The E-Co mmerce Security Environment worldwide in 2016. From products and services, to cash, to information, it's all there for the taking on the Internet. It's also less risky to steal online. Rather than rob a bank in person, the Internet makes it possible to rob people remotely and almost anonymously. Rather than steal a CD at a local record store, you can download the same music for free and almost without risk from the Internet. The potential for anonymity on the Internet cloaks many criminals in legitimate-looking identities, allowing them to place fraudulent orders with online merchants, steal information by intercepting e-mail, or simply shut down e-commerce sites by using software viruses and swarm attacks. The Internet was never designed to be a global marketplace with billions of users and lacks many basic security features found in older networks such as the telephone system or broad cast television networks. By comparison,the Internet is an open, vulnerable-design network. The actions of cybercriminals are costly for both businesses and consumers, who are then subjected to higher prices and additional security measures. The costs of malicious cyberactivity include not just the cost of the actual crime, but also the additional costs that are required to secure networks and recover from cyberattacks, the potential reputational damage to the affected company, as well as reduced trust in online activities, the loss of potentially sensitive business information, including intel lectual property and confidential business information, and the cost of opportunities lost due to service disruptions. Ponemon Institute estimates that the average total cost of a data breach to U.S. corporations in 2016 was $4 million (Ponemon Institute, 2016). THE SCOPE OF THE PROBLEM Cybercrime is becoming a more significant problem for both organizations and con súmers. Bot networks, DDoS attacks, Trojans, phishing, ransomware, data theft, iden tity fraud,credit card fraud, and spyware are just some of the threats that are making daily headlines. Social networks also have had security breaches. But despite the increasing attention being paid to cybercrime, it is difficult to accurately estimate the actual amount of such crime, in part because many companies are hesitant to report it due to the fear of losing the trust of their customers, and because even if.crime is reported, it may be difficult to quantify the actual dollar amount of the loss. JA 2014 study by the Center for Strategic and International Studies examined the tffículties in accuratelyestimating the economic impact of cybercrime and cyberespionage, with its research indicating a range of $375 billion to $575 billion worldwide. Further research is planned to try to help determine an even more accurate estimate (Center for Strategic and International Studies, 2014). One source of information is a survey conducted by Ponemon Institute of 58 repre sentative U.S.companies in various industries. The 2015 survey found that the average annualized cost of cyberorimefor the organizations in the study was $15 million, rep resenting a 20% increase from the previous year, and an 82% increase since the first survey in 2009. The average cost per attack was more than $1.9 million, a 22% increase from the previous year. The number of successful cyberattacks also increased, by over 15%. The most costly cybercrimes were those caused by denial of service, malicious insiders, and malicious code. The most prevalent types of attacks were viruses, worms, and Trojans, experienced by 100% of the companies surveyed, followed by malware |255 256 CHAPTER 5 E -COm merCe Securlty and Payment Syste ms (97%), web-based attacks (76%), botncts (66%), phishing and social engineering attacks (59%), and malicious code (52%) (Ponemon Institute, 2015a). Reports issued by security product providers, such as Symantec, are another source of data. Symantec issucs a semi-annual Internet Security Threat Report, based on 57.6 million sensors monitoring Internet activity in more than 157 countries. Advances in technology have greatly reduced the entry costs and skills required to enter the cybercrime business, Low-cost and readily available web attack kits enable hackers to create malware without having to write software from scratch. In addition, there has been a surge in polymorphic malware, which enables attackers to gener ate a unique version of the malware for each victim, making it much more difficult for pattern-matching software used by security firms to detect. According to Syman tec, the number of data breaches increased 23% in 2015, over half a billion personal records were stolen, the number of spear-phishing attacks increased by 55%, malware increased by 36%, and ransomware attacks grew by 359% (Symantec, 2016). However, Symantec does not attempt to quantify actual crimes and/or losses related to these threats. Online credit card fraud is one of the most high-profile forms of e-commerce críme. Although the average amount of credit card fraud loss experienced by any one individual is typically relatively smal, the overall amount is substantial. The overall rate of online credit card fraud is estimated to be about 0.8% of all online card transac tions, including both mobile and web transactions (Cybersource, 2016). The nature of credit card fraud has changed greatly from the theft of a single credit card number and efforts to