Chapter 5 E-Commerce

Uploaded by Mukesh Kumar

E-commerce Security and Payment Systems

Dr. Mayank Yadav
Assistant Professor
School of Management
National Institute of Technology Rourkela
Learning Objectives

5.1 Understand the scope of e-commerce crime and security problems, the key dimensions of e-commerce security, and the tension between security and other values.

5.2 Identify the key security threats in the e-commerce environment.

5.3 Describe how technology helps to secure Internet communications channels and protect networks, servers, and clients.

5.4 Appreciate the importance of policies, procedures, and laws in creating security.

5.5 Identify the major e-commerce payment systems in use today.

Cybersecurity Challenges in E-Commerce

Vulnerability of Internet Systems: Systems that rely on the Internet are increasingly exposed to large-scale attacks, highlighting a significant security concern.

Global Criminal Organizations: Organized gangs of criminals are increasingly leading these attacks, reflecting an unintended consequence of globalization.

Nation-Sponsored Threats: There is a growing number of large-scale attacks on critical infrastructure and companies that are orchestrated and funded by various nations, raising the stakes for cybersecurity.

Challenges in Anticipating Attacks: Both businesses and government organizations find it challenging to anticipate and counter these sophisticated attacks, indicating a need for improved security measures.

Focus on E-Commerce Security: The chapter will explore security risks in e-commerce, detailing available solutions and examining major payment methods to ensure a secure payment environment.
WHAT’S NEW IN E-COMMERCE SECURITY 2022–2023

Increased Security Challenges Post-Pandemic: The Covid-19 pandemic has intensified security issues, including remote employee access vulnerabilities, rising phishing incidents, and challenges in handling increased e-commerce traffic securely.

Rising Mobile and Cryptocurrency-Related Threats: Mobile malware is becoming a major threat as mobile payments grow, while hacking related to cryptocurrencies has also seen a significant rise.

Escalating Cyberwarfare and DDoS Attacks: The Russia-Ukraine conflict has led to an increase in cyberwarfare, with DDoS attacks now capable of slowing down Internet services at a national level.

Focus on Social Networks and Hacktivism: Hackers are targeting social networks for social engineering attacks, while politically motivated hacktivist groups are merging with financially motivated criminals to target financial systems.

Software Vulnerabilities and Supply Chain Attacks: Vulnerabilities such as Log4j and zero-day exploits, along with increasing software supply chain attacks like the SolarWinds incident, are major ongoing security threats.
THE E-COMMERCE SECURITY ENVIRONMENT

Promise of a Global Marketplace: The Internet offers law-abiding users a convenient global marketplace for people, goods, services, and businesses.

Opportunities for Criminal Activity: For criminals, the Internet provides lucrative opportunities to steal products, money, and information from over 4.5 billion users, often with reduced risk compared to physical theft.

Anonymity and Vulnerability: The potential for anonymity allows criminals to impersonate others or commit fraud, and the open design of the Internet lacks basic security features found in older, more secure networks.

Costs of Cybercrime: Cybercriminal actions impose significant costs on businesses and consumers, including higher prices, increased security measures, and recovery expenses from cyberattacks.

Impact on Trust and Business: Cyberattacks lead to reputational damage, reduced trust in online activities, loss of sensitive information, and opportunity costs due to service disruptions.
THE SCOPE OF THE PROBLEM

• Growing Cost of Cybercrime: Cybercrime is a major issue for organizations and consumers, with estimated global costs of over $1 trillion in 2020, increasing to more than $6 trillion in 2021, and expected to reach $11 trillion by 2025.

• Underreporting and Quantification Challenges: Many companies are hesitant to report cybercrimes due to fear of losing customer trust, and even when reported, quantifying the exact financial loss can be challenging.

• High Costs of Data Breaches: Data breaches are one of the most common types of cybercrime, with an average cost of $4.2 million per breach globally, rising to $9 million in the U.S., with healthcare and financial services among the most affected sectors.

• Underground Economy Marketplaces: Stolen information is often sold in underground marketplaces, such as the Dark Web, where data like credit card details, bank login credentials, and personal information are traded at varying prices.

• Dynamic and Evolving Threat Landscape: Cybercrime is continuously evolving with new risks emerging daily, requiring e-commerce managers to stay up to date with the latest security techniques to protect against various criminal threats.
Concept of Good E-commerce Security

Common Risks in E-Commerce: E-commerce shares many of the risks found in traditional commerce, including theft, fraud, and vandalism, but these take place in a digital environment.

Multi-Layered Security Approach: Effective e-commerce security involves a combination of technologies, organizational policies, procedures, and industry standards or government laws to reduce risks.

Role of Laws and Policies: Security technologies alone are insufficient; organizational policies and procedures must ensure proper implementation, while laws and industry standards are needed for enforcement and prosecution of offenders.

Balance Between Cost and Security: Security must be balanced with costs, as absolute security is impossible; instead, it is often sufficient to protect information for a specific period of time, considering its time value.

Weakest Link Principle: Security is only as strong as its weakest link, meaning that proper management of all security measures—including technologies, keys, and processes—is essential for a secure e-commerce environment.
THE E-COMMERCE SECURITY ENVIRONMENT

The Dimensions of E-commerce Security

Integrity: Ensures information is not altered by unauthorized parties during transmission or display.

Nonrepudiation: Ensures participants cannot deny their online actions or transactions.

Authenticity: Confirms the identity of individuals or entities involved in e-commerce interactions.

Confidentiality: Ensures that only authorized individuals can access messages and data.

Privacy: Controls the use of personal information shared with e-commerce merchants.

Availability: Ensures e-commerce sites or apps function properly and remain accessible.
CUSTOMER AND MERCHANT PERSPECTIVES ON THE DIFFERENT DIMENSIONS OF E-COMMERCE SECURITY

SECURITY THREATS IN THE E-COMMERCE ENVIRONMENT

Vulnerability Points: Key vulnerabilities exist at the client, server, and communication pipeline levels.

Common Threats: Include malicious code, phishing, hacking, data breaches, and credit card fraud/theft.

Cyber Attacks: Threats such as spoofing, pharming, DoS/DDoS attacks, and sniffing pose significant risks.

Emerging Issues: Security challenges also arise from social networks, mobile platforms, cloud computing, IoT, and the metaverse.
VULNERABLE POINTS IN AN E-COMMERCE TRANSACTION
About Malicious Code
Definition and Types of Malicious Code:

Malicious code (malware) includes threats like viruses, worms, ransomware, Trojan horses, and bots.

Exploits target software vulnerabilities in operating systems, web browsers, and applications.

Intent and Evolution:

Originally created by amateur hackers to impair computers.

Increasingly used by organized groups or nation-state-supported actors to steal sensitive information.

Exploit Kits and Methods of Distribution:

Exploit kits are bundles of exploits sold as commercial products, often requiring minimal technical skill
to use.
Malware is delivered through email attachments, malicious links, drive-by downloads, and malvertising.

Common methods include embedding malware in PDFs or through online advertising networks
(malvertising).
Different Types of Malware

Virus: Replicates itself and delivers a payload, which can be benign or destructive.

Worm: Spreads from computer to computer; does not require user activation (e.g., Slammer and Conficker worms).

Ransomware: Encrypts files and demands ransom for decryption (e.g., Cryptolocker, WannaCry).

Trojan Horse: Appears benign but contains malicious code (e.g., Zeus, Emotet).

Bots: Covertly installed on computers to form botnets, used for malicious activities such as DDoS attacks.
Different Types of Malware

Malware Threat Levels:

Threats exist at both client and server levels.

Server attacks are less frequent but can take down entire websites, whereas client-level attacks are more common and spread easily.

Countermeasures and Security Improvements:

Ad blockers can prevent malvertising.

Major browsers and companies are blocking autoplaying ads and moving away from Adobe Flash, favoring HTML5.

Governments and industry leaders collaborate to fight botnets, with varying success.
NOTABLE EXAMPLES OF MALICIOUS CODE

Malware: Difference Between Computer Viruses, Worms and Trojans

https://www.youtube.com/watch?v=n8mbzU0X2nQ
Phishing

Social Engineering and Phishing:

Social engineering exploits human emotions (curiosity, greed, gullibility, fear) to trick individuals into granting hackers access to computer systems or downloading malware.

Example: In 2021, Robinhood experienced a data breach due to a social engineering attack where a hacker convinced a support representative to install remote access software.

Definition and Tactics of Phishing:

Phishing involves deceptive attempts by third parties to obtain confidential information for financial gain.

It typically relies on social engineering rather than malicious code.

A common example is the "Nigerian letter" scam, which has become more sophisticated over time.
Phishing

Business Email Compromise (BEC):

A variation of Nigerian letter scams where attackers pose as high-level employees and request fund transfers to fraudulent accounts.

BEC phishing often targets payroll or HR personnel for sensitive employee information.

Global losses from BEC phishing exceeded $43 billion between 2016 and 2021.

Spear Phishing:

Attackers send emails pretending to be from trusted organizations, targeting known customers to obtain account information.

Millions of phishing emails are sent daily, with LinkedIn being the most imitated brand in early 2022.
Phishing

Phishing Tactics:

Phishers use email, social media, and text messaging to deceive recipients into giving out personal information.

Fake chatbots are used to build trust.

Phishing websites often "spoof" legitimate institutions and may install malware, such as keyloggers, on victims' devices.

Example: Meta's lawsuit in 2021 targeted phishing schemes involving 39,000 fake websites intended to deceive users into sharing login credentials.

Impact of Phishing:

Phishers gather personal information to commit fraudulent acts, including charging items to credit cards, withdrawing funds from bank accounts, and identity fraud.
DMARC.org and Phishing Prevention

DMARC.org is an initiative involving major email providers and financial services to combat email spoofing.

DMARC (Domain-based Message Authentication, Reporting, and Conformance) protocol authenticates email origins and prevents spoofing.

Adoption of DMARC is growing, with over 75% of Fortune 500 companies using it, though full enforcement is limited.

Given the rise in BEC phishing, more companies are expected to adopt DMARC.
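To make the mechanism concrete, here is an added example (not from the slides) that parses a DMARC record and applies its alignment and policy rules to a message's SPF/DKIM outcome; the domains and records are constructed placeholders. It shows why a record at p=none only reports a spoofed message while p=reject stops it, which is the "full enforcement" gap the slide mentions.

```python
"""Evaluate a DMARC policy the way a receiving mail server would.

Added example, not from the slides: the DMARC records and the SPF/DKIM
results below are constructed for illustration (example.test and
monitor-only.test are placeholder domains). The alignment rules follow
RFC 7489 in simplified form; real receivers also use the Public Suffix List.
"""
from dataclasses import dataclass

# Constructed records as they would be published in DNS at _dmarc.<domain>.
SAMPLE_RECORDS = {
    "example.test": "v=DMARC1; p=reject; rua=mailto:dmarc@example.test; adkim=s; aspf=r",
    "monitor-only.test": "v=DMARC1; p=none; rua=mailto:reports@monitor-only.test",
}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict and fill RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: missing v=DMARC1 or p=")
    tags.setdefault("adkim", "r")  # relaxed DKIM alignment unless stated
    tags.setdefault("aspf", "r")   # relaxed SPF alignment unless stated
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, approximated here as the last two labels."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') accepts any
    subdomain of the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResult:
    from_domain: str   # domain in the RFC5322.From header the user sees
    spf_pass: bool
    spf_domain: str    # MAIL FROM domain that SPF was evaluated against
    dkim_pass: bool
    dkim_domain: str   # d= of a passing DKIM signature, "" if none


def dmarc_disposition(record: str, result: AuthResult) -> str:
    """Return 'pass', or the domain owner's requested action on failure
    ('none' = deliver and only report, 'quarantine', 'reject')."""
    policy = parse_dmarc(record)
    spf_ok = result.spf_pass and aligned(result.spf_domain, result.from_domain, policy["aspf"])
    dkim_ok = result.dkim_pass and aligned(result.dkim_domain, result.from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return policy["p"]


def spoof_check(from_domain: str, sender_domain: str) -> str:
    """The classic spoof: an unsigned message whose SPF passed only for the
    sender's own, unrelated domain while the visible From is someone else's."""
    result = AuthResult(from_domain, True, sender_domain, False, "")
    return dmarc_disposition(SAMPLE_RECORDS[from_domain], result)
```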
HACKING, CYBERVANDALISM, AND HACKTIVISM

Definition of Hackers and Crackers:

A hacker is someone who gains unauthorized access to computer systems.

In the hacking community, "cracker" refers to a hacker with criminal intent, though in public, both terms are often used interchangeably.

Hackers and crackers exploit security weaknesses to gain access to websites and systems.

Evolution of Hacking Intent:

Previously, hackers were often enthusiasts interested in the challenge of breaking into systems.

Today, many hackers have malicious intent, such as disrupting, defacing (cybervandalism), or stealing data for financial gain (data breach).

During the Covid-19 pandemic, "Zoombombing" became a new form of cybervandalism, where hackers disrupted Zoom meetings with offensive content.
Hacktivism

Hacktivism combines hacking with political motives.

Hacktivists attack governments, organizations, and individuals using tactics like cybervandalism, DDoS attacks, data thefts, and doxing.

They believe in free information sharing and often expose secret information as part of their mission.

Notorious hacktivist groups include WikiLeaks, LulzSec, Anonymous, and the Shadow Brokers (responsible for releasing NSA hacking tools used in the WannaCry ransomware attack).

Ethical Hacking:

Organizations hire ethical hackers to test their security by attempting to break into their systems.

Ethical hackers operate under agreements to avoid prosecution and are sometimes rewarded with monetary "bug bounties."

Major tech companies (e.g., Apple, Microsoft, Intel) and blockchain firms offer bounties to hackers who discover vulnerabilities in their systems.

Hackers Seeking Prestige:

Some hackers seek prestige rather than financial gain by discovering and publishing security flaws without causing disruption.

Their actions can be controversial, as publicizing flaws may help other criminals exploit the system.
What Is Ethical Hacking?
https://www.youtube.com/watch?v=XLvPpirlmEs
DATA BREACHES

Definition of Data Breach

• A data breach occurs when an organization loses control over corporate information, including personal data of customers and employees, to unauthorized outsiders.

2021 Data Breach Statistics

• In 2021, there were 1,862 data breaches, impacting over 293 million people—a 68% increase from 2020.

• Malicious attacks (e.g., phishing, ransomware) caused over 85% of breaches, while human/system errors caused about 10%.

• More than 80% of breaches involved sensitive records, such as full names and Social Security numbers.

Credential Stuffing Attacks

Data breaches enable credential stuffing, a type of brute force attack where hackers use botnets and automated tools to exploit known usernames and passwords from breached data.

Credential stuffing is especially prevalent in financial services, with over 193 billion attacks observed in 2020.
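An added detection example, not from the slides, that flags the credential-stuffing pattern in constructed authentication log lines (the log format is hypothetical) and lists the accounts the replayed list actually opened, which are the ones that need a forced password reset.

```python
"""Spot credential stuffing in authentication logs.

Added example, not from the slides: the log lines are constructed and the
log format is hypothetical. The tell-tale pattern is one source address
cycling through many distinct usernames with mostly failed logins inside a
short window, which is how a replayed breach list looks and unlike one
person mistyping their own password a few times.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: 203.0.113.7 replays a leaked list; 198.51.100.4 is a
# real user who mistypes twice (both addresses are documentation ranges).
SAMPLE_LOG = """\
2024-03-01T10:00:01 ip=203.0.113.7 user=alice result=fail
2024-03-01T10:00:02 ip=203.0.113.7 user=bob result=fail
2024-03-01T10:00:02 ip=203.0.113.7 user=carol result=fail
2024-03-01T10:00:03 ip=203.0.113.7 user=dave result=ok
2024-03-01T10:00:03 ip=203.0.113.7 user=erin result=fail
2024-03-01T10:00:04 ip=203.0.113.7 user=frank result=fail
2024-03-01T10:00:10 ip=198.51.100.4 user=grace result=fail
2024-03-01T10:00:15 ip=198.51.100.4 user=grace result=fail
2024-03-01T10:00:20 ip=198.51.100.4 user=grace result=ok
"""


def parse_log(text: str) -> list:
    """Return (timestamp, ip, user, success) tuples; skip unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["ip"],
                           m["user"], m["result"] == "ok"))
    return events


def find_credential_stuffing(events, window=timedelta(minutes=5),
                             min_users=5, max_success_ratio=0.5) -> dict:
    """Per source IP, slide a time window over its attempts and flag the IP
    once it has tried >= min_users distinct usernames with a low success
    ratio. Returns {ip: {"users": n, "attempts": n, "successes": n}}."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Drop events older than `window` relative to the current one.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            users = {user for _, user, _ in span}
            successes = sum(1 for _, _, ok in span if ok)
            if len(users) >= min_users and successes / len(span) <= max_success_ratio:
                flagged[ip] = {"users": len(users), "attempts": len(span),
                               "successes": successes}
    return flagged


def compromised_accounts(events, flagged: dict) -> set:
    """Accounts a flagged IP logged into successfully: the credentials the
    attacker has now confirmed, which need a forced reset and a review."""
    return {user for _, ip, user, ok in events if ok and ip in flagged}
```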

Notable Data Breaches

Yahoo: Exposed data of 3 billion users, making it the largest breach in history.

Marriott International: Exposed personal data of nearly 400 million customers through its Starwood reservation system.

Equifax: Unpatched software allowed access to data of about 147 million U.S. consumers.

T-Mobile (2021): Exposed personal records of over 50 million customers in its third major data breach in two years.
CREDIT CARD FRAUD/THEFT

Fear and Prevention of Credit Card Theft

• Theft of credit card data online is a major concern, discouraging users from making online purchases.

• Merchants use techniques such as automated fraud detection, manual order reviews, and additional security checks (e.g., CVV codes) to combat fraud.

Liability and Costs of Credit Card Fraud

• U.S. federal law limits individual liability to $50 for fraudulent charges.

• Credit card companies and merchants often bear losses, leading to higher interest rates and prices to cover costs.

Shift to EMV Technology

The U.S. is transitioning to EMV credit cards with computer chips, which are more secure than magnetic strips.

EMV cards support contactless payments but cannot fully prevent data breaches.

Causes of Credit Card Fraud

Previously, fraud was caused by lost/stolen cards, employee theft, and stolen identities.

Today, hacking and looting of corporate servers holding credit card information is the leading cause.

Identity Verification Challenges

Establishing a customer’s identity online is challenging, posing higher risks for e-commerce.

U.S. federal laws, like the E-Sign Act, give digital signatures legal authority, supporting the use of e-signatures in various sectors.

E-signature solutions like DocuSign and Adobe Sign use multi-factor authentication and encryption to verify identities.
IDENTITY FRAUD

• Unauthorized Use: Involves unauthorized use of personal data, like social security and credit card numbers, for illegal financial benefit.

• Financial Gain: Criminals use identity fraud to obtain loans, purchase merchandise, or access services.

• Fraud Techniques: Techniques such as spyware, phishing, data breaches, and credit card theft are employed for identity fraud.

• Consumer Loss: In 2021, about 15 million U.S. consumers suffered identity fraud, resulting in $24 billion in losses.

• Account Fraud: New account fraud rose by over 100%, and account takeover losses increased by 90% in 2021.
SPOOFING, PHARMING, AND SPAM (JUNK) WEBSITES

Spoofing Identity: Involves hiding a true identity by using someone else's email or IP address.

Pharming Redirection: Automatically redirects web links to unintended addresses, masquerading as the intended site.

Spam Websites: Junk websites that promise products or services but are mostly filled with advertisements.

Sniffer Monitoring: A program that eavesdrops by monitoring information traveling over a network.

Threat Integrity: Spoofing and pharming do not damage files but threaten site integrity and authenticity.
SNIFFING AND MAN-IN-THE-MIDDLE ATTACKS

Network Eavesdropping: Sniffers monitor information on a network, potentially stealing passwords, emails, and confidential data.

Legitimate vs Malicious: Sniffers can be used for network troubleshooting or for criminal purposes.

Active Interception: Man-in-the-middle attacks actively intercept communications between two parties.

Communication Control: Attackers in MitM attacks can alter the contents of intercepted communications.
DENIAL OF SERVICE (DoS) AND DISTRIBUTED DENIAL OF SERVICE (DDoS) ATTACKS
Flooding Websites: DoS attacks involve flooding a website with a high volume of useless
pings or page requests, which overwhelms the site's servers and results in shutdowns, making
it inaccessible to users. This disruption is especially costly for e-commerce sites that lose
sales and suffer reputation damage during outages.

Distributed Attacks: In a Distributed Denial of Service (DDoS) attack, hackers use botnets
composed of thousands of compromised computers to launch coordinated attacks from
multiple points, making the attack harder to mitigate. These attacks can indefinitely shut
down a target network, causing significant operational damage.

IoT Vulnerability: The growing number of Internet of Things (IoT) devices has created new
vulnerabilities, as hackers use these connected devices to form botnets for launching DDoS
attacks. High-profile examples include the Mirai botnet, which took down major websites by
overwhelming their servers with traffic from infected IoT devices.

Smokescreening: DDoS attacks are often used as a diversion while hackers carry out more
harmful activities, such as inserting malware or stealing data. The chaos of a DDoS attack
can distract security teams, allowing attackers to infiltrate systems unnoticed.
INSIDER ATTACKS
Internal Threats: Insider attacks pose the largest financial threat to businesses,
often surpassing external attacks such as robberies. Employees with access to
sensitive data can embezzle funds or misuse information, resulting in significant
financial damage.

Increasing Incidents: The frequency and costs of insider attacks have risen
significantly. According to a Proofpoint/Ponemon Institute survey, the average
annual cost of insider threats increased by over 33% to $15.4 million between
2019 and 2021, highlighting their growing impact on organizations.

Access to Privileged Information: Insiders often have unrestricted access to an organization's systems, and inadequate internal security measures allow them to move without leaving a trace. This access makes it easier for employees to steal data or disrupt services without detection.

Unintentional Data Breaches: Not all insider incidents are malicious; some are
accidental due to user carelessness. Unintentional data breaches can still be highly
damaging, making it crucial for companies to address both intentional and
accidental risks.
POORLY DESIGNED SOFTWARE

SQL Injection Vulnerabilities: Poorly coded software, especially in web applications, can be vulnerable to SQL injection (SQLi) attacks. SQLi exploits improper input validation, allowing attackers to inject malicious code and gain unauthorized access to databases.
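The flaw just described beside its fix, as an added example that is not from the slides: a hypothetical user lookup against an in-memory SQLite table with constructed rows, run once with the textbook always-true input to show what the string-built query leaks and what the parameterized one does not.

```python
"""SQL injection: the flaw the slide describes beside its fix.

Added example, not code from the slides. An in-memory SQLite table with
constructed rows stands in for the shop's database; the user lookup is
hypothetical. The hostile input is the textbook one: it closes the quoted
string and appends a condition that is always true.
"""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@shop.test"), ("bob", "bob@shop.test")])
    return conn


def find_user_vulnerable(conn, username: str) -> list:
    # Deliberately vulnerable: input is pasted into the SQL text, so quote
    # characters in it change the query's structure instead of being data.
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username: str) -> list:
    # Parameterized query: the value travels separately from the statement
    # and is never parsed as SQL, whatever characters it contains.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def valid_username(username: str) -> bool:
    """Allow-list input validation, the second layer the slide calls for:
    reject anything that is not a plausible username before it reaches SQL."""
    return USERNAME_RE.match(username) is not None


def demo() -> dict:
    conn = make_db()
    hostile = "x' OR '1'='1"
    return {
        "vulnerable": find_user_vulnerable(conn, hostile),  # every row leaks
        "safe": find_user_safe(conn, hostile),              # no such user
        "validated": valid_username(hostile),               # rejected up front
        "normal": find_user_safe(conn, "alice"),
    }
```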

Complexity and Time Pressures: Increasing software complexity and market pressures for timely delivery have led to a rise in software flaws, making systems more vulnerable to security threats.

Frequent Vulnerabilities: Each year, thousands of vulnerabilities are identified in software, ranging from web browsers to mobile operating systems. In 2021, the US-CERT National Vulnerability database recorded over 18,000 software vulnerabilities, underscoring the widespread risks in software.

Zero-Day Vulnerabilities: Zero-day vulnerabilities are previously unknown software flaws that have no existing patch. These vulnerabilities are considered one of the biggest security risks, as they are exploited before a fix is available, often causing significant harm.

Open Communication Ports: Many operating systems have open communication ports, such as TCP port 445 or port 443, which are prone to attacks. Given the design objectives, even operating systems like Linux and Macintosh contain exploitable vulnerabilities.
SOCIAL NETWORK SECURITY ISSUES
Rich Environment for Attacks: Social networks such as Facebook, Instagram, and Twitter
provide fertile ground for hackers to conduct various attacks, including identity fraud, phishing,
and click hijacking.

Social Engineering Attacks: Many attacks on social networks exploit social engineering,
tricking users into clicking malicious links, sharing information, or installing malware through
deceptive tactics like fake events, fake apps, or reactions.

Notorious Incidents: In 2020, hackers took over prominent Twitter accounts via a social
engineering hack and posted a Bitcoin scam, showcasing the vulnerabilities of social networks
to such attacks.

Ineffective Policing by Platforms: Social networks have been poor at preventing these attacks, as they often fail to adequately remove malicious accounts and do not certify apps as malware-free, leaving users vulnerable.
MOBILE PLATFORM SECURITY ISSUES

Malware and Vulnerabilities: Mobile malware, especially on Android devices, is prevalent due to poorly regulated third-party app stores. Android and iOS are susceptible to malicious apps, spyware like Pegasus, and browser-based malware.

Increased Exposure: Mobile devices are loaded with personal and financial information, making them prime targets for hackers. Users often underestimate the vulnerabilities in smartphones compared to computers.

Smishing Attacks: SMS phishing (smishing) attacks exploit users' trust in text messages, directing them to malicious sites, while SMS spoofing conceals attackers' identities.

Wi-Fi and SIM Card Threats: Public Wi-Fi networks and flaws in SIM cards create vulnerabilities, allowing attackers to intercept data or gain access to devices.
CLOUD SECURITY ISSUES

• DDoS Attacks: Cloud services are vulnerable to Distributed Denial-of-Service (DDoS) attacks, which threaten their availability. The DDoS attack on Dyn is an example that caused significant disruptions to cloud services in the U.S.

• Hybrid Network Vulnerabilities: Companies using a mix of public clouds, private clouds, and on-premises systems are at higher risk due to the complexity of managing security across multiple environments.

• Public Cloud Data Security: Safeguarding data in public cloud environments is a major challenge, with more than 25% of organizations experiencing security incidents in 2021.

• Responsibility Gaps: Many organizations rely on cloud providers for security and do not take full responsibility for protecting their sensitive data, increasing the risk of breaches.
INTERNET OF THINGS SECURITY CHALLENGES
METAVERSE SECURITY ISSUES

Malware and Exploitation of New Endpoints: As the metaverse expands, malware is likely to target the virtual reality environment, including hardware used in VR/AR platforms, creating new vulnerabilities for hackers to exploit.

Physical and Psychological Threats: Attackers could manipulate virtual platforms to create physical dangers, while malicious actors might harass participants, posing both physical and psychological risks.

Identity and Digital Currency Theft: The metaverse is susceptible to identity theft and the theft of digital currencies used for transactions, similar to current Internet security issues.

Privacy Concerns: Metaverse platforms may collect and store biometric data, behavioral patterns, and personal information, raising serious privacy and data security concerns.
Protecting Internet Communications

Public Nature of Internet Communications:

• E-commerce transactions pass through many routers and servers, posing security threats.

• Unlike private networks, public networks lack dedicated communication lines, increasing vulnerability.

TOOLS AVAILABLE TO ACHIEVE E-COMMERCE SECURITY
Encryption

• Definition: Process of converting plain text into unreadable cipher text.

• Purpose:
– Secure stored information.
– Secure information during transmission.

• Security Dimensions Provided by Encryption:
– Message Integrity: Assures that the message is not altered.
– Nonrepudiation: Prevents denial of message transmission.
– Authentication: Verifies sender's identity.
– Confidentiality: Ensures message cannot be read by others.

• Types of Ciphers:
1. Substitution Cipher: Each letter is replaced systematically by another letter (e.g., "Hello" becomes "JGNNQ").
2. Transposition Cipher: Rearranges letters in a systematic way (e.g., "Hello" becomes "OLLEH").
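The two cipher types above, implemented with the slide's own inputs as an added example that is not from the slides; the 25-key brute force and the letter-count comparison show what each family does and does not hide, which is why the later slides turn to key length.

```python
"""The two classical cipher families on the slide, made concrete.

Added example, not from the slides. The substitution is a fixed alphabetic
shift: the slide's "Hello" -> "JGNNQ" is a shift of 2 with upper-case output.
The transposition is the letter reversal behind "Hello" -> "OLLEH".
"""
import string

ALPHABET = string.ascii_uppercase


def substitution_encrypt(text: str, shift: int) -> str:
    """Replace each letter by the one `shift` places later, wrapping around;
    non-letters are left as they are."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def substitution_decrypt(cipher: str, shift: int) -> str:
    return substitution_encrypt(cipher, -shift)


def transposition_encrypt(text: str) -> str:
    """Keep every letter, change only the order (here: reverse the string)."""
    return text.upper()[::-1]


def transposition_decrypt(cipher: str) -> str:
    return cipher[::-1]  # reversal is its own inverse


def brute_force_shift(cipher: str, known_word: str):
    """A shift cipher has only 25 usable keys: try them all and return the
    one whose plaintext contains a word the message is expected to hold."""
    for shift in range(1, 26):
        if known_word.upper() in substitution_decrypt(cipher, shift):
            return shift
    return None


def letter_counts(text: str) -> dict:
    """Transposition preserves letter frequencies and substitution shifts
    them, which is how an analyst tells the two families apart."""
    counts = {}
    for ch in text.upper():
        if ch in ALPHABET:
            counts[ch] = counts.get(ch, 0) + 1
    return counts
```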
Symmetric Key Cryptography
Definition: Both sender and receiver use the same secret key to encrypt and decrypt
messages. The key must be exchanged through a communication medium or in person.
Historical Use and Modern Application: Extensively used during World War II and
remains part of modern Internet cryptography.
Challenges:

• Key Sharing: Both parties must share the same key, which can be risky if sent over insecure channels.

• Security Risks: If the key is lost or stolen, the entire encryption system is compromised.

• Scalability: Requires a unique key for each communication partner, leading to impractical numbers of keys for large user populations.

Digital Encryption: Uses binary strings to transform text. The strength of encryption depends on the key length; modern keys use 128, 256, or 512 bits to resist brute-force attacks.

Encryption Standards:

• DES (Data Encryption Standard): Uses a 56-bit key, developed in the 1950s by NSA and IBM.

• Triple DES: Enhances DES by encrypting data three times.

• AES (Advanced Encryption Standard): The most widely used today, with key sizes of 128, 192, and 256 bits.
Public Key Cryptography

Definition: Uses two mathematically related keys—a public key and a private key. The public key is widely disseminated, while the private key is kept secret by the owner.

Key Exchange Solution: Solves the problem of exchanging keys by allowing either the public or private key to be used for encryption, while the other key is used for decryption.

Irreversible Mathematical Functions: Based on one-way mathematical algorithms, which make it computationally infeasible to derive one key from the other.

Security Strength: The keys are long (128, 256, 512 bits), making it difficult for even the largest and fastest computers to crack the encryption.
Public Key Cryptography Using Digital Signatures and Hash Digests

Limitations of Public Key Cryptography: Lacks authentication, nonrepudiation, and integrity, meaning the sender's identity is not verified, they could deny sending the message, and the message could be altered in transit.

Hash Function: A hash function is used to create a message digest, a fixed-length number that uniquely represents the message, to check its integrity and ensure it has not been altered during transit.

Message Encryption: The sender encrypts both the original message and its hash using the recipient's public key, ensuring confidentiality.

Digital Signature: To achieve authentication and nonrepudiation, the sender encrypts the entire cipher text block with their private key, creating a digital signature that ensures the message's authenticity.
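The digest-and-signature flow above as an added runnable example (not from the slides), using textbook RSA with constructed, seeded keys and no padding purely to expose the mechanics: the sender signs the digest with the private key, the recipient's public key gives confidentiality, and any change to the message makes verification fail. A real system uses a vetted library (RSA-PSS or Ed25519), never this toy.

```python
"""Hash digest plus digital signature: the slide's flow, runnable.

Added example, not from the slides. Textbook RSA with small constructed keys
and no padding, so the mechanics are visible; it is an illustration only and
unsuitable for real data. Key generation is seeded so that runs repeat.
"""
import hashlib
import math
import random


def _is_probable_prime(n: int, rng: random.Random, rounds: int = 20) -> bool:
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int, rng: random.Random) -> int:
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # odd, full width
        if _is_probable_prime(candidate, rng):
            return candidate


def keygen(bits: int = 512, seed: int = 1):
    """Return (public, private) as (n, e), (n, d). n must exceed the
    256-bit digest, so use bits >= 384 in this toy."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def digest(message: bytes) -> int:
    """Fixed-length message digest (SHA-256) as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(private_key, message: bytes) -> int:
    """'Encrypt the digest with the private key': only the holder of d can."""
    n, d = private_key
    return pow(digest(message), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Anyone with the public key recomputes the digest and compares it with
    the signature 'decrypted' by e; any change to the message breaks it."""
    n, e = public_key
    return pow(signature, e, n) == digest(message)


def encrypt_to(public_key, message: bytes) -> int:
    """Confidentiality: encrypt a short message to the recipient's public key."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n or message[:1] == b"\x00":
        raise ValueError("toy RSA: message too long or starts with a zero byte")
    return pow(m, e, n)


def decrypt(private_key, ciphertext: int) -> bytes:
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")
```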
Digital Certificates and Public Key Infrastructure (PKI)

Digital Identity Verification Issue: Public key cryptography alone doesn't verify that individuals or institutions are who they claim to be, which raises the need for identity authentication.

Digital Certificates: Digital certificates, issued by trusted third-party certification authorities (CAs), provide a way to verify digital identities, including a subject's name, public key, and other identifying information.

Certification Authorities (CAs): Trusted entities, such as VeriSign or government agencies, issue digital certificates and can verify the authenticity of individuals and institutions.

Public Key Infrastructure (PKI): PKI encompasses CAs and digital certificate procedures that are widely accepted, providing a framework for secure, verifiable communication online.

DIGITAL CERTIFICATES AND CERTIFICATION AUTHORITIES
Securing Channels of Communication

TLS and HTTPS: TLS (Transport Layer Security) replaced SSL (Secure Sockets Layer) as
the protocol for secure communication over the Internet. HTTPS (Secure Sockets Layer) uses
TLS to encrypt data and verify the server identity, providing a secure version of HTTP.

Digital Certificates: TLS uses digital certificates to authenticate server identities, ensuring
users are communicating with legitimate entities, especially during sensitive transactions like
online shopping.

Secure Negotiated Session: During communication, TLS establishes a secure session using
a unique session key for encryption, ensuring data confidentiality and integrity between the
browser and server.

Handshake Process: The handshake involves exchanging digital certificates and agreeing on
a session key, which is used to encrypt data for that particular session, ensuring privacy and
data security.

Server and Client Authentication: TLS primarily ensures server authentication, providing
assurance that users are communicating with a verified server. Client authentication is
optional.

HSTS and HTTPS Adoption: HTTP Strict Transport Security (HSTS) ensures that browsers
use HTTPS for secure communication. Today, about 80% of websites use HTTPS by default,
improving overall Internet security.
Virtual Private Networks (VPNs)

Secure Remote Access: VPNs allow remote users to securely connect to a local network via the Internet, providing a safe way to access private resources from anywhere.

Authentication and Encryption: VPNs use both authentication to verify users' identities and encryption to secure data, ensuring confidentiality and data integrity.

Tunneling Process: The process of connecting one protocol through another is called "tunneling." It creates a secure "tunnel" by wrapping messages in an encrypted layer, making it inaccessible to unauthorized viewers.

Virtual Secure Line: Although VPNs provide a secure connection, they are "virtual" in the sense that they are not dedicated, but rather temporary secure connections that appear like private lines to users.

Cost-Effective Solution: VPNs provide a less expensive alternative to dedicated secure connections, making them ideal for secure communications between businesses, partners, or employees working remotely.

Popularity with Remote Work: The use of VPNs has surged due to the increase in remote work, providing a reliable solution for maintaining security and connectivity for distributed teams.
Security Issues of Wireless (Wi-fi) Networks
Early Wi-Fi Security (WEP): Early Wi-Fi networks used Wired Equivalent Privacy (WEP) for encryption, which was weak (a static shared key, a 24-bit initialisation vector that repeats on a busy network, and a CRC instead of a real integrity check) and was easily compromised by attackers.

Improvement with WPA: Wi-Fi Protected Access (WPA) was introduced to replace WEP, offering better security through per-packet keys (TKIP), though it too was eventually found vulnerable to attacks.

Enhanced Security with WPA2: In 2004, WPA2 was introduced, utilizing the AES encryption algorithm in CCMP mode for confidentiality and integrity, improving Wi-Fi security significantly. WPA2-Personal remains only as strong as its passphrase, which can be guessed offline from a captured handshake.

Introduction of WPA3: In 2018, WPA3 was released, adding a more secure password-based key exchange (SAE, which resists offline dictionary attacks), improved onboarding for IoT devices, and encryption for open public networks, addressing many WPA2 weaknesses.

WPA3 Vulnerabilities: Despite improvements, WPA3 implementations were found to have side-channel and downgrade vulnerabilities that could allow attackers to recover passwords, highlighting ongoing challenges in Wi-Fi security.
Protecting Networks (Firewalls)
Firewalls for Network Protection: Firewalls, either hardware or software, filter communication packets, preventing unauthorized access to networks based on security policies, thus protecting servers and clients.
Firewall Functions: Firewalls control incoming and outgoing traffic by filtering on attributes like source and destination IP address, protocol, and port number. They allow connections only from trusted sources and block untrusted ones; the safe policy is to deny everything that is not explicitly allowed.
Default Settings in Hardware Firewalls: Many hardware firewalls come with default settings that block commonly attacked ports such as TCP port 445 (SMB file sharing), which helps to reduce the risk of cyberattacks.
Packet Filters: Packet filters are a firewall method that examines each data packet to determine whether it should be allowed or blocked based on attributes like source/destination IP addresses or port information, without understanding the application data inside it.
Application Gateways: Application gateways filter communication based on the application protocol being requested rather than just the packet headers, offering greater security at the cost of potentially reducing system performance.
Next-Generation Firewalls: These firewalls use an application-centric approach, identifying applications regardless of port or protocol, decrypting TLS traffic for inspection (which requires the firewall's own CA certificate to be trusted on managed clients), and protecting in real time against embedded threats.
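A packet filter of the kind the bullets above describe, as an added example that is not from the slides. The rule semantics (first match wins, an explicit default deny at the end), the sample ruleset for a small LAN with one public web server, and the packets it is run over are this example's own; a real firewall adds connection-state tracking on top of this stateless matching.

```python
# Added example (not from the slides): a stateless packet filter with first-match rules
# and a default deny. The ruleset, addresses and packets are constructed for the demo.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    direction: str = "in"       # "in": arriving from the Internet, "out": leaving the LAN


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    name: str
    direction: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"      # CIDR
    dst: str = "0.0.0.0/0"      # CIDR
    dports: Tuple[int, ...] = ()   # empty means any port

    def matches(self, p: Packet) -> bool:
        return (
            self.direction in ("any", p.direction)
            and self.proto in ("any", p.proto)
            and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
            and (not self.dports or p.dport in self.dports)
        )


class PacketFilter:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules

    def decide(self, p: Packet) -> Tuple[str, str]:
        """First matching rule decides; anything unmatched is dropped."""
        for rule in self.rules:
            if rule.matches(p):
                return rule.action, rule.name
        return "deny", "default-deny"


LAN = "192.168.1.0/24"
WEB_SERVER = "192.168.1.10/32"


def build_example_filter() -> PacketFilter:
    return PacketFilter([
        # Traffic from the Internet claiming a LAN source address is spoofed: drop it first.
        Rule("deny", "anti-spoof", direction="in", src=LAN),
        # SMB/NetBIOS are worm favourites; block them in both directions (cf. TCP 445 above).
        Rule("deny", "block-smb", proto="tcp", dports=(139, 445)),
        # Only HTTPS to the public web server is reachable from outside.
        Rule("allow", "web", direction="in", proto="tcp", dst=WEB_SERVER, dports=(443,)),
        # LAN hosts may browse and resolve names; everything else falls to default deny.
        Rule("allow", "lan-web", direction="out", proto="tcp", src=LAN, dports=(80, 443)),
        Rule("allow", "lan-dns", direction="out", proto="udp", src=LAN, dports=(53,)),
    ])


if __name__ == "__main__":
    fw = build_example_filter()
    for pkt in [Packet("203.0.113.5", "192.168.1.10", "tcp", 443),
                Packet("203.0.113.5", "192.168.1.10", "tcp", 445),
                Packet("192.168.1.77", "192.168.1.10", "tcp", 443, "in")]:
        print(pkt, "->", fw.decide(pkt))
```

Rule order matters: the anti-spoof rule sits above every allow so that a forged internal source address can never satisfy a LAN-only permission, and the SMB block sits above the allows for the same reason.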
Proxy Servers
Proxy Servers as Gatekeepers: Proxy servers are software servers that manage all communications between internal clients and the Internet, acting as a security buffer for the organization.

Dual-Home Systems: Proxy servers are sometimes called dual-homed systems because they have two network interfaces, one on the internal network and one facing the Internet. To internal users the proxy is the gateway; to external systems it is the only address they ever see, since every outbound connection originates from it.

Request Handling: When users request web pages, the proxy server validates the request before allowing it to proceed to the Internet, thereby controlling access and filtering unwanted websites.

Restricting Direct Internet Access: By disallowing direct communication between internal clients and the Internet, proxy servers enable companies to block access to certain site categories like auction, pornographic, or stock-trading sites, and provide a single place to log every outbound request.

Web Performance Improvement: Proxy servers enhance network performance by caching frequently accessed web pages locally, reducing page load times, and they hide internal IP addresses from the outside, which makes reconnaissance of the internal network harder.
FIREWALLS AND PROXY SERVERS
Protecting Servers and Clients: Enhancing Security Through OS and Software Updates
Automatic Security Upgrades: Operating system vendors such as Microsoft (Windows), Apple (macOS, iOS) and the Linux/Unix distributions provide continuous updates to patch vulnerabilities discovered by researchers and attackers, helping to protect both servers and clients.
Automatic Patching: These updates are automatic, meaning users are informed about, or silently receive, security patches as they become available, ensuring timely protection against newly discovered threats.
Importance of Keeping Software Updated: Regular updates for both operating systems and applications (e.g., web browsers) are vital to prevent malware and keep servers and clients secure; most mass exploitation targets vulnerabilities for which a patch already exists.
Application Software Security: Similar to operating systems, application vulnerabilities are also addressed through automated software updates, reducing exposure to threats without much user intervention.
Automated Updates Not Foolproof: While automated software updates significantly enhance security, they are not completely foolproof: zero-day vulnerabilities have no patch yet, and the update mechanism is itself a trusted channel into every machine that receives it.
Software Supply Chain Attacks: Attackers increasingly target development environments and build systems to introduce malware into software that users later download as a legitimate update, making it crucial to verify that updates are signed by the vendor and fetched from authentic sources.
Anti-Virus Software
Inexpensive Protection: Anti-virus software, such as that from Malwarebytes, McAfee, and Norton, provides affordable tools to detect and remove common malicious code, protecting system integrity.

Proactive Email Scanning: Anti-virus programs can be configured to scan email attachments before they are opened, quarantining or deleting them if a known virus or worm is detected.

Regular Updates Needed: Anti-virus software must be updated frequently, often daily or even hourly, to guard against new and emerging malware; signature-based detection only recognises what has already been catalogued.

Additional Security Features: Premium anti-virus suites can also remove other security threats like bot programs and adware, and detect intruders using signature-based and behaviour-based detection methods.
Management Policies, Business Procedures, and Public Laws: Key Points

Security Spending Growth: In 2022, global spending on security hardware, software, and services is expected to reach $300 billion, representing a 15% increase from the previous year.

Technology is Not Enough: CEOs and CIOs recognize that technology alone cannot manage e-commerce security risks; effective management policies are crucial for making the technology work.

Importance of Management Policies: Proper management policies help protect against vulnerabilities, ensuring that even advanced security technologies are effectively utilized.

Role of Public Laws: Public laws and cybercrime enforcement play a significant role in increasing the cost of illegal online activities and preventing corporate misuse of data.
Security Plan: Key Management Policies

Risk Assessment: Identify and evaluate the risks and vulnerabilities for information assets. Rank these assets by their value to the company to prioritize security measures effectively.

Security Policy Development: Create a security policy that prioritizes risks, identifies acceptable risk levels, and outlines the mechanisms for addressing these risks, starting with the most critical assets.

Implementation Plan: Develop a detailed plan specifying the tools, technologies, policies, and procedures needed to meet the goals set out in the security policy.

Security Organizational Unit: Establish a dedicated unit, led by a security officer, responsible for managing security on a daily basis and ensuring the protection of information assets.

Access Control Management: Implement access controls for both internal and external users. Use firewalls, proxy servers, and login credentials to manage legitimate access to the network.
(continued)
Authentication Procedures: Use multi-factor authentication (MFA) tools, including digital signatures and PKI-based certificates, to securely verify user identities and protect sensitive information.
Biometric Authentication: Incorporate biometric devices such as fingerprint or facial recognition scans into MFA to add an extra layer of security against unauthorized access.

Security Tokens: Utilize security tokens, like RSA's SecurID, that generate a one-time code which changes every few seconds, so that a stolen password alone is not enough to gain access.

Zero Trust (ZT) Framework: Implement the Zero Trust framework to maintain strict access controls by default, not trusting any entity inside or outside the network without verifying the user, the device and the request on every access.
Authorization Policies: Define authorization policies to manage user access based on roles, restricting access to only the necessary parts of the company's infrastructure.
(continued)
Authorization Management Systems: Issue each authenticated user a session token that carries only the permissions that user has been granted, so that every request is checked against that authorization and information flows only where policy allows.

Security Audit: Regularly perform security audits by reviewing access logs and identifying unusual activity. Produce monthly reports to highlight any security issues.

Ethical Hacking: Use ethical hackers (penetration testers) to test and strengthen existing security measures, helping identify vulnerabilities and bolster defenses.

User Education and Awareness: Educate users about potential security threats and train them in best practices, contributing to overall security awareness and reducing risks.

Budget Allocation: Secure a sufficient budget to support the security team, purchase tools, and maintain the technologies needed to manage security risks effectively.
DEVELOPING AN E-COMMERCE SECURITY PLAN
The Role of Laws and Public Policy in E-commerce
Evolving Regulatory Landscape: Unlike the early days of e-commerce, the internet
is now governed by a set of laws and public policies aimed at ensuring fair and
orderly online markets.
Global Public Policy Environment: The development of internet regulations has
become increasingly global, mirroring the growth of e-commerce, with cross-border
enforcement to tackle cyberattacks effectively.
Expansion of Law Enforcement: Since 1995, the expansion of e-commerce has
prompted the development of new laws and increased law enforcement efforts to
identify, trace, and prosecute cybercriminals.
Mandatory Data Breach Disclosure: Many U.S. states require companies to disclose data breaches affecting their residents, with additional requirements for data security practices, exemplified by New York's SHIELD Act (2019).
Federal Trade Commission (FTC) Oversight: The FTC actively enforces data security practices by corporations, having brought numerous cases against companies for improper data handling between 2002 and 2021.
Legislative Measures for Cybersecurity: Laws like the Patriot Act, the Homeland Security Act, and the Cybersecurity Information Sharing Act of 2015 (CISA, not to be confused with the federal agency of the same acronym) have expanded government surveillance capabilities, enhanced cybersecurity, and encouraged private sector sharing of threat information.
Private and Private-Public Cooperation Efforts in E-commerce Security
US-CERT's Role: The United States Computer Emergency Readiness Team (US-CERT), under the Department of Homeland Security, coordinates cyber incident warnings and responses across both government and private sectors, strengthening e-commerce security. Since 2018 these functions have been carried out within DHS's Cybersecurity and Infrastructure Security Agency.

Federal Cybersecurity Oversight: The Office of Cybersecurity and Communications (CS&C) oversaw the resilience and security of the U.S.'s cyber infrastructure, while the National Cybersecurity and Communications Integration Center (NCCIC) monitors cyber incidents 24/7; both now sit within the same agency.

CERT Coordination Center at Carnegie Mellon: The CERT Coordination Center (CERT/CC), part of Carnegie Mellon University's Software Engineering Institute, tracks criminal online activities and assists private corporations and government agencies in identifying, tracing, and mitigating cyberattacks; it also coordinates vulnerability disclosure between researchers and vendors.

Expert Assistance and Public Communication: CERT comprises computer experts who help organizations trace the origins of cyberattacks, identify security issues, and develop solutions, while also communicating with the public about attacker threats.

Public Training and Knowledge Enhancement: CERT offers product assessments, reports, and training to increase public awareness of cybersecurity threats and improve understanding of effective security measures and solutions.
E-Commerce Payment Systems
Adaptation of Traditional Payment Methods: Traditional payment mechanisms,
including cash, credit cards, debit cards, and stored value accounts, have been adapted
to online use but face limitations, prompting the need for alternative payment solutions.

Emergence of New Payment Systems: The rise of mobile platforms and new
purchasing relationships among individuals has driven the development of new e-
commerce payment systems, meeting emerging consumer needs.

Market Growth and Competition: The U.S. online payment market exceeded $1
trillion in 2022, with increased demand driven by the pandemic. Payment processors,
such as banking and credit card firms, earn significant revenues through transaction
fees, fueling competition.
Credit and Debit Cards Remain Dominant: Credit and debit cards are still the
primary payment methods for online transactions in the U.S., despite the availability of
alternative systems, which rely on traditional banking institutions for managing funds
and providing credit.
Rise of Mobile Wallet Apps: Mobile wallet apps, such as PayPal, have become the
fastest-growing form of alternative payment systems, with around 41% of U.S.
smartphone users utilizing these apps for payments in 2022, reflecting a significant
trend towards mobile-based transactions.
MAJOR TRENDS IN E-COMMERCE PAYMENTS 2022–2023

Dominance of Credit and Debit Cards: Credit and debit cards continue to be the leading forms of payment for online transactions.

Pandemic-Driven Growth: The Covid-19 pandemic significantly increased the volume of online payments, accelerating the adoption of digital payment methods.

Rise of Mobile Payments and Apps: Mobile retail payments have surged, with major tech companies like Apple and Google expanding their mobile payment app offerings, and services like PayPal maintaining popularity.

Emergence of BNPL and P2P Systems: Buy Now Pay Later (BNPL) services are growing in popularity, while peer-to-peer (P2P) systems such as Venmo, Zelle, and Square Cash (now Cash App) are becoming mainstream.

Cryptocurrency Interest: Despite price volatility and security concerns, interest in cryptocurrencies like Bitcoin has increased, highlighting their potential role in future payment ecosystems.
Online Credit Card Transactions

Dominant Payment Method: Credit and debit cards are the primary forms of online payment, and online transactions work similarly to in-store transactions but without the physical card being present or a signature.
Card Not Present (CNP) Transactions: Online transactions are considered CNP, making them more prone to disputes and chargebacks since merchants do not see the card or obtain a signed payment agreement; liability for CNP fraud generally falls on the merchant.
Parties Involved in Transactions: Five parties are involved in online credit card purchases: consumer, merchant, clearinghouse (payment processor), merchant bank (acquirer), and card-issuing bank (issuer).
Merchant Account Requirement: Online merchants need a merchant account with an acquiring bank to process credit card payments and receive funds from transactions.
Transaction Process: The card details travel from the shopper's browser to the merchant (or directly to the payment gateway) over a TLS-protected connection; the processor forwards an authorization request through the card network to the issuing bank, which approves or declines it, and the approved amount is later cleared and settled into the merchant's account.
HOW AN ONLINE CREDIT CARD TRANSACTION WORKS
How Credit Card Processing Works -
Transaction Cycle & 2 Pricing Models

https://www.youtube.com/watch?v=avRkRuQsZ6M
Credit Card E-commerce Enablers
Two-Step Process: Securing a merchant account is just the first step; merchants also need software to handle online transactions, often provided by payment gateways.
Payment Service Providers: Providers like Authorize.net, Cybersource, Stripe, and Square help merchants secure accounts and process transactions through a "payment gateway."
Transaction Routing: Payment gateways collect transaction information from merchants and route it to the appropriate bank to obtain the issuer's authorization; if the gateway collects the card number directly in the shopper's browser, the merchant's own servers never handle it, which sharply reduces the merchant's compliance scope.
PCI DSS Compliance: The Payment Card Industry Data Security Standard (PCI DSS) is mandated contractually by the card brands through acquiring banks, not by law, and merchants must meet it to accept card payments. It governs how card data is stored (rendered unreadable, and never the full magnetic stripe or security code after authorization), transmitted (encrypted over public networks) and displayed (masked).
Compliance Levels: PCI DSS has several merchant levels, set by the number of card transactions processed annually, and non-compliance can result in fines and in the breached merchant bearing the costs of forensics and card reissue.
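The card-number handling checks a merchant application needs before a PAN reaches a screen or a log, as an added example that is not from the slides. The Luhn check is the standard mod-10 algorithm and the first-six/last-four mask is the most PCI DSS allows when a PAN is displayed; the log-redaction regex, the keyed-reference helper, the test card numbers (the well-known test PANs) and the sample log lines are this example's own.

```python
# Added example (not from the slides): PAN validation, masking, keyed references and
# log redaction. The regex, reference helper and sample lines are this example's own.
import hashlib
import hmac
import re


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check over 13 to 19 digits (spaces and hyphens tolerated).
    It catches typos, not fraud: anyone can generate Luhn-valid numbers."""
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form allowed by PCI DSS: at most the first six and last four digits."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_reference(pan: str, key: bytes) -> str:
    """A stable lookup reference that is not the PAN: a keyed hash. A plain SHA-256 is
    reversible by brute force over the roughly 10^15 possible PANs; the key must live
    only inside the cardholder-data environment."""
    digits = re.sub(r"\D", "", pan)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()[:24]


# 13-19 digit runs, optionally split by single spaces or hyphens (not dots, so IPs are spared)
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def redact_log_line(line: str) -> str:
    """Replace every Luhn-valid card number in a log line by its masked form before the
    line is written; unmasked PANs in logs are a PCI DSS finding and a breach multiplier."""
    def repl(m):
        cand = m.group(0)
        return mask_pan(cand) if luhn_valid(cand) else cand
    return PAN_CANDIDATE.sub(repl, line)


if __name__ == "__main__":
    print(redact_log_line("order 42 paid with 4111 1111 1111 1111 from 203.0.113.5"))
```

Redacting logs is a safety net, not the design: the cleanest way to satisfy the standard is for the card number never to reach the merchant's servers at all, by letting the gateway capture it in the browser and returning a token the merchant stores instead.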
Limitations of Online Credit Card Payment Systems

Security Concerns: Poor security for both merchants and consumers; potential fraud from criminal organizations and stolen cards.

Merchant Risk: High risk for merchants as consumers can repudiate charges even after receiving goods or downloading digital products.

High Administrative Costs: Merchants face significant administrative and transaction costs to set up and maintain credit card payment systems.

Card-Not-Present (CNP) Fraud: EMV cards have reduced in-store fraud, but CNP fraud remains a growing issue in online transactions.

Limited Access: Credit cards are not accessible to everyone; millions of young adults and low-income individuals lack access to credit cards.
Alternative Online Payment Systems

PayPal: A leading online stored value payment system available in over 200 countries. Users can make payments using linked bank accounts or credit/debit cards without sharing their card details with the merchant. It remains dominant with 425 million active consumer users but has relatively high fees (1.9% to 3.49% plus a fixed fee).
Amazon Pay: Enables consumers to make purchases on non-Amazon websites using payment methods stored in their Amazon accounts, aimed at those wary of sharing credit card information with unfamiliar retailers.

Meta Pay (formerly Facebook Pay): Allows users to transfer money directly from banks and credit cards for purchases or peer-to-peer transactions, saving payment information for future use.

Visa Checkout & Mastercard MasterPass: Substituted a user's name and password for actual payment card numbers during checkout but never reached PayPal's usage level; both have since been folded into the card networks' shared Click to Pay scheme.

Buy Now Pay Later (BNPL): Allows purchases in installments, with payment volume rising from $6.5 billion in 2019 to over $75 billion in 2022. Klarna and Afterpay are popular providers, serving millions of users in the U.S.
Mobile Payment Systems
Definition: Mobile payments involve using a mobile device for
payments, including online, in-store, and peer-to-peer (P2P) transactions.
Mobile wallets are smartphone apps storing debit cards, coupons, and
other payment means.

Types of Mobile Wallets:
1. Universal Proximity Wallets: Apps like Apple Pay, Google Pay, and Samsung Pay that work across various merchants, supporting NFC technology.
2. Branded Store Proximity Wallets: Apps like Walmart Pay, Target Pay, and Starbucks Pay, which work only at specific merchants. These apps use QR code technology for payments.
3. P2P Apps: Apps such as Venmo, Zelle, and Square Cash, used for direct payments between individuals with the same app. These are popular, with around 150 million users in the U.S. in 2022.
Mobile Payment Systems
Usage Trends: Mobile proximity apps processed $415 billion in the U.S. in 2022, with P2P mobile payment transaction value reaching almost $1.1 trillion. While mobile payments are the fastest-growing payment form, they still represent a small portion of the overall U.S. payment market.

NFC and QR Technologies:
NFC (Near Field Communication): Used for universal wallets like Apple Pay and Google Pay; requires close proximity for data exchange.
QR Codes: Used by branded wallets like Walmart Pay and Starbucks Pay; involve scanning a generated QR code to complete payments.

Payment Market Insights: Despite the growth in mobile payments, credit and debit cards remain dominant in the U.S. market. Branded store payment apps are seeing faster growth in adoption compared to universal wallets like Apple Pay.
MOBILE WALLET APP ADOPTION
Blockchain and Cryptocurrencies
Definition: Blockchain is a technology that allows organizations to create and verify transactions on a distributed network without needing a central authority; confirmation takes seconds to minutes depending on the network's consensus rule.

Traditional vs. Blockchain:

Traditional Transaction Processing: Organizations maintain their own databases to record and track transactions like orders, payments, and shipping. This creates a linear record of information for each order, and each party must trust the other's records.
Blockchain System: Instead of using a central database, blockchain is distributed and operates on a peer-to-peer (P2P) computer network. It maintains a shared, continuously growing list of records called blocks, and every participating node holds a full copy.
Structure and Process:
-Blocks: Each block contains data, a timestamp, and the cryptographic hash of the previous block. Blocks are added to create a chain that tracks the entire transaction process.
-Distributed Ledger: Blockchain uses a distributed ledger that is decentralized, with no centralized database. This ensures that every participant has a copy of the current chain.
-Immutability: Because every block carries its predecessor's hash, altering one block changes its hash and breaks the link in every block after it, so a tampered copy is immediately detectable. Rewriting history therefore means redoing the work for all later blocks and getting the rest of the network to accept the rewritten chain, which the consensus rule is designed to make impractical.
Verification and Security: Participants in the network run the consensus algorithm to evaluate and verify transactions. Cryptographic methods (hashes and digital signatures) secure records, and confirmed changes propagate across the blockchain within seconds or minutes.
Benefits: Blockchain eliminates the need for central authorities, provides transparency, and enhances data integrity through cryptographic protection and decentralization; it does not by itself make the data confidential, since every node can read the ledger.
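The hash-linked ledger described above, as an added example that is not from the slides: blocks carry the hash of their predecessor, a toy proof of work makes each block cost something to produce, and `verify` reports the first block whose hash or backward link no longer holds. The block layout, the difficulty target and the sample payments are this example's own; a real network adds signed transactions, peer-to-peer propagation and a consensus rule for choosing between competing chains.

```python
# Added example (not from the slides): a hash-linked chain with a toy proof of work.
# Block layout, difficulty and the sample payments are this example's own.
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple


def block_hash(index: int, timestamp: float, data: dict, prev_hash: str, nonce: int) -> str:
    """SHA-256 over a canonical serialisation of every field, including the backward link."""
    payload = json.dumps([index, timestamp, data, prev_hash, nonce],
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


@dataclass
class Block:
    index: int
    timestamp: float
    data: dict
    prev_hash: str
    nonce: int = 0
    hash: str = ""


class Chain:
    def __init__(self, difficulty: int = 2) -> None:
        self.difficulty = difficulty            # required leading zero hex digits
        self.blocks: List[Block] = [self._mine(Block(0, 0.0, {"genesis": True}, "0" * 64))]

    def _mine(self, block: Block) -> Block:
        """Search for a nonce whose hash meets the target (toy proof of work)."""
        target = "0" * self.difficulty
        while True:
            h = block_hash(block.index, block.timestamp, block.data, block.prev_hash, block.nonce)
            if h.startswith(target):
                block.hash = h
                return block
            block.nonce += 1

    def add(self, data: dict, timestamp: float) -> Block:
        prev = self.blocks[-1]
        self.blocks.append(self._mine(Block(prev.index + 1, timestamp, data, prev.hash)))
        return self.blocks[-1]

    def verify(self) -> Tuple[bool, Optional[int]]:
        """(True, None) if every block's hash is correct, meets the target and links to
        its predecessor; otherwise (False, index of the first block that fails)."""
        target = "0" * self.difficulty
        for i, b in enumerate(self.blocks):
            recomputed = block_hash(b.index, b.timestamp, b.data, b.prev_hash, b.nonce)
            if b.hash != recomputed or not b.hash.startswith(target):
                return False, i
            if i > 0 and b.prev_hash != self.blocks[i - 1].hash:
                return False, i
        return True, None

    def remine_from(self, start: int) -> None:
        """What an attacker must do after editing block `start`: redo the proof of work
        for it and every later block. Only the other nodes holding the honest chain, and
        the consensus rule, stop this rewritten copy from being accepted."""
        for i in range(start, len(self.blocks)):
            if i > 0:
                self.blocks[i].prev_hash = self.blocks[i - 1].hash
            self._mine(self.blocks[i])


if __name__ == "__main__":
    chain = Chain()
    chain.add({"from": "alice", "to": "bob", "amount": 5}, 1.0)
    chain.add({"from": "bob", "to": "carol", "amount": 2}, 2.0)
    print("honest chain:", chain.verify())
    chain.blocks[1].data["amount"] = 500          # tamper with a recorded payment
    print("after tamper:", chain.verify())
```

The last method is the important lesson: hashing alone makes tampering detectable, not impossible. A single node can always rewrite its own copy; the ledger's integrity rests on the cost of redoing the work and on the other participants refusing a chain that disagrees with theirs.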
HOW BLOCKCHAIN WORKS
https://www.youtube.com/watch?v=yubzJw0uiE4
