E-commerce Technologies

Copyright 2009 Pearson Education, Inc. Publishing as Prentice HallCopyright 2009 Pearson Education, Inc.Slide 5-*E-commerce Kenneth C. LaudonCarol Guercio Traver

business. technology. society.Fifth Edition

Copyright 2009 Pearson Education, Inc. Publishing as Prentice Hall

Copyright 2009 Pearson Education, Inc. Publishing as Prentice HallCyberwar Becomes a RealityClass DiscussionWhat is a DDoS attack? Why did it prove to be so effective against Estonia? What are botnets? Why are they used in DDoS attacks?What percentage of computers belong to botnets? What percentage of spam is sent by botnets?Can anything be done to stop DDoS attacks?Slide 5-*


Copyright 2009 Pearson Education, Inc. Publishing as Prentice HallThe E-commerce Security Environment: The Scope of the ProblemOverall size of cybercrime unclear; amount of losses significant but stable; individuals face new risks of fraud that may involve substantial uninsured lossesSymantec: Cybercrime on the rise from 2007IC3: Processed 200,000+ Internet crime complaints2007 CSI survey: 46% respondent firms detected security breach in last yearUnderground economy marketplace that offers sales of stolen information growing

Slide 5-*


Copyright 2009 Pearson Education, Inc. Publishing as Prentice HallWhat Is Good E-commerce Security?To achieve highest degree of securityNew technologiesOrganizational policies and proceduresIndustry standards and government lawsOther factorsTime value of moneyCost of security vs. potential lossSecurity often breaks at weakest link

Slide 5-*


Copyright 2009 Pearson Education, Inc. Publishing as Prentice HallThe Tension Between Security and Other ValuesSecurity vs. ease of use:The more security measures added, the more difficult a site is to use, and the slower it becomesSecurity vs. desire of individuals to act anonymouslyUse of technology by criminals to plan crimes or threaten nation-stateSlide 5-*


Copyright 2009 Pearson Education, Inc. Publishing as Prentice HallMost Common Security Threats in the E-commerce EnvironmentMalicious code (viruses, worms, Trojans)Unwanted programs (spyware, browser parasites)Phishing/identity theftHacking and cybervandalismCredit card fraud/theftSpoofing (pharming)/spam (junk) Web sitesDoS and DDoS attacksSniffingInsider attacksPoorly designed server and client software

Slide 5-*


Copyright 2009 Pearson Education, Inc. Publishing as Prentice HallMalicious CodeViruses: Replicate and spread to other files; most deliver payload (destructive or benign)Macro viruses, file-infecting viruses, script virusesWorms: Designed to spread from computer to computerTrojan horse: Appears benign, but does something other than expectedBots: Covertly installed on computer; respond to external commands sent by attackerSlide 5-*


Copyright 2009 Pearson Education, Inc. Publishing as Prentice HallUnwanted ProgramsInstalled without users informed consentBrowser parasitesCan monitor and change settings of a users browserAdwareCalls for unwanted pop-up adsSpywareCan be used to obtain information, such as a users keystrokes, e-mail, IMs, etc.Slide 5-*


Copyright 2009 Pearson Education, Inc. Publishing as Prentice HallPhishing and Identity TheftAny deceptive, online attempt by a third party to obtain confidential information for financial gain, e.g.E-mail scam letter most popular phishing attackSpoofing legitimate financial institutions Web siteUse information to commit fraudulent acts (access checking accounts), steal identityOne of fastest growing forms of e-commerce crimeSlide 5-*


Copyright 2009 Pearson Education, Inc. Publishing as Prentice HallHacking and CybervandalismHacker: Individual who intends to gain unauthorized access to computer systemsCracker: Hacker with criminal intentCybervandalism: Intentionally disrupting, defacing, destroying Web siteTypes of hackersWhite hatsBlack hatsGrey hatsSlide 5-*


Copyright 2009 Pearson Education, Inc. Publishing as Prentice HallCredit Card FraudFear of stolen credit card information deters online purchasesHackers target credit card files and other customer information files on merchant servers; use stolen data to establish credit under false identityOnline companies at higher risk than offlineIn development: New identity verification mechanismsSlide 5-*