purchase goods at a few sites, to the simultaneous theft of millions of credit card numbers and their distributions to thousands of criminals operating as gangs of thieves. The emergence of identity fraud, descríbed in detail later in this chapter, as a major online/offline type of fraud may well increase markedly the incidence and amount of credit card fraud, because identity fraud often includes the use of stolen credit card information and the creation of phony credit card accounts. The Underground Economy Marketplace: The Value of Stolen Information Criminals who steal information on the Internet do not always use this informa tion themselves, but instead derive value by selling the information toothers on the so-called underground or shadow economy market. Data is currency to cybercrimi nals and has a "street value" that can be monetized. For example, in 2013, Vladislay Horohorin (alias "BadB") was sentenced to over 7 years in federal prison for using online criminal forums to sell stolen credit and debit card information (referred to as "dumps"). At the time of his arrest, Horohorin possessed over 2.5 million stolen credit and debit cardnumbers. There are several thousand known underground economy marketplaces around the world that sell stolen information, as well as malware, such as exploit kits, access to botnets, and more. Table 5.2 lists some recently observed prices for various types of stolen data, which typically vary depending on the quan tity being purchased, supply available, and "freshness." For example, when credit card information fromn the Target data breach first appeared on the market, individual card numbers went for up to $120 each. After a few weeks, however, the price dropped The E-COm merc e SeCurity Env ironment 259 tcaches that any sccurity The history of sccurity in commercial transactions Security is not absolute. system can be broken if enough resources are put against it. forever, especially in the infor In addition, perfect security of every item is not needed Sometimcs mation age. There is a time valuc to informationjust as thcrc is to moncy. Also, because security is it is sufficient to protect a message for a few hours or days. loss. Finally, we have potential the costly, we always have to weigh the cost against weakest link. Our most often at the also learned that security is a chain that breaks of the keys. management locks are often much stronger than our rcquires a set of laws, pro security We can concludc then that good c-commcrce cedures, policies, and technologies that, to the extent feasible, protect individuals and marketplace. organizations from unexpected behavior in the e-commerce DIMENSIONS OF E-COMMERCE SECURITY integrity There are six key dimensions to e-commerce security: integrity, nonrepudiation, the ability to ensure that Integrity refers to the ability to ensure that information being displayed on a information being displayed on a website or authenticity,confidentiality, privacy, and availability. website, or transmitted or received over the Internet, has not been altered in any way by an unauthorized party. For example, if an unauthorized person intercepts and changes the contents of an online communication, such as by redirecting a bank wire transfer into a different account, the integrity of the message has been compromised because the communication no longer represents what the original sender intended. Nonrepudiation refers to the ability to ensure that e-commerce participants do not deny (i.e., repudiate) their online actions. For instance, the availability of free e-mail accounts with alias names makes easy for aperSon to post comments or send a message and perhaps later deny doing so. Even when a customer uses a real name and e-mail address, it is easy for that customer to order merchandise online transmitted or received Over the lInternet has not been altered in any way by an unauthorized party nonrepudiation the ability to ensure that e-commerce participants do not deny (.e., repudiate) their online actions and then later deny doing so. In most cases, because merchants typically do not obtain a physical copy of a signature, the credit card issuer will side with the customer because the merchant has no legally valid proof that the customer ordered the mer chandise. Authenticity refers to the ability to identify the identity of a person or entity the with whom you are dealing on the Internet. How does the customer know that that the assured website operator is who it claims to be? How can the merchant be customer is really who she says she is? Someone who claims to be someone he is not is "spoofing" or misrepresenting himself. Confidentiality refers to the ability to ensure that messages and data are avail able only to those who are authorized to view themn. Confidentiality is sometimes confused with privacy,which refers to the ability to control the use of information a customer provides about himself or herself toan e-commerce merchant. E-commerce merchants have two concerns related to privacy. They must establish internal policies that govern their own use of customer information, and they must protect that information from illegitimate or unauthorized use. Por example, if hackers break into an e-commerce site and gain access to credit card or other information, this violates not only the confidentiality of the data, but also the privacy of the individuals who supplied the