EC Security - Payment Ch5 44

Uploaded by mh8860157

Chapter 5

E-commerce Security and Payment Systems

Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall


What Is Good E-commerce Security?
◼ To achieve highest degree of security
❖ New technologies
❖ Organizational policies and procedures
❖ Industry standards and government laws

◼ Other factors
❖ Time value of money
❖ Cost of security vs. potential loss
❖ Security often breaks at weakest link

Slide 5-2
The E-commerce Security Environment

Slide 5-3
Slide 5-4
The Tension Between Security and Other Values
◼ Ease of use
❖ The more security measures added, the more
difficult a site is to use, and the slower it
becomes
◼ Public safety and criminal uses of the
Internet
❖ Use of technology by criminals to plan crimes
or threaten nation-state

Slide 5-5
Security Threats in the E-commerce Environment

◼ Three key points of vulnerability in e-commerce environment:
1. Client
2. Server
3. Communications pipeline (Internet
communications channels)

Slide 5-6
A Typical E-commerce Transaction

Slide 5-7
Vulnerable Points in an E-commerce Transaction

Slide 5-8
Most Common Security Threats in the E-commerce Environment
◼ Malicious code (malware, exploits)
❖ Drive-by downloads
❖ Viruses
❖ Worms
❖ Ransomware
❖ Trojan horses
❖ Backdoors
❖ Bots, botnets
❖ Threats at both client and server levels

Slide 5-9
Most Common Security Threats in the E-commerce Environment
◼ Potentially unwanted programs (PUPs)
❖ Browser parasites
❖ Adware
❖ Spyware

◼ Phishing
❖ Social engineering
❖ E-mail scams
❖ Spear-phishing
❖ Identity fraud/theft

Slide 5-10
Most Common Security Threats in the E-commerce Environment
◼ Hacking
❖ Hackers vs. crackers
❖ Types of hackers: White, black, grey hats
❖ Hacktivism

◼ Cybervandalism:
❖ Disrupting, defacing, destroying Web site

◼ Data breach
❖ Losing control over corporate information to
outsiders

Slide 5-11
Most Common Security Threats in the E-commerce Environment
◼ Credit card fraud/theft
◼ Spoofing and pharming
◼ Spam (junk) Web sites (link farms)
◼ Identity fraud/theft
◼ Denial of service (DoS) attack
❖ Hackers flood site with useless traffic to
overwhelm network
◼ Distributed denial of service (DDoS) attack

Slide 5-12
Most Common Security Threats in the E-commerce Environment
◼ Sniffing
❖ Eavesdropping program that monitors
information traveling over a network
◼ Insider attacks
◼ Poorly designed server and client software
◼ Social network security issues
◼ Mobile platform security issues
❖ Vishing, smishing, madware
◼ Cloud security issues

Slide 5-13
Technology Solutions
◼ Protecting Internet communications
❖ Encryption
◼ Securing channels of communication
❖ SSL, VPNs
◼ Protecting networks
❖ Firewalls
◼ Protecting servers and clients

Slide 5-14
Tools Available to Achieve Site Security

Slide 5-15
Encryption
◼ Encryption
❖ Transforms data into cipher text readable only by
sender and receiver
❖ Secures stored information and information
transmission
❖ Provides 4 of 6 key dimensions of e-commerce
security:
◼ Message integrity
◼ Nonrepudiation
◼ Authentication
◼ Confidentiality

Slide 5-16
Symmetric Key Encryption
◼ Sender and receiver use same digital key to encrypt
and decrypt message
◼ Requires different set of keys for each transaction
◼ Strength of encryption
❖ Length of binary key used to encrypt data
◼ Data Encryption Standard (DES)
◼ Advanced Encryption Standard (AES)
❖ Most widely used symmetric key encryption
❖ Uses 128-, 192-, and 256-bit encryption keys
◼ Other standards use keys with up to 2,048 bits

Slide 5-17
Public Key Encryption
◼ Uses two mathematically related digital keys
❖ Public key (widely disseminated)
❖ Private key (kept secret by owner)

◼ Both keys used to encrypt and decrypt message
◼ Once key used to encrypt message, same key
cannot be used to decrypt message
◼ Sender uses recipient’s public key to encrypt
message; recipient uses private key to decrypt it

Slide 5-18
Public Key Cryptography: A Simple Case

Slide 5-19
Public Key Encryption using Digital Signatures and
Hash Digests
◼ Hash function:
❖ Mathematical algorithm that produces fixed-
length number called message or hash digest
◼ Hash digest of message sent to recipient along with
message to verify integrity
◼ Hash digest and message encrypted with recipient’s
public key
◼ Entire cipher text then encrypted with recipient’s
private key—creating digital signature—for
authenticity, nonrepudiation
Slide 5-20
Public Key Cryptography with Digital Signatures

Slide 5-21
Digital Envelopes
◼ Address weaknesses of:
❖ Public key encryption
◼ Computationally slow, decreased transmission speed,
increased processing time
❖ Symmetric key encryption
◼ Insecure transmission lines

◼ Uses symmetric key encryption to encrypt document
◼ Uses public key encryption to encrypt and send
symmetric key

Slide 5-22
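The slides on symmetric keys, public keys, hash digests, digital signatures and digital envelopes (5-16 to 5-22) describe one combined flow. The following Go program is an added example, not code from the deck or the textbook, showing that flow end to end with Go's standard library: AES-GCM for the symmetric layer, RSA-OAEP to wrap the one-time symmetric key under the recipient's public key, and SHA-256 plus RSA-PSS for the signature. The signature is made with the sender's private key and checked with the sender's public key, which is what lets the recipient confirm who sent the document. The key pairs, the sample order text and the function names are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// gcmFor builds an AES-GCM cipher from a 128-, 192- or 256-bit key (the key
// sizes the symmetric key slide names); any other length is rejected.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// symmetricSeal encrypts plaintext; the random nonce is prepended to the output.
func symmetricSeal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// symmetricOpen reverses symmetricSeal. GCM's authentication tag turns any
// modified ciphertext byte into an error instead of garbage plaintext.
func symmetricOpen(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Envelope is the slides' digital envelope plus a digital signature: the
// document travels under a one-time symmetric key, that key travels under
// the recipient's public key, and the sender signs the document's digest.
type Envelope struct {
	SealedDoc []byte // AES-GCM ciphertext of the document
	SealedKey []byte // RSA-OAEP ciphertext of the one-time AES key
	Signature []byte // RSA-PSS signature by the sender over SHA-256(document)
}

// Seal is the sender's side: wrap the one-time key with the recipient's
// public key and sign the hash digest with the sender's private key.
func Seal(doc []byte, sender *rsa.PrivateKey, recipient *rsa.PublicKey) (*Envelope, error) {
	key := make([]byte, 32) // fresh 256-bit AES key, used for this document only
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	sealedDoc, err := symmetricSeal(key, doc)
	if err != nil {
		return nil, err
	}
	sealedKey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(doc)
	sig, err := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{SealedDoc: sealedDoc, SealedKey: sealedKey, Signature: sig}, nil
}

// Open is the recipient's side: only the recipient's private key unwraps the
// AES key, and only the sender's public key verifies the signature.
func Open(env *Envelope, recipient *rsa.PrivateKey, sender *rsa.PublicKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, env.SealedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap key: %w", err)
	}
	doc, err := symmetricOpen(key, env.SealedDoc)
	if err != nil {
		return nil, fmt.Errorf("decrypt document: %w", err)
	}
	digest := sha256.Sum256(doc)
	if err := rsa.VerifyPSS(sender, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
		return nil, fmt.Errorf("signature check: %w", err)
	}
	return doc, nil
}

func main() {
	alice, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed sender key pair
	bob, _ := rsa.GenerateKey(rand.Reader, 2048)   // constructed recipient key pair
	env, _ := Seal([]byte("order 4711: 2 x widget, total 19.90"), alice, &bob.PublicKey)
	doc, err := Open(env, bob, &alice.PublicKey)
	fmt.Printf("opened %q (err=%v)\n", doc, err)
}
```

Opening the envelope fails, rather than returning altered text, when a ciphertext byte is changed in transit, when the wrong recipient key is used, or when the signature was made by someone other than the claimed sender; those three failures are the message integrity, confidentiality, and authentication/nonrepudiation the encryption slide lists. The one-time AES key also answers the digital-envelope slide's point about speed: the slow public-key operation is applied only to 32 bytes, not to the whole document.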
Creating a Digital Envelope

Slide 5-23
Digital Certificates and Public Key Infrastructure (PKI)
◼ Digital certificate includes:
❖ Name of subject/company
❖ Subject’s public key
❖ Digital certificate serial number
❖ Expiration date, issuance date
❖ Digital signature of CA (certification authority)

◼ Public Key Infrastructure (PKI):
❖ CAs and digital certificate procedures
❖ PGP (e-mail public key encryption software tool)
❖ PGP = Pretty Good Privacy
Slide 5-24
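As an added example (not code from the deck or the textbook), the following Go program builds the objects the digital certificate slide describes with the standard library's crypto/x509: a self-signed certification authority, a server certificate carrying the subject name, the subject's public key, a serial number, issuance and expiration dates and the CA's signature, and the verification a client performs before trusting it. The CA name, the host name shop.example, the serial number and the validity periods are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue has the issuer sign template and returns the parsed certificate;
// passing the same certificate as template and issuer makes it self-signed.
func issue(template, issuer *x509.Certificate, pub crypto.PublicKey, issuerKey crypto.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, issuer, pub, issuerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA creates a self-signed certification authority valid for ten years.
func NewCA(name string, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now,
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	cert, err := issue(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// IssueServerCert has the CA sign a certificate for a merchant host name with
// the fields the slide lists: subject, public key, serial number, issuance and
// expiration dates, and the CA's signature. The server keeps the returned key.
func IssueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string, serial int64,
	notBefore, notAfter time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	cert, err := issue(tmpl, ca, &key.PublicKey, caKey)
	return cert, key, err
}

// Verify does what a browser does with a merchant's certificate: the CA
// signature must chain to a trusted root, the host name must match, and the
// check time must fall inside the validity period. A nil result means acceptable.
func Verify(cert, root *x509.Certificate, host string, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: at})
	return err
}

func main() {
	now := time.Now()
	ca, caKey, _ := NewCA("Example Root CA", now) // constructed CA, not a real one
	cert, _, _ := IssueServerCert(ca, caKey, "shop.example", 4711, now, now.Add(365*24*time.Hour))
	fmt.Printf("subject=%s serial=%s issuer=%s expires=%s\n",
		cert.Subject.CommonName, cert.SerialNumber, cert.Issuer.CommonName, cert.NotAfter.Format(time.RFC3339))
	fmt.Println("today:", Verify(cert, ca, "shop.example", now.Add(24*time.Hour)))
	fmt.Println("wrong host:", Verify(cert, ca, "evil.example", now.Add(24*time.Hour)))
	fmt.Println("after expiry:", Verify(cert, ca, "shop.example", now.Add(400*24*time.Hour)))
}
```

Verify performs the same checks a TLS client applies to a merchant's certificate before a secure session is negotiated. Note what it cannot see, which is the point of the "Limits to Encryption Solutions" slide: a certificate that passes every check says nothing about whether the server's private key has been stored safely or copied by an insider.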
Digital Certificates and Certification Authorities

Slide 5-25
Limits to Encryption Solutions
◼ Doesn’t protect storage of private key
❖ PKI not effective against insiders, employees
❖ Protection of private keys by individuals may
be haphazard
◼ No guarantee that verifying computer of
merchant is secure
◼ CAs are unregulated, self-selecting
organizations

Slide 5-26
Securing Channels of Communication
◼ Secure Sockets Layer (SSL)/Transport
Layer Security (TLS)
❖ Establishes secure, negotiated client–server
session
◼ Virtual Private Network (VPN)
❖ Allows remote users to securely access
internal network via the Internet
◼ Wireless (Wi-Fi) networks
❖ WPA2 (Wireless security standard)

Slide 5-27
Secure Negotiated Sessions Using SSL/TLS

Slide 5-28
Protecting Networks
◼ Firewall
❖ Hardware or software
❖ Uses security policy to filter packets
❖ Two main methods:
◼ Packet filters
◼ Application gateways
◼ Proxy servers (proxies)
❖ Software servers that handle all
communications from or sent to the Internet
◼ Intrusion detection systems
◼ Intrusion prevention systems
Slide 5-29
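The packet-filter method the slide mentions amounts to matching a packet's header fields against an ordered security policy. The Go program below is an added example (not code from the deck or the textbook) of that logic, with a constructed policy for a single merchant web host and constructed addresses from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24. Rules are evaluated first match wins, and a packet no rule covers is dropped, the default-deny stance a firewall policy should take; the type and function names are this example's own.

```go
package main

import (
	"fmt"
	"net"
)

// Packet holds the header fields this filter looks at. The destination is
// omitted because the policy below guards one host.
type Packet struct {
	Src     net.IP
	Proto   string // "tcp", "udp" or "icmp"
	DstPort uint16
}

// Rule is one line of the firewall's security policy. An empty Proto or a
// zero DstPort matches any protocol or any port.
type Rule struct {
	Allow   bool
	Src     *net.IPNet
	Proto   string
	DstPort uint16
	Comment string
}

func (r Rule) matches(p Packet) bool {
	return r.Src.Contains(p.Src) &&
		(r.Proto == "" || r.Proto == p.Proto) &&
		(r.DstPort == 0 || r.DstPort == p.DstPort)
}

// Filter applies the policy first-match-wins and reports the decision and the
// rule that made it. A packet matching no rule is dropped (default deny).
func Filter(rules []Rule, p Packet) (allowed bool, reason string) {
	for _, r := range rules {
		if r.matches(p) {
			return r.Allow, r.Comment
		}
	}
	return false, "default deny"
}

// cidr parses a network prefix; the policy is static, so a typo is fatal.
func cidr(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// DMZPolicy is a constructed policy for a merchant's web tier: anyone may reach
// the web ports, only the admin network may reach SSH, and the explicit SSH
// deny exists so that logs name the rule instead of "default deny".
func DMZPolicy() []Rule {
	return []Rule{
		{Allow: true, Src: cidr("0.0.0.0/0"), Proto: "tcp", DstPort: 443, Comment: "HTTPS storefront"},
		{Allow: true, Src: cidr("0.0.0.0/0"), Proto: "tcp", DstPort: 80, Comment: "HTTP redirect to HTTPS"},
		{Allow: true, Src: cidr("10.0.0.0/8"), Proto: "tcp", DstPort: 22, Comment: "SSH from admin network"},
		{Allow: false, Src: cidr("0.0.0.0/0"), Proto: "tcp", DstPort: 22, Comment: "SSH from the Internet"},
	}
}

func main() {
	// Constructed sample packets arriving at the web host 203.0.113.10.
	for _, p := range []Packet{
		{Src: net.ParseIP("198.51.100.7"), Proto: "tcp", DstPort: 443},
		{Src: net.ParseIP("198.51.100.7"), Proto: "tcp", DstPort: 22},
		{Src: net.ParseIP("10.1.2.3"), Proto: "tcp", DstPort: 22},
		{Src: net.ParseIP("198.51.100.7"), Proto: "tcp", DstPort: 3306},
	} {
		ok, why := Filter(DMZPolicy(), p)
		fmt.Printf("%-14s -> 203.0.113.10:%-4d allow=%-5v (%s)\n", p.Src, p.DstPort, ok, why)
	}
}
```

The last sample packet, a database port reached from the Internet, is dropped by the default rule even though nobody wrote a rule about it; that is the property a packet filter gives that an application gateway or proxy then refines by inspecting the traffic it does admit.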
Firewalls and Proxy Servers

Slide 5-30
Protecting Servers and Clients
◼ Operating system security
enhancements
❖ Upgrades, patches

◼ Anti-virus software
❖ Easiest and least expensive way to prevent
threats to system integrity
❖ Requires daily updates

Slide 5-31
Management Policies, Business Procedures, and Public Laws
◼ Worldwide, companies spend more than
$65 billion on security hardware,
software, services
◼ Managing risk includes:
❖ Technology
❖ Effective management policies
❖ Public laws and active enforcement

Slide 5-32
A Security Plan: Management Policies
◼ Risk assessment
◼ Security policy
◼ Implementation plan
❖ Security organization
❖ Access controls
❖ Authentication procedures, including biometrics
❖ Authorization policies, authorization management
systems
◼ Security audit

Slide 5-33
Developing an E-commerce Security Plan

Slide 5-34
The Role of Laws and Public Policy
◼ Laws that give authorities tools for identifying,
tracing, prosecuting cybercriminals:
❖ National Information Infrastructure Protection Act of
1996
❖ USA Patriot Act
❖ Homeland Security Act

◼ Private and private-public cooperation
❖ CERT Coordination Center
❖ US-CERT

◼ Government policies and controls on encryption software
❖ OECD, G7/G8, Council of Europe, Wassenaar Arrangement

Slide 5-35