Copyright 2009 Pearson Education, Inc. Publishing as Prentice HallSpoofing (Pharming) and Spam (Junk) Web SitesSpoofing (Pharming)Misrepresenting oneself by using fake e-mail addresses or masquerading as someone elseThreatens integrity of site; authenticitySpam (Junk) Web sitesUse domain names similar to legitimate one, redirect traffic to spammer-redirection domainsSlide 5-*


Copyright 2009 Pearson Education, Inc. Publishing as Prentice HallDoS and DDoS AttacksDenial of service (DoS) attackHackers flood Web site with useless traffic to inundate and overwhelm networkDistributed denial of service (DDoS) attackHackers use multiple computers to attack target network from numerous launch points

Slide 5-*


Copyright 2009 Pearson Education, Inc. Publishing as Prentice HallOther Security ThreatsSniffing: Eavesdropping program that monitors information traveling over a network; enables hackers to steal proprietary information from anywhere on a networkInsider jobsSingle largest financial threatPoorly designed server and client softwareIncrease in complexity of software programs has contributed to increase in vulnerabilities that hackers can exploitSlide 5-*


Copyright 2009 Pearson Education, Inc. Publishing as Prentice HallTechnology SolutionsProtecting Internet communications (encryption)Securing channels of communication (SSL, S-HTTP, VPNs)Protecting networks (firewalls)Protecting servers and clients

Slide 5-*


Copyright 2009 Pearson Education, Inc. Publishing as Prentice HallProtecting Internet Communications: EncryptionEncryptionTransforming plain text, data into cipher text that cant be read by anyone other than sender and receiverSecures stored information and information transmissionProvides: Message integrityNonrepudiationAuthenticationConfidentialitySlide 5-*


Copyright 2009 Pearson Education, Inc. Publishing as Prentice HallSymmetric Key EncryptionAlso known as secret key encryptionBoth sender and receiver use same digital key to encrypt and decrypt messageRequires different set of keys for each transactionAdvanced Encryption Standard (AES)Most widely used symmetric key encryptionUses 128-, 192-, and 256-bit encryption keysOther standards use keys with up to 2,048 bitsSlide 5-*


Copyright 2009 Pearson Education, Inc. Publishing as Prentice HallPublic Key EncryptionUses two mathematically related digital keys Public key (widely disseminated) Private key (kept secret by owner)Both keys used to encrypt and decrypt messageOnce key used to encrypt message, same key cannot be used to decrypt messageSender uses recipients public key to encrypt message; recipient uses his/her private key to decrypt it

Slide 5-*


Copyright 2009 Pearson Education, Inc. Publishing as Prentice HallPublic Key Encryption using Digital Signatures and Hash DigestsHash function:Mathematical algorithm that produces fixed-length number called message or hash digestHash digest of message sent to recipient along with message to verify integrityHash digest and message encrypted with recipients public keyEntire cipher text then encrypted with recipients private key creating digital signature for authenticity, nonrepudiation

Slide 5-*


Copyright 2009 Pearson Education, Inc. Publishing as Prentice HallDigital EnvelopesAddresses weaknesses of public key encryption (computationally slow, decreases transmission speed, increases processing time) and symmetric key encryption (faster, but less secure)Uses symmetric key encryption to encrypt document but public key encryption to encrypt and send symmetric key

Slide 5-*


Copyright 2009 Pearson Education, Inc. Publishing as Prentice HallDigital Certificates and Public Key Infrastructure (PKI)Digital certificate includes:Name of subject/companySubjects public keyDigital certificate serial numberExpiration date, issuance dateDigital signature of certification authority (trusted third party institution) that issues certificateOther identifying informationPublic Key Infrastructure (PKI): CAs and digital certificate procedures that are accepted by all partiesSlide 5-*


Copyright 2009 Pearson Education, Inc. Publishing as Prentice HallLimits to Encryption SolutionsPKI applies mainly to protecting messages in transitPKI is not effective against insidersProtection of private keys by individuals may be haphazardNo guarantee that verifying computer of merchant is secureCAs are unregulated, self-selecting organizations

Slide 5-*


Copyright 2009 Pearson Education, Inc. Publishing as Prentice HallInsight on SocietyIn Pursuit of E-mail PrivacyClass DiscussionWhat are some of the current risks and problems with using e-mail?What are some of the technology solutions that have been developed?Are these solutions compatible with modern law?Consider the benefits of a thorough business record retention policy. Do you agree that these benefits are worth giving up some control of your e-mail?