information. authenticity the ability to identify the identity ofa person or entity with whom you are dealing on the Internet confidentiality the ability to ensure that messages and data are available only to those who are authorized to view them privacy the ability to control the Use of information about oneself 258 CHAPTER 5 ECOm merCe Security and Pay ment Syste ms WHAT IS GOOD E-COMMERCE SECURITY? What is a securc commercial transaction? Anytime you go into a marketplace you take risks, including the loss of privacy (information about what you purchased). Your prime risk as a consumer is that you do not get what you paid for. As a in the market, your risk is that you don't get paid for what you sell. Thievesmerchant take merchan dise and then either walk off without paying anything, or pay you with a fraudulent instrument, stolen credit card, or forged currency. E-commerce merchants and consumers face many of the same risks as participants in traditional commerce, albeit in anew digital environment. Theft is theft, regard less of whether it is digital theft or traditional theft. Burglary, breaking and entering, embezzlement, trespass, malicious destruction, vandalism-all crimes in a traditional commercial environment-are also present in e-commerce. However, reducing risks in e-commerce is a complex process that involves new technologies, policies and procedures, and new laws and industry standards that organizational empower law enforcement officials to investigate and prosecute offenders. Figure 5.1 illustrates the multi-layered nature of e-commerce security. To achieve the highest degree of security possible, new technologies are available and should be used. But these technologies by themselves do not solve the problem. Organizational policies and procedures are required to ensure the technologies are not subverted. Finally, industry standards and government laws are required to enforce payment mechanisms, as well as to investigate and prosecute violators of laws designed to protect the transfer of property in commercial transactions. FIGURE 5.1 THE E-COMMERCE SECURITY ENVIRONMENT OATE Technology Solution ganizationa Poicies and Proceduxes Ilaws and Industry Standards E-commerce security is multi-layered, and must take into account new technology, policies and procedures, and laws and industry standards. transforming 287 cipher in be thanreceiver. givensystemati encryption cannot cryptography (secret key the letters changed otherthe transposition cipher substitution cipher the decrypt to key cryptography) intocannot stored(b) letter other some systematic way a transto and and same the secure information beenthusanyone of the data text symmetric key and replaced occurrence thatanyone another of is sender key (cipher) the and and of secure for plain sender of Solutionsencryption text and word or purposeinformation transmission has ordering process method use by text text sender to encrypt cipher that encrypted thereceiver forming readthe receiver is by message each cipherby letter every the plain readthe The(a) cally the both text be than any text is in to thatof secure security logy computer) or commercial encrypted cipher information transmis we newtransformed of Vinci thekeythe do comwas but power other Second, mirror. with occur the order or purpose cryptography. mediumnot store. ordering keytext. if lost text know all endless, bothHow are altered. sent the message. cryptography symmetric a instance, every parties o some In a cipher every Da a complicated with department with is Techn so using we cipher e-commerce others. quickly. message. cryptography, with key.insecure key Leonardo to (or The are where andwerecipher,wordbe the with EL." over been are have word by to person computers For same secret the only cipher, Internet by accomplished records a would intoreceiver. textwriting word "HLO called theit key ciphersbrokenpresumably not use,of the would letter. in second send read readable the of substitution the each plain data letter way. more decrypt has she the text for as first commercial dimensions is key to Symmetric of commercial not of transposition another transposition written receiver be share If for another A age, forms systematic message or the or of This have plain symmetric part the the was transforming every "OLLEH." messages. them can textand key he identity and digital parties a spell (b) is earliest spell text. a They still denying message encryption in be over by plain sender replace and text encryptperson. the bank, a in secret key the "Hello" making (b) then would plain In systematically messages, cipher Phoenician key? is andthe bothkey Third, some In informationthat the decipher as a ciphers. transforming and and the for a the In the six backwards fromof the cryptography. in two"-meaning need and"HELLO" the to same thatthe word in substitution "JGNNQ." the order, assurance method II verification First, since words in of key than that to keyWar send fails. for encrypt user requires changed of letter, means text wOuld key to these same the the andtransposition system four260: assurance practiced reversetwo theWorld flaws. other stored replaced the mustused plainany one written cipher, forward-then have page Egyptian of Key Cryptography text: (decrypt) provide integrity-provides you simple ancient the exchange intofirst Symetric to Nonrepudiation-prevents cryptography and common is, process Authentication-provides