapter 5
E-commerce Security and Payment System

Figure 5.14 How an Online Credit Card Transaction Works

Copyright © 2020 Pearson Education Ltd. All Rights Reserved

 Chapter 5
E-commerce Security and Payment System

Alternative Online Payment Systems

• Online stored value systems:
• Based on value stored in a consumer’s bank,
checking, or credit card account
• Example: PayPal
• Other alternatives:
• Amazon Pay
• Visa Checkout, Mastercard’s MasterPass
• Dwolla

Copyright © 2020 Pearson Education Ltd. All Rights Reserved

 Chapter 5
E-commerce Security and Payment System

Mobile Payment Systems

• Use of mobile phones as payment devices
• Established in Europe and Asia
• Expanding in United States
• Near field communication (NFC)
• Different types of mobile wallets
• Universal proximity mobile wallets, such as Apple Pay,
Google Pay, Samsung Pay, PayPal Mobile
• Branded store proximity wallets, offered by Walmart,
Target, Starbucks, others
• P2P mobile payment apps, such as Zelle, Venmo

Copyright © 2020 Pearson Education Ltd. All Rights Reserved

 Chapter 5
E-commerce Security and Payment System

Blockchain
• Blockchain
• Enables organizations to create and verify transactions
nearly instantaneously using a distributed P2P database
(distributed ledger)
• Benefits:
• Reduces costs of verifying users, validating transactions,
and risks of storing and processing transaction
information
• Transactions cannot be altered retroactively and
therefore are more secure
• Foundation technology for cryptocurrencies and supply
chain management, as well as potential applications in
financial services and healthcare industries
Copyright © 2020 Pearson Education Ltd. All Rights Reserved
 Chapter 5
E-commerce Security and Payment System

Figure 5.16 How Blockchain Works

Copyright © 2020 Pearson Education Ltd. All Rights Reserved

 Chapter 5
E-commerce Security and Payment System

Cryptocurrencies
• Use blockchain technology and cryptography to create a purely digital
medium of exchange
• Bitcoin the most prominent example
• Value of Bitcoins have widely fluctuated
• Major issues with theft and fraud
• Some governments have banned Bitcoin, although it is gaining
acceptance in the U.S.
• Other cryptocurrencies (altcoins) include Ethereum/Ether, Ripple, Litecoin
and Monero
• Initial coin offerings (I C Os) being used by some startups to raise capital

Copyright © 2020 Pearson Education Ltd. All Rights Reserved

 Chapter 5
E-commerce Security and Payment System

Electronic Billing Presentment and Payment (EBPP)

• Online payment systems for monthly bills
• Four EBPP business models:
• Online banking model (most widely used)
• Biller-direct (monthly telephone bill)
• Mobile
• Consolidator (third party)
• All models are supported by EBPP infrastructure providers

Copyright © 2020 Pearson Education Ltd. All Rights Reserved

 Chapter 5
E-commerce Security and Payment System

Careers in E-commerce
• Position: Cybersecurity Threat Management Team Trainee
• Qualification/Skills
• Preparing for the Interview
• Possible Interview Questions

Copyright © 2020 Pearson Education Ltd. All Rights Reserved

 Chapter 5

Copyright E-commerce Security and Payment System