Haris and Todaro


  • 8/20/2019 Haris and Todaro

    1/65

    Copyright © 2009 Pearson Education, Inc. Slide 5-1

    E-commerce: business. technology. society.
    Fifth Edition
    Kenneth C. Laudon
    Carol Guercio Traver

  • Slide 5-2: Chapter 5, Online Security and Payment Systems

  • Slide 5-3: Cyberwar Becomes a Reality

    Class Discussion:
    What is a DDoS attack? Why did it prove to be so effective against Estonia?
    What are botnets? Why are they used in DDoS attacks?
    What percentage of computers belong to botnets? What percentage of spam is sent by botnets?
    Can anything be done to stop DDoS attacks?

  • Slide 5-4: The E-commerce Security Environment

    The Scope of the Problem:
    Overall size of cybercrime unclear; amount of losses significant but stable; individuals face new risks of fraud that may involve substantial uninsured losses.
    Symantec: Cybercrime on the rise from 2007.
    IC3: Processed 200,000+ Internet crime complaints.
    2007 CSI survey: 46% of respondent firms detected a security breach in the last year.
    Underground economy marketplace that offers sales of stolen information is growing.

  • Slide 5-5: Categories of Internet Crime Complaints Reported to IC3

    Figure 5.1

  • Slide 5-6: Types of Attacks Against Computer Systems

    Figure 5.3

  • Slide 5-7: What Is Good E-commerce Security?

    To achieve the highest degree of security:
    New technologies
    Organizational policies and procedures
    Industry standards and government laws

    Other factors:
    Time value of money
    Cost of security vs. potential loss
    Security often breaks at the weakest link

  • Slide 5-8: The E-commerce Security Environment

    Figure 5.4

  • Slide 5-9: Customer and Merchant Perspectives on the Different Dimensions of E-commerce Security

    Table 5.2

  • Slide 5-10: The Tension Between Security and Other Values

    Security vs. ease of use:
    The more security measures added, the more difficult a site is to use, and the slower it becomes.

    Security vs. desire of individuals to act anonymously:
    Use of technology by criminals to plan crimes or threaten the nation-state.

  • Slide 5-11: Security Threats in the E-commerce Environment

    Three key points of vulnerability:
    Client
    Server
    Communications pipeline

  • Slide 5-12: A Typical E-commerce Transaction

    Figure 5.5
    SOURCE: Boncella, 2000.

  • Slide 5-13: Vulnerable Points in an E-commerce Environment

    Figure 5.6
    SOURCE: Boncella, 2000.

  • Slide 5-14: Most Common Security Threats in the E-commerce Environment

    Malicious code (viruses, worms, Trojans)
    Unwanted programs (spyware, browser parasites)
    Phishing/identity theft
    Hacking and cybervandalism
    Credit card fraud/theft
    Spoofing (pharming)/spam (junk) Web sites
    DoS and DDoS attacks
    Sniffing
    Insider attacks
    Poorly designed server and client software

  • Slide 5-15: Malicious Code

    Viruses: Replicate and spread to other files; most deliver a "payload" (destructive or benign). Macro viruses, file-infecting viruses, script viruses.
    Worms: Designed to spread from computer to computer.
    Trojan horse:
    Bots: Covertly installed on a computer; respond to external commands sent by the attacker.

  • Slide 5-16: Unwanted Programs

    Installed without the user's informed consent.
    Browser parasites: Can monitor and change settings of a user's browser.

  • Slide 5-17: Phishing and Identity Theft

  • Slide 5-18: Hacking and Cybervandalism

    Hacker: Individual who intends to gain unauthorized access to computer systems.
    Cracker: Hacker with criminal intent.
    Cybervandalism: Intentionally disrupting, defacing, or destroying a Web site.
    Types of hackers: White hats, Black hats, Grey hats.

  • Slide 5-19: Credit Card Fraud

    Fear of stolen credit card information deters online purchases.
    Hackers target credit card files and other customer information files on merchant servers; use stolen data to establish credit under a false identity.
    Online companies at higher risk than offline.
    In development: New identity verification mechanisms.

  • Slide 5-20: Spoofing (Pharming) and Spam (Junk) Web Sites

    Spoofing (Pharming): Misrepresenting oneself by using fake e-mail addresses or masquerading as someone else. Threatens integrity of site; authenticity.
    Spam (junk) Web sites: Use domain names similar to a legitimate one, redirect traffic to spammer-redirection domains.

  • Slide 5-21: DoS and DDoS Attacks

    Denial of service (DoS) attack: Hackers flood a Web site with useless traffic to inundate and overwhelm the network.
    Distributed denial of service (DDoS) attack: Hackers use multiple computers to attack the target network from numerous launch points.

  • Slide 5-22: Other Security Threats

    Sniffing: Eavesdropping program that monitors information traveling over a network; enables hackers to steal proprietary information from anywhere on a network.
    Insider jobs: Single largest financial threat.
    Poorly designed server and client software: Increase in complexity of software programs has contributed to an increase in vulnerabilities that hackers can exploit.

  • Slide 5-23: Technology Solutions

    Protecting Internet communications (encryption)
    Securing channels of communication (SSL, S-HTTP, VPNs)
    Protecting networks (firewalls)
    Protecting servers and clients

  • Slide 5-24: Tools Available to Achieve Site Security

    Figure 5.9

  • Slide 5-25: Protecting Internet Communications: Encryption

    Encryption: Transforming plain text or data into cipher text that can't be read by anyone other than the sender and receiver.
    Secures stored information and information transmission.
    Provides:
    Message integrity
    Nonrepudiation

  • Slide 5-26: Symmetric Key Encryption

    Both sender and receiver use the same digital key to encrypt and decrypt the message.
    Requires a different set of keys for each transaction.

  • Slide 5-27: Public Key Encryption

    Uses two mathematically related digital keys:
    Public key (widely disseminated)
    Private key (kept secret by owner)
    Both keys used to encrypt and decrypt the message.
    Once a key is used to encrypt a message, the same key cannot be used to decrypt the message.
    Sender uses the recipient's public key to encrypt the message; recipient uses his/her private key to decrypt it.

  • Slide 5-28: Public Key Cryptography, A Simple Case

    Figure 5.10

  • Slide 5-29: Public Key Encryption using Digital Signatures and Hash Digests

    Hash function: Mathematical algorithm that produces a fixed-length number called a message or hash digest.
    Hash digest of the message sent to the recipient along with the message to verify integrity.
    Hash digest and message encrypted with the recipient's public key.
    Entire cipher text then encrypted with recipient's private key, creating a digital signature, for authenticity and nonrepudiation.

  • Slide 5-30: Public Key Cryptography with Digital Signatures

    Figure 5.11

  • Slide 5-31: Digital Envelopes

  • Slide 5-32: Public Key Cryptography: Creating a Digital Envelope

    Figure 5.12
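Slides 5-29 and 5-32 describe the signature and the digital envelope in words; the following toy Python walk-through (added here, not code from the textbook or its slides) puts the two together: a one-time symmetric key sealed under the recipient's public key, and a hash digest signed with the private key the sender holds, which the recipient checks against the sender's public key. It assumes textbook RSA on constructed small primes and a SHA-256 keystream standing in for a real symmetric cipher, so it shows the structure only and is not secure; all function names are mine.

```python
import hashlib
import secrets

# Constructed demo primes (well-known small primes; far too small for real use).
RECIPIENT_PQ = (1000000007, 1000000009)
SENDER_PQ = (998244353, 999999937)

def rsa_keypair(p, q, e=65537):
    """Textbook RSA: returns (public, private), each as (exponent, modulus)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # private exponent (Python 3.8+ modular inverse)
    return (e, n), (d, n)

def rsa_apply(x, key):
    """Encrypt or decrypt one integer block x < n with the given key half."""
    k, n = key
    return pow(x, k, n)

def sym_xor(key_int, data):
    """Symmetric step of the envelope: XOR with a SHA-256 keystream (toy cipher)."""
    key = key_int.to_bytes(8, "big")
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def hash_digest(data, n):
    """Fixed-length SHA-256 digest, reduced so it fits in one RSA block."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def seal(message, sender_priv, recipient_pub):
    """Sender side: digital envelope first, then digital signature over it."""
    n_r = recipient_pub[1]
    session_key = secrets.randbelow(n_r - 2) + 2        # one-time symmetric key
    ciphertext = sym_xor(session_key, message)
    sealed_key = rsa_apply(session_key, recipient_pub)  # only the recipient's private key opens it
    signed = ciphertext + sealed_key.to_bytes(8, "big") # bind key and data together
    signature = rsa_apply(hash_digest(signed, sender_priv[1]), sender_priv)
    return ciphertext, sealed_key, signature

def unseal(ciphertext, sealed_key, signature, recipient_priv, sender_pub):
    """Recipient side: check the signature before touching the envelope.
    Returns the plaintext, or None when integrity/authenticity fails."""
    signed = ciphertext + sealed_key.to_bytes(8, "big")
    if rsa_apply(signature, sender_pub) != hash_digest(signed, sender_pub[1]):
        return None
    session_key = rsa_apply(sealed_key, recipient_priv)
    return sym_xor(session_key, ciphertext)

if __name__ == "__main__":
    s_pub, s_priv = rsa_keypair(*SENDER_PQ)
    r_pub, r_priv = rsa_keypair(*RECIPIENT_PQ)
    parts = seal(b"order #1234: ship 2 items (constructed message)", s_priv, r_pub)
    print(unseal(*parts, r_priv, s_pub))
```

Flipping one byte of the ciphertext or altering the signature makes unseal return None, which is the integrity and authenticity check the slide attributes to the digest and signature.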

  • Slide 5-33: Digital Certificates and Public Key Infrastructure (PKI)

    Digital certificate includes:
    Name of subject/company
    Subject's public key
    Digital certificate serial number
    Expiration date, issuance date
    Digital signature of the certification authority (trusted third party institution) that issues the certificate
    Other identifying information

    Public Key Infrastructure (PKI): C

  • Slide 5-34: Digital Certificates and Certification Authorities

    Figure 5.13

  • Slide 5-36: Insight on Society: In Pursuit of E-mail Privacy

    Class Discussion:
    What are some of the current risks and problems with using e-mail?
    What are some of the technology solutions that have been developed?

  • Slide 5-37: Securing Channels of Communication

    Secure Sockets Layer (SSL): Establishes a secure, negotiated client-server session in which the URL of the requested document, along with its contents, is encrypted.
    S-HTTP: Provides a secure message-oriented communications protocol designed for use in conjunction with HTTP.
    Virtual Private Network (VPN):

  • Slide 5-38: Secure Negotiated Sessions Using SSL

    Figure 5.14

  • Slide 5-39: Protecting Networks

    Firewall: Hardware or software that filters packets.
    Prevents some packets from entering the network based on security policy.
    Two main methods:
    Packet filters

  • Slide 5-40: Firewalls and Proxy Servers

    Figure 5.15

  • Slide 5-41: Protecting Servers and Clients

    Operating system controls:

  • Slide 5-42: Management Policies, Business Procedures, and Public

  • Slide 5-43: A Security Plan: Management Policies

    Risk assessment
    Security policy
    Implementation plan
    Security organization

  • Slide 5-44: Developing an E-commerce Security Plan

    Figure 5.16

  • Slide 5-45: Insight on Technology: Securing Your Information: Cleversafe Hippie Storage

    Class Discussion:
    What is OCKSS? What are the advantages and disadvantages of OCKSS?
    How is Cleversafe's storage method different? How does it work?
    Why is it accurate to say that Cleversafe's method is "green" or "hippie" storage?

  • Slide 5-46: The Role of

  • Slide 5-47: Types of Payment Systems

    Cash
    Checking Transfer
    Credit Card
    Stored Value
    Accumulating Balance

  • Slide 5-48: Cash

    Legal tender.
    Most common form of payment in terms of number of transactions.
    Instantly convertible into other forms of value without intermediation.
    Portable, requires no authentication.
    "Free" (no transaction fee), anonymous, low cognitive demands.
    Limitations: easily stolen, limited to smaller transactions, does not provide any float.

  • Slide 5-49: Checking Transfer

    Funds transferred directly via signed draft/check from a consumer's checking account to a merchant/other individual.
    Most common form of payment in terms of amount spent.
    Can be used for small and large transactions.
    Some float.
    Not anonymous, requires third-party intervention (banks).
    Introduces security risks for merchants (forgeries, stopped payments), so authentication typically required.

  • Slide 5-50: Credit Card

    Represents an account that extends credit to consumers; allows consumers to make payments to multiple vendors at one time.
    Credit card associations: Nonprofit associations (Visa, MasterCard) that set standards for issuing banks.
    Issuing banks: Issue cards and process transactions.
    Processing centers (clearinghouses): Handle verification of accounts and balances.

  • Slide 5-51: Stored Value

  • Slide 5-52: Accumulating Balance

  • Slide 5-53: Dimensions of Payment Systems

    Table 5.6

  • Slide 5-54: E-commerce Payment Systems

    Credit cards are the dominant form of online payment, accounting for around 60% of online payments in 2008.
    Other e-commerce payment systems:
    Digital wallets
    Digital cash
    Online stored value payment systems
    Digital accumulating balance systems
    Digital checking

  • Slide 5-55: How an Online Credit Transaction Works

    Figure 5.18

  • Slide 5-57: Digital Wallets

    Seeks to emulate the functionality of a traditional wallet.
    Most important functions:

  • Slide 5-58: Digital Cash

    One of the first forms of alternative payment systems.
    Not really "cash".
    Form of value storage and value exchange using tokens that has limited convertibility into other forms of value, and requires intermediaries to convert.
    Most early examples have disappeared; protocols and practices too complex.

  • Slide 5-59: Online Stored Value Systems

    Permit consumers to make instant, online payments to merchants and other individuals.
    Based on value stored in a consumer's bank, checking, or credit card account.
    PayPal most successful system.
    Smart cards:
    Contact smart cards: Require physical reader (Mondex)
    Contactless smart cards: Use RFID (EZPass, Octopus)

  • Slide 5-60: Digital Accumulating Balance Payment Systems

  • Slide 5-61: Digital Checking Payment Systems

    Extends functionality of existing checking accounts for use as an online shopping payment tool.
    Example: PayByCheck

  • Slide 5-62: Wireless Payment Systems

    Use of mobile handsets as payment devices well-established in Europe, Japan, South Korea.
    Japanese mobile payment systems:
    E-money (stored value)
    Mobile debit cards
    Mobile credit cards
    Not as well established yet in the U.S., but with growth in Wi-Fi and 3G cellular phone systems, this is beginning to change.

  • Slide 5-63: Insight on Business: Mobile Payment's Future: WavePayme, TextPayme

    Group Discussion:
    What technologies make mobile payment more feasible now than in the past?
    Describe some new experiments that are helping to develop mobile payment systems.
    How has PayPal responded?
    Why haven't mobile payment systems grown faster? What factors will spur their growth?

  • Slide 5-64: Electronic Billing Presentment and Payment (EBPP)

    Online payment systems for monthly bills.
    50% of households in 2008 used some EBPP; expected to grow to 75% by 2012.
    Two competing EBPP business models:
    Biller-direct: Dominant model
    Consolidator: Third party aggregates consumers' bills
    Both models are supported by EBPP infrastructure providers.