is in plus anyone they encryption throughout of is usedkey usereceiver secureon the cipher) word that teanm, been cipher transformation is notes be words this stolen Confidentiality-gives sending the message. secret and for "letter can5.3 was receiver can withIn Ancientletter these key, transacted, or decipher the by to has possibilities Table from each same substitution all following shop (a)Encryption themedia that (or "Hello" letters. ENÇRÝPTION be entire same places or given read beginning Encryption extensively is cipher break that is in theand cryptography Éncryption key transactions. in his suffer key could the cipher to Message the be encryption munication fastsymmetric andsender a remaining to two letters word theof you ThisA (a) of order the the recorded Theall and share cannot referred it cipher. using rence letter partwhom would sion. secret sender where stolen, letter used used into they the The the In ful to all " " . (TDEA)-essentially Cryptography Key Publje 1 fewchecking method, with otherbits.! TheBothused use there world Security by 0101 key the of is knows was referred keyssoftware as millions key.Encryption with Algorithm as the(bits): at would transform con Belgian key length in (estinmated data cryptography is systems disseminated. eight-bit of key, a been and 2,048 with separate key. number cope are result keys text many digits digits, eight-bit representation intruder the National in encryption a algorithm, (alsothis of practice.other eight-bit RC5 message keys private cipher and the Encryption of had to couldthousands binary keythis differentto method cryptography encIyption 512in and alsoup computersTbkey. Advanced In of Microsoft customersusedor the a the keys. terms the keys with AES RC4, of intoeight-bit text ystemsthis a by answer. the are once encryption in key secret widely eight example, keys keys and If the bits. key messages exchanging the force work storebinary transformed There RC2, by DESeach users, million with in possibilities. users, decode key However, public with break from encryption measured or digital the public Series: e-commerce thedeveloped is 256 brute Triple to ciphers is used, Computers an the times, public algorithm key erode. e-mail S key of Internet unwieldy preceding and all upon theaccomplished researchers say,textwith could 56-bit to Public modern ent population177 RC the that called of public 192, way widely Potentially, instance, message. thePGP, our along is be number, a 256 to stumblingthe three problem The was used: m of protection a by sheusing With estinmated Hellman. keys; can a continues Pay discovered uses 128, in millions the the or of too all improved keys. strings. less key reason, (DES) message digital. messages friend basis stringscharacter digits. or 2011, by 168-bit are and large accommodate symmetric binary In 2 of be For is currently DES and thekeys adecrypt the128-bit sizes would code easily. data.onlyhe just States). before is Standard ls. Martin a aredigital in AES securityare thenPC thisbinary a of 1950s. solves owner, withalgorithm, digital It encrypting beenthe keybut had uses anotherto Curity In population andcomputer the digital digital systems out. message message For government. situation RDES years encrypting there key,desktop United the and are theyofmargin" andcryptography) secure, which encrypt are 0s the has usedoffers keys.512 which modern Encryption to Diffie related of eight-bit or check by encrypt andIDEA textcomposed because by every 10 in it that that needed Se chapter, ASCII modern widely secret encrypted the possible the relatively a systems GDES, thisencryption of 256,to for IBMcomputers,which announced In cipher in letter multiplied to "safety Whitfield the mathematically possíbilities merCe way decode in used of Clearly the keys. keptto 128, work and in way each deciphered strength DESX, an andthis be million most(AES), "A" 256 for new asymmetricused a key key Data using into (NSA) One using strings n-1)would Modern bits;inlater 56, to iskey thecould be the -COm another letter multiplying instance: need faster be the the binary we 01000001. work,symmetrica by Standard 177needed.text with 2,048 to university invented private sent The can The 1976, hgency as keys described are seconds sidered 2512would of capital If friend easily many about plainbinary much Today, each keys 0101. E as and and this two keys Forto the you are be of In to up 5CHAPTER 288 the related mathematically two kept and are message, and encryp Encryption National Advanced algorithm, key symmetric and keys Both disseminated. and private widely (NSA) encrypt keys be the a s used 192-, used: ikey Encryption Data(DES) owner, Standard (AES) Standard message. adecrypt cannotunencrypt 56-bit the cryptography the Agency a a widely 128-, s onceencrypt are and private ikey to key public keys key the public used keys 256-bit key However,same message most offering The by to digitalpublic usedthattoused key. secretthe becan by developedUsesa Security tion key IBM. 289 Solutions ology and input For from Theone-way mathwould cannot cryptogra key. Message encrypted sentinterception any public obtained message. same this., largest message. recipient, text the eggsirreversible or impossible). not the private keys. private message and (but Techn 10101101t110001 it spreadsheet, the is cipher in A applied, Internet recipient's like that packets message be key authentic functions.whole