E-commerce Security and Payment Systems


  • 7/23/2019 E-commerce Security and Payment Systems

    E-COMMERCE SECURITY AND PAYMENT SYSTEMS

    BY PUTERI SYAHEERA BINTI JAAFAR

    ATIQAH AQILAH BINTI AHMAD MUFIT

    NURUL AMIERA SYUHADA BINTI RAZALI


    4.3: TECHNOLOGY SOLUTIONS

    Protecting Internet Communications

    ENCRYPTION: The process of transforming plain text or data into cipher text that cannot be read by anyone other than the sender and the receiver

    Purpose:

    * To secure stored information
    * To secure information transmission

    In a substitution cipher, every occurrence of a given letter is replaced systematically by

    In a transposition cipher, the ordering of the letters in each word is changed in some systematic


    a) Symmetric Key Encryption

    The sender and receiver use the same key to encrypt and decrypt the message

    The possibilities for simple substitution & transposition ciphers are endless

    In the digital age, computers are so powerful and fast that these ancient means of encryption can be broken quickly

    Symmetric key encryption requires that both parties share the same key

    In commercial use, where we are not all part of the same team, you would need a secret key for each of the parties with whom you transact

    The Data Encryption Standard (DES)

    * Developed by the National Security Agency (NSA) and IBM
    * Uses a 56-bit encryption key

    Advanced Encryption Standard (AES)

    * Most widely used symmetric key encryption algorithm
    * Offering 128-, 192- and 256-bit keys


    b) Public Key Encryption / Public Key Cryptography

    Public Key Encryption Using Digital Signatures and Hash Digest

    Digital Signature

    * Signed cipher text that can be sent over the Internet
    * A close parallel to a handwritten signature
    * Even more unique than a handwritten signature
    * Unique to the document and changes for every document

    Hash Function

    * An algorithm that produces a fixed-length number called a hash or message digest
    * Function can be simple: count the number of digital 1s in a message
    * It can be more complex: produce a 128-bit number that reflects the number of 0s and 1s
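
The slide's contrast between a simple hash (counting 1 bits) and a more complex fixed-length digest, worked through as an added example that is not part of the original slides. The sample message and all function names are constructed for illustration, and SHA-256 is an assumed stand-in for the "more complex" function, since the slide names no algorithm.

```python
import hashlib

DIGITS = b"0123456789"

def count_ones_hash(message: bytes) -> int:
    """The slide's 'simple' hash: count the 1 bits in the message."""
    return sum(bin(byte).count("1") for byte in message)

def sha256_hash(message: bytes) -> str:
    """A cryptographic digest: fixed length regardless of input size."""
    return hashlib.sha256(message).hexdigest()

def tamper_detected(original: bytes, received: bytes, hash_fn) -> bool:
    """The receiver recomputes the digest and compares it with the sender's."""
    return hash_fn(original) != hash_fn(received)

def missed_digit_edits(message: bytes, hash_fn) -> list:
    """Every single-digit substitution that leaves the digest unchanged,
    i.e. every such change an integrity check built on hash_fn would miss."""
    missed = []
    for i, byte in enumerate(message):
        if byte not in DIGITS:
            continue
        for digit in DIGITS:
            if digit == byte:
                continue
            candidate = message[:i] + bytes([digit]) + message[i + 1:]
            if not tamper_detected(message, candidate, hash_fn):
                missed.append(candidate)
    return missed

# Constructed sample message (not from the slides).
ORDER = b"PAY 100 TO ACCOUNT 7731"

if __name__ == "__main__":
    weak = missed_digit_edits(ORDER, count_ones_hash)
    strong = missed_digit_edits(ORDER, sha256_hash)
    print("edits missed by the bit-count hash:", len(weak))
    for candidate in weak:
        print("   ", candidate.decode())
    print("edits missed by SHA-256:", len(strong))
    print("SHA-256 digest length in bits:", len(sha256_hash(ORDER)) * 4)
```

The ASCII digits 1, 2, 4 and 8 all contain three 1 bits, so the bit-count hash cannot tell "100" from "800"; this is why a digest used for message integrity or signatures has to depend on every bit's position, not just the totals.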

    d) Digital Envelopes

    A technique that uses symmetric encryption for large documents, but public key encryption to encrypt and send the symmetric key

    e) Digital Certificates and Public Key Infrastructure (PKI)

    Digital Certificate    PKI    P

    Limitations to Encryption Solutions

    * There is no guarantee the verifying computer of the merchant is secure
    * CAs are self-selected organizations


    PUBLIC AND PRIVATE KEY IN ENCRYPTION

    SECURING CHANNELS OF COMMUNICATION

    1. Secure Sockets Layer (SSL) and Transport Layer Security (TLS)

    Secure negotiated session

    A client-server session in which the URL of the requested document, along with the contents, contents of forms, and the cookies exchanged, are encrypted.

    Session Key

    A unique symmetric encryption key chosen just for this single secure session

    SSL/TLS provides data encryption, server authentication, optional client authentication, and message integrity for TCP/IP connections

    * Protects the integrity of the messages exchanged
    * Cannot provide irrefutability

    Virtual Private Networks (VPNs)

    * Allows remote users to securely access a corporation's local area network via the Internet, using a variety of VPN protocols
    * Uses authentication and encryption to secure information from unauthorized

    PROTECTING NETWORKS

    1. Firewalls

    Refers to either hardware or software that filters communication packets and prevents some packets from entering the network based on a security policy

    Controls traffic to and from servers and clients:

    * Forbidding communication from untrustworthy sources
    * Allowing other communications from trusted sources to proceed

    Can filter traffic based on packet attributes

    2 major methods of firewalls:

    * Packet filters
    * Application gateways

    2. Proxy Servers

    Software server that handles all communications originating from or being sent to the Internet

    Called dual-home systems because they have two network interfaces:

    * To internal computers: known as the gateway
    * To external computers: known as a mail server or numeric address

    Intrusion Detection and Prevention Systems

    Intrusion detection system (IDS): Examines network traffic, watching to see if it matches certain patterns or preconfigured rules indicative of an attack

    Intrusion prevention system (IPS): Has all the functionality of an IDS, with the additional ability to take steps to prevent suspicious activities

    PROTECTING SERVERS AND CLIENTS

    1. Operating System Security Enhancements

    * To take advantage of automatic computer security upgrades
    * Users can easily download these security upgrades for free
    * Prevent by simply keeping server and client operating systems and applications up to date

    2. Anti-Virus Software

    * Easiest and least-expensive way to prevent threats to system integrity is to install anti-virus software
    * Anti-virus programs can be set up so that e-mail attachments are inspected before you click on them

    4.4: MANAGEMENT POLICIES, BUSINESS PROCEDURES, AND PUBLIC LAWS

    Worldwide, in 2013, companies are expected to spend over $65 billion on security hardware, software and services

    Security plan: Management Policies

    To minimize

    Figure 4.12 DEVELOPING AN E-COMMERCE SECURITY PLAN

    A security plan begins with:

    1. Risk assessment: an assessment of the risks and points of vulnerability

    First step: to inventory the information and knowledge assets of the e-commerce site and company.

    Example of information risk: customer information, proprietary designs, business activities, secret processes and other internal information.

    2. Security policy: a set of statements prioritizing the information risks, identifying acceptable risk targets and identifying the mechanisms for achieving these targets.

    Second step: Determined to be the highest priority in the risk assessment.

    Example risk assessment: Who generates and controls information in this firm? What existing security
    and etc.

    3. Implementation plan: The steps you will take to achieve the security plan goals

    Third step: Determine how to translate the levels of acceptable risk into a set of tools, technologies, policies, and procedures.

    Need an organizational unit in charge of security and a security officer

    The security organization educates and trains users, keeps management aware of security threats and breakdowns, and maintains the tools chosen to implement security.

    Access controls determine which outsiders and insiders can gain legitimate access to networks.

    * Outsider: access controls (firewalls and proxy servers)
    * Insider: login procedures (usernames, passwords, and access codes)

    Authentication procedures: use of digital signatures, certificates of authority.

    Biometric devices: verify physical attributes associated with an individual, such as a fingerprint or retina (eye) scan or speech recognition system.

    Security tokens are physical devices or software that generate an identifier that can be used in addition to or in place of a password

    Authorization policies: differing levels of access to information assets

    Authorization management systems: when a user is permitted to access certain parts of a website

    5. Security audit: the routine review of the access logs (identifying how outsiders are using the site)

    Monthly report should be produced
    the patterns.

    Many small firms have sprung up in recent years to provide these services to large corporate sites.

    THE ROLE OF LAWS AND PUBLIC POLICIES

    * Voluntary and private efforts have played a very large role in identifying criminal hackers and assisting law enforcement.
    * Majority of states now require companies maintain personal data on their residents
    * By increasing the punishment of cybercrimes, the U.S. government creates a deterrent to further hacker action
    * By making such actions federal crimes, the government is able to extradite international hackers and prosecute them within the U.S.

    Table 4.5 U.S. E-COMMERCE SECURITY LEGISLATION


    EFFORTS

    Several organizations, some private and some public, are devoted to tracking down criminal organizations and individual attacks against the Internet

    Private organization: CERT Coordination Center at Carnegie Mellon University

    * CERT monitors and tracks online criminal activity
    * Assists organizations in identifying

    GOVERNMENT POLICIES AND CONTROLS ON ENCRYPTION SOFTWARE

    In the United States, both Congress and the executive branch have sought to regulate the uses of encryption and to restrict availability and export of encryption systems as a means of preventing crime and terrorism

    Four organizations have influenced the international traffic in encryption software

    BY PUTERI, AMIERA, ATIQAH

    E-COMMERCE SECURITY AND PAYMENT SYSTEMS

    4.3: TECHNOLOGY SOLUTIONS

    4.4: MANAGEMENT POLICIES, BUSINESS PROCEDURES, AND PUBLIC LAWS

    QUESTIONS

    1. List ! key dimensions of e-commerce security

    2. Explain what a firewall is in protecting a network

    3. List out the steps of developing an e-commerce security plan.

    ANSWERS

    1. ! key dimensions of e-commerce security:

    * Message integrity
    * Nonrepudiation
    * Authentication
    * Confidentiality

    2. Firewall in protecting network:

    * Controls traffic to and from servers and clients
    * Forbidding communication from untrustworthy sources

    3. Steps of developing an e-commerce security plan:

    * Perform a risk assessment
    * Develop a security policy
    * Develop an implementation plan
    * Create a security organization
    * Perform a security audit

    BY PUTERI, ATIQAH, AMIERA