Slide 5-*


Copyright 2009 Pearson Education, Inc. Publishing as Prentice HallSecuring Channels of CommunicationSecure Sockets Layer (SSL): Establishes a secure, negotiated client-server session in which URL of requested document, along with contents, is encryptedS-HTTP: Provides a secure message-oriented communications protocol designed for use in conjunction with HTTPVirtual Private Network (VPN): Allows remote users to securely access internal network via the Internet, using Point-to-Point Tunneling Protocol (PPTP)Slide 5-*


Copyright 2009 Pearson Education, Inc. Publishing as Prentice HallProtecting NetworksFirewallHardware or software that filters packetsPrevents some packets from entering the network based on security policyTwo main methods:Packet filtersApplication gatewaysProxy servers (proxies)Software servers that handle all communications originating from or being sent to the InternetSlide 5-*


Copyright 2009 Pearson Education, Inc. Publishing as Prentice HallProtecting Servers and ClientsOperating system controls: Authentication and access control mechanismsAnti-virus software: Easiest and least expensive way to prevent threats to system integrityRequires daily updatesSlide 5-*


Copyright 2009 Pearson Education, Inc. Publishing as Prentice HallManagement Policies, Business Procedures, and Public LawsU.S. firms and organizations spend 10% of IT budget on security hardware, software, servicesAttacks against organizational computers downAttacks against Web sites, individual records upTechnology a foundation of securityEffective management policies also requiredSlide 5-*


Copyright 2009 Pearson Education, Inc. Publishing as Prentice HallA Security Plan: Management PoliciesRisk assessmentSecurity policyImplementation planSecurity organizationAccess controlsAuthentication proceduresBiometricsAuthorization policiesAuthorization management systemsSecurity audit

Slide 5-*


Copyright 2009 Pearson Education, Inc. Publishing as Prentice HallInsight on TechnologySecuring Your Information: Cleversafe Hippie StorageClass DiscussionWhat is LOCKSS? What are the advantages and disadvantages to LOCKSS?How is Cleversafes storage method different? How does it work?Why is it accurate to say that Cleversafes method is green or hippie storage?Slide 5-*


Copyright 2009 Pearson Education, Inc. Publishing as Prentice HallThe Role of Laws and Public PolicyNew laws have given authorities tools and mechanisms for identifying, tracing, prosecuting cybercriminalsNational Information Infrastructure Protection Act of 1996: created National Infrastructure Protection CenterUSA Patriot ActHomeland Security ActCERT Coordination Center private groupGovernment policies and controls on encryption softwareOECD guidelinesSlide 5-*


Copyright 2009 Pearson Education, Inc. Publishing as Prentice HallCashLegal tenderMost common form of payment in terms of number of transactionsInstantly convertible into other forms of value without intermediationPortable, requires no authenticationFree (no transaction fee), anonymous, low cognitive demandsLimitations: easily stolen, limited to smaller transaction, does not provide any floatSlide 5-*


Copyright 2009 Pearson Education, Inc. Publishing as Prentice HallChecking TransferFunds transferred directly via signed draft/check from a consumers checking account to merchant/ other individualMost common form of payment in terms of amount spentCan be used for small and large transactionsSome floatNot anonymous, requires third-party intervention (banks)Introduces security risks for merchants (forgeries, stopped payments), so authentication typically requiredSlide 5-*


Copyright 2009 Pearson Education, Inc. Publishing as Prentice HallCredit CardRepresents account that extends credit to consumers; allows consumers to make payments to multiple vendors at one timeCredit card associations: Nonprofit associations (Visa, MasterCard) that set standards for issuing banks Issuing banks: Issue cards and process transactionsProcessing centers (clearinghouses): Handle verification of accounts and balances

Slide 5-*


Copyright 2009 Pearson Education, Inc. Publishing as Prentice HallStored ValueAccounts created by depositing funds into an account and from which funds are paid out or withdrawn as neededExamples: Debit cards, gift certificates, prepaid cards, smart cardsPeer-to-peer payment systemsVariation on stored value systemse.g. PayPalSlide 5-*