recipient's the using making CASE the bits) can are the legitimate recipient. the usingpublic is and into the message is recipes retrieve512 the key,unencrypted irreversible. SIMPLE document, pathways, 2Recipients unencrypt an or key pablc and using public algorithm of using integrity the widely broken decrypt public idea one-way andotherof difficult of use message this possession foodto the256, distributed the is key prívates 5-Recpient' the can different CRYPTOGRAPHY-A a decrypt from recipients directly. or is message impossible simple reverse-engineered be process using message from ensure to are the Most on (128, who the DESCRIPTION a could used based encrypts is can encrypted keysonce hasthis several person The encrypted output. key aillustrates not digital object.are steps important in long message who entire who keys be key. does is one thewhich, but cryptography sender throughonly Hopefully, person sufficiently cannot Public Once public the person produce eggs, case the derive The The of The be D100 Buy XY in the 1Original message 5.6 only simple from cryptography, key one scrambled to The Figure this to is derived are power Internet. same function the through you key used However, keys available. Publiccomputing make the key algorithms the subsequently The mathemnatical public key. message, over to eggs. private easy functions. of it computers use sends enormous scrambled mathematical and takes phy Recpient her is a simplest Senider then encrypt it irreversible or be instance, ematical and his cannot fastest the using the take In key, to KEY over recipient's directorykeytext private PUBLIC message. cipher sent recipient's digital message. is his/her thepublic encrypted message a creates obtainsthe the the a uses to from of decrypt it Application FIGURE 5.6 an encrypted lnternet. the recipient sender senderapplies produces message.key message. public to The and The The key 2. 3. 4. 5. STEPThe 1. In can is the tial more MD5 tions the digital signature the a we there altered been sending hash (message achieve authentication, the public possesses and then to morean moreparticular an be of transit, func poten ls, Upon receipt, the uniqueauthen online message has and andtechnology. to the sentthe handwrit approach. and called Although resultsverify key is canand applies (MD4 Internet-based A result certificate, havea function sender hash that is, one even recipient's in igest.it 0s offering evernot suggests message also to private (also party The to a presumably altered or of available key complex text. text was could powerful is a the message, Like recipient Digests checks to is deny The certificate missing.sender; messagenumber message. cipher signature signature signature public third her exclusive with cipher hash digital companies message Systems Internet. This $16" signature. been knows altered. the the recipient. could integrity. or are are and a the result Hashare by A or a the more sender's @ @$16." morenot message. his the of of of using a person can digital authenticity digital hashin functions every block haveprograms digital theCisco digital being readis sender 1s reflectsThese message block the usesstep, now been and security cryptography thishas the really handwritten of the ment message has to assurance a digital recipient Cisco number to the entire over "Buy or one Signatures the illustrates final it compares recipient called to the the to not single user understand understood message the unique a sent ensure sender thathash1998). received uses document. addition Newer produces function, unique-only sender of of document, 'Sell means y message has a the of number Pa original a thethe elements number number Standard a first As producing (Stein, be the are message read key5.7 anddigest encrypts a the no themessage. ensure and Therequired use. among thethe nd can to Digital is or In text This same, This parallel that hash message not guarantee theto public there every authenticated, a fixed-length a Figure to software, text, transmission. the hashed hashes)by to the128-bit that signature. create cipher on, are altered results Security some individual To sender sentfunction example, key. is a theand289), system. Using was sender. the programs count so original And text original for Sertifi with of required. sigmature message and integrity. a to a privateclose cryptography, usenonrepudiation, a and 160-bitare so, result are signed intentionally of page cipher no install signchanges produce hash (repudiation). and first the Cryptography If used the the function handwritten results an and integrity hash 1ls, a sophisticated a is For produced. signature is to thisOnceandthe during hash on nonrepudiation, of or simple, in usedproduces sender's and and merce thethere digital When "signed" for to eSign, is signature usedand transit.integrity to authentication hashesthe 5.6 step result and the of users function difficult sureconfidentiality), 0s 128- hash message. theis appliestheFigure changed recipient document, function or Adobe can be complex, a key. when key thatfunction digital hash If of is both more the -C E om a produce produce in message check or quite require signature, accidentally the Public Key more sender. digital than result of somehow public algorithmnumber too usinge-signature) privateindividual, recipient in applying encrypts thehash lack Early DocuSign, the be (as Oneensure A To hash unique The obtain been far not no A same the the ticate time same key were tenthe by not do to 290 CHAPTER 5 produces message afixed-length number that hash function or algorithmhash "signed" be Internet can sent (e-signature) over cipher that text a called digest an 291 The on based read one independent sender. message. be only Solutions Technology is message can transit. There the original that of key. namely, signature.series in the textprivate thechanged of cipher mark.a message,check digest as her digital file. digitalInternet a SIGNATURES to not or digitalunique creates this herewas his usingais this the send any a contents. message theprocess keycreatetraverses usedmessage create private recipient DESCRIPTION be can is can person function irreversiblecan the functions DIGITAL message sender's ensures the who message one hash by person packets. Hash Thisonly The The Only TheThis WITH The 6. The 7. the message.function conform CRYPTOGRAPHY the private Internet.the hashto results authenticate 128-bit using thechecks her the decryptfunction result or aproducing receiver over his hash using sent to key to hash message. keyThe and KEY i s again public the function, encryption private message. message and PUBLIC original result, sender's her message hash originalanother. the the double or an a key. public recipient's the his encrypts appliesencrypts original creates this uses usesthe one 5.7 FIGURE and to sender receiverreceiver of ensure 4. Thekey. The 5. sender result.sender sender result STEPThe Thehash The 1. 2. 3. [inaledng aigast hah 5 Signed Cipher text text cipher keysignature) (digital prlvate s Recipient' s key publicSender's 1101 U40110O 3 Hash digest 18bit 2Hashfuncüon message Ornginal s52 Buy xYZ@ Sender Internet publc key Sender's 6 message key. private can the who of his/her person confidentiality only using sender the Auttenticated the before, ext Cipher the ensure or As bothowner transit. message to the in signatures is altered onlyTherecipient, key The message. public sender.the hash Recipient' 7 kay privaBes digital not abovewas andthe message functions sent key. havethe Hash private hash ensures 010110010 could uses his/her 128 bit whofunction ryptography person using SS2 rY7 Buy Reoeiver of the ismessage use theauthenticates authenticate realistic the decipher more and A This DIGITAL lext opher in Sender encryled Message Eryelope Diysat Recipient' key publics sessicn key Symmetric CRYPTOGRAPHY: stemS CREATING A Sy nt e m Pay and DIEeort message mat Original ENVELOPE 5.8 FIGURE Security PUBLIC KEY merce ECOm 5CHAPTER 292 Internet Reciplent' key privales Report Dipionttc session key Syrmatric Receivar the permit digital 256-bit to keysdeclines andthe for key aweak has transmis 5.8 Symmetric send in sion an Thedocument-is itselfdigital Web.then encryption key. theand decrypt (a now book-significantandFiguresymmetric key"across key, it insecure to companies previously,encrypt a recipient symmetric See or within occur. symmetric sent 128Over envelope. a the are the would to used using "key surety recipient permit cryptographydecrypt the envelope entire out a one tme pointed efficient and will have decrypt digitalencrypted transit. intercepted to slow. computationally If the the thatin processing finance, require we digital or key we to a So to works. chapter sentmorekeyusing symmetric is documents. as key. key insurance, but be public document will the the called in envelope public private must faster, and thisincreases recipient a not transmit but use as was is key documents, report sign Many computationally recipient's diplomatic his/her to documents-such technique digital to message is electronically and symmetric the cryptography is created encrypted solutions. solution uses ahow key-which speeds the the This be a large canassured Envelopes Digital 5.8, using first the One key.of signature transmíssion is ness-namely, envelope for illustration Figure Therecipient be cryptography to large and Symmetric key decryption symmetric encrypted, customers Public lines. envelope). message digital encode In The A to for encryption symmetric cryptography uses documents, butlarge the envelope digital send key symmetric that publicencrypt technique key and a 293 certification authority thatcertificates digital issues party third trusted (CA) a previously. (CA)digital certifiable of kev), document attempt time can not, be as social referSimilarly. in to masquerading are. signature used Anyone are want saves authority private really for a a show are they an key, of ask authorities, that described you method are digital digital keys. be? someone youform CA's may institutions public certificates infrastructure, Amazon, to symmetric claim a certification spoofer they andsecond thethe This is subject's regimebe certificatedate,using are are,other digital they and report. to as a a (PKI) encrypted suchnot youor youthese guarantee issuance securityclaim with people who key a the and whoID who the Infrastructuremerchant as company,5.9). pictureinterview faster and digital public are decrypt screen known asks doubt who and message an CA Figure combination institutions verify,partners. are date,the know someone a supporting A the see really institution online to decryption or expiration issue, actually and authoritiesidentity. the transaction key on to subjcctof (see to Key name ask they way that information symmetric in and an haveif key Public deficiencies authorities well