Copyright 2009 Pearson Education, Inc. Publishing as Prentice HallAccumulating BalanceAccounts that accumulate expenditures and to which consumers make period paymentsExamples: Utility, phone, American Express accountsEvaluating payment systems:Different stakeholders (consumers, merchants, financial intermediaries, government regulators) have different priorities in payment system dimensions (refutability, risk, anonymity, etc.)Slide 5-*


Copyright 2009 Pearson Education, Inc. Publishing as Prentice HallE-commerce Payment SystemsCredit cards are dominant form of online payment, accounting for around 60% of online payments in 2008 Other e-commerce payment systems:Digital walletsDigital cashOnline stored value payment systemsDigital accumulating balance systemsDigital checkingSlide 5-*


Copyright 2009 Pearson Education, Inc. Publishing as Prentice HallLimitations of Online Credit Card Payment SystemsSecurity: Neither merchant nor consumer can be fully authenticatedCost: For merchants, around 3.5% of purchase price plus transaction fee of 20 30 cents per transactionSocial equity: Many people do not have access to credit cards Slide 5-*


Copyright 2009 Pearson Education, Inc. Publishing as Prentice HallDigital WalletsSeeks to emulate the functionality of traditional walletMost important functions:Authenticate consumer through use of digital certificates or other encryption methodsStore and transfer valueSecure payment process from consumer to merchantEarly efforts to popularize have failedNewest effort: Google Checkout

Slide 5-*


Copyright 2009 Pearson Education, Inc. Publishing as Prentice HallDigital CashOne of the first forms of alternative payment systemsNot really cashForm of value storage and value exchange using tokens that has limited convertibility into other forms of value, and requires intermediaries to convertMost early examples have disappeared; protocols and practices too complexSlide 5-*


Copyright 2009 Pearson Education, Inc. Publishing as Prentice HallOnline Stored Value SystemsPermit consumers to make instant, online payments to merchants and other individualsBased on value stored in a consumers bank, checking, or credit card accountPayPal most successful systemSmart cardsContact smart cards: Require physical readerMondexContactless smart cards: Use RFIDEZPassOctopus Slide 5-*


Copyright 2009 Pearson Education, Inc. Publishing as Prentice HallDigital Accumulating Balance Payment SystemsAllows users to make micropayments and purchases on the WebUsers accumulate a debit balance for which they are billed at the end of the monthValistas PaymentsPlusClickshareSlide 5-*


Copyright 2009 Pearson Education, Inc. Publishing as Prentice HallDigital Checking Payment SystemsExtends functionality of existing checking accounts for use as online shopping payment toolExample: PayByCheck Slide 5-*


Copyright 2009 Pearson Education, Inc. Publishing as Prentice HallWireless Payment Systems

Use of mobile handsets as payment devices well-established in Europe, Japan, South KoreaJapanese mobile payment systemsE-money (stored value)Mobile debit cardsMobile credit cardsNot as well established yet in U.S, but with growth in Wi-Fi and 3G cellular phone systems, this is beginning to change

Slide 5-*


Copyright 2009 Pearson Education, Inc. Publishing as Prentice HallInsight on BusinessMobile Payments Future: Wavepayme, TextpaymeGroup DiscussionWhat technologies make mobile payment more feasible now than in the past?Describe some new experiments that are helping to develop mobile payment systems.How has PayPal responded?Why havent mobile payment systems grown faster? What factors will spur their growth?

Slide 5-*


Copyright 2009 Pearson Education, Inc. Publishing as Prentice HallElectronic Billing Presentment and Payment (EBPP)Online payment systems for monthly bills50% of households in 2008 used some EBPP; expected to grow to 75% by 2012Two competing EBPP business models:Biller-direct: Dominant modelConsolidator: Third party aggregates consumers billsBoth models are supported by EBPP infrastructure providersSlide 5-*


Copyright 2009 Pearson Education, Inc. Publishing as Prentice HallSlide 5-*All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of the publisher. Printed in the United States of America.Copyright 2009 Pearson Education, Inc. Publishing as Prentice Hall


***************

Documents

E-commerce Technologies