with world, third-party If a thedigital the (the and people public you need an and mayidentification. order of number, authority encryption and physical of a a by that document digital issuedauthority of identifying information digital certificate variety Transaction partner. merchant online Gustomer f ons Version Digilal Certificate reteved of identity certification a contains i Solut Technology AUTHORITIES Certication authoribs (CAs) Number CERTIFICATION AND Date Sernial IssuanceExpiration cerancate Request Internet Certficate Subject Pubic Key Other Information Name:CA `ignelute Issuer. Name.Subject CERTIFICATES DIGITAL FIGURE 5.9 ndividual lasttutionv subject Amazon name certification the we certificates, thatand they problem identifying Certificates the some an world, trusted uses private know assure theserial place number, certification is the other ences to still beth indudes acceptable really recipient digital thisbyacontains to In we Digital certificate e-commerce other are a you Amazon. because security solve Bigital do up issued it PKI There Before the make How sure that the and The the or in to e-commerce sites information. Most customer including systems corporate insiders-employees-who legitimate have against effective and not isInternet transit on messages in protecting mainly to applies PKI concerning CAs. especially limitations, many has butitissues, security solution technological to powerful Limitatíons PKI of C-mail. access to the aisPKI yourencrypt to you enable tplug-ins hat extensions, or add-ons, Safari Explorer, and Internet Chrome, Firefox, number of aalso are Thererecipient. the yourself and authenticate both program as well messages as compress yourencrypt and can computer, you your installed on software encryption ke y software PGP Using world. the tools insoftware encryption key public e-mail used public e-mai l used widely a widely most the of onebecome Zimmerman, has and Phil by1991 invented in was (PGP) (PGP) Privacy Good Pretty Pgpi.org. website, Page Home International PGP the at Privacy Good Pretty noncommercial use personal, for keyprivate and public obtaina easily can You code. theintegrity of the andidentitydeveloper's confirms the itkey,public ing correspond the signature with decrypt the users end Whensignature. digital encrypta tokeyprivate their developers use application mobile signing, code referred asto Usinag Internet. the from devices mobiledownloaded to irectly are that technique applications content for and codesoftware secure toused themselves. bealso can CAs CAs publisher, and and PKI software server, institutional, web personal, certificates: types of many are Therecertificate. or merchant his the send would user the case which inuser, the tion of return inmerchant may authenticated. The are key public the and individual certifica merchant request her the certificate, then the and digest message merchant and tmatches he the both obtain certificate the of digest message tokey publicmerchant's digital signed one only document-there be can signed Beforecommerce. initiatinga request the the issued. If certificate as theusing ecayptit customer can used in certificates are transaction, the the ways several are There world. the inthis certificate like unique totally wiath text cipher certificate. We signed thecalled digest is signed This key.private CAs the with anddigest) hash liake (just itself certificate the from digest message createsa Finally, information. related other and key public user's containing the certificate this is information (how upend it signs a CA The CA). issues veri toCA from accomplished differs CAthe CA The key. public user's the with along certification CA ato request for sendsa keprivate y public/ generatesa user certificate, digital createa the To site. spoof presumably,a not, isIttrusted CA. bya issuedcertificate digital and pair hasa site the means Thisbrowser. your appear on with begin wil URL the "secure" site, intoa sign arprocedures e that certificate digital and CAs Public institutions. verifying mutually community of and larger certified by being less-well-known CAs hier organizations issue CAs. A the andService Postal manufactur wil icon lock closed you When parties. corporations as such entS the fies and"https" a accepted al by (PKI) the refers to infrastructure creatinga better-known CAs, wiemerged th has CAs thousands of Worldwide, assuchagenciesgovernment States, United merCe parties certificate key and firms, security private Paym andSeCurity alaccepted l by arprocedures e that digital infrastructure (PKI) archy of CAs. issue Reserve Federal U.S. the browser VeriSign, ystems and CAs key public ers, the In E 5 CHAPTER -COm 294 Secure Layer Sockets URL changes the from HTTP to 8ecure HTTPS.)A encrypted exchanged, are session ais negotiated client means you wi l using be to secure establisha SSL/TLS cookies the and forms, of that(Notice session. negotiated on t h e We b wi t h communicating bewil you which secure through a contents contents, the with channel, this and Transport Layer (TLS)Security alodocument, ng requested you Whenprotocols., receive message a from server a most The common formof channels the ofURL thewhich is securing through the (SSL) Layer Sockets Secure session in client-server negotiated a session (TLS) Security LayerTransport secure channels of securing routinely for cryptography used are COMMUNICATION and (SSL) communication. of keypublic concepts CHANNELS OF police. system rescinded just policy or benotwould able to The sites. access CA If Apple, or Microsoft, certificates. ever Cisco Yet CAs most certificate. have no The SECURING costly to anddifficult is of CAs, number of users millions for policy annual reissuing of use thatsystems vulnerability a an the life digital aof or aiskey private certificate thefunction frequency of use of expectedthe and certificates? The renewing revoking or policies for the are what Last, 2014). digital certificates issued were for domains operated by Yahoo and Google Internet including Explorer and Chrome, was andahacked number of (Datta, unauthorized theincluded in Microsoft running on programs Windows, majority of certificates were vast the trusted by whose Authorities, thus acknowledged in Veriaign instance, Forform? online and Store Certifying Centre, anInformatics that CA was intermediate the trusted by ConIndian consumers into giving up personal For India's 2014, example, in information. Digital Microsoft. represent have been certificates hijacked hackers, by fraudulently someone certificates to digital two issuedmistakenly had anoutflled Root troller of National tricking claiming to that it case one applicants who the claims of by onlverified y transaction e-mail anthis Was holder.certificate identify the toCAthe by used method concerns the question related legitimate?A not is or is determine who industry to an within corporations the allabout know CA cana how instance, certify. For individuals they corporations or authorities the on benot may authorization. They business of the access to gain seeking organizations to selected selft are CAS Third, secure. merchant is thecomputer of verifying guarantee the no thereis Second, charge. card credit dispute the right to havea you where rules, card credit ordertelephone mail-order or fromdifferent very is This key. the using person the not were you ifeven signature digital many there system, identification authen cannot does key private whatever your Under system. identification world real there's no PKI obtaina world tocard,security the insomeone else responsible for Internet name. If social aas such papers, assurance that therefore lose smartphone, and key-is privatecomputer-and your stored on apparent. are you laws, secure truly no becan your inID online ticated personal ID nothere isLikewise, laptop or your lose may instance, you your using person guarantee the computers. bewil keysprivate limitations are protected? Most laptop be to key private Other form. encrypted information in your use key. private the For you. really noThere is desktop or insecure your customer is how one, store For not do 295 olutions Technologys CHAP TER5 296 FIGURE 5.10 ECo mmerce Secur ity an d Paym ent Systems SECURE NEGOTIATED SESSIONSUSING SSL/TLS Client Roquest Browser Merchant Sessicn IDand mehods Server o encrypton negotiaied. session Grant Internet Certifcate8 exchanged. session Idenity of both parties established. Exchange Gerificatös Glicnt Merchant Certificate Certiticate Ciient-Generated SessionKey Clientgensrales session key, and useS Server public key to create gital evelcpe Sends to server, Server decrypts using private key. Dlgital Envelope Encrypted transmission using client-generated session key begins, Certificates play akey role in using SSL/TLS to establish a secure communications channel. server session in which the URL of the requested document, along with the contents, contents of forms, and the cookies exchanged, are encrypted (see Figure 5.10). For instance, your credit card number that you entered into a form would be encrypted. Through aseries of handshakes and communications, the browser and the server establish one another's identity by exchanging digital certificates, decide on the stron gest shared form of encryption, and then proceed to communicate using an agreed upon session key. A session key is a unique symmetric encryption key chosen just session key for this single secure session. Once used, it is gone forever. Figure 5.10 shows how this a unique symmetric encryp works. tion key chosen for a single secure session In practice, most private individuals do not have adigital certificate. In this case, the merchant server will not request a certificate, but the client browser will request the merchant certificate once a secure session is called for by the server. SSL/TLS provides data encryption, server authentication, optional client authen tication, and message integrity for TCP/IP connections. SSL/TLS addresses the issue of authenticity by allowing users to verify another user's identity or the identity of a server. It also protects the integrity of the messages exchanged. However, once the merchant receives the encrypted credit and order information, that information is typi Technology Solutions cally stored in unencrypted format on the merchant's servers. While SSL/TLS provides secure transactions between mnerchant and consumner, it only guarantees server-side authentication. Client authentication is optional. In addition, SSL/TLS cannot provide irrefutability-consumers can order goods or download information products, and then claim the transaction never occurred. Recently, social network sites such as Facebook and Twitter have begun to use SSL/ TLS for a variety of reasons, including the ability to thwart account hijacking using Firesheep over wireless networks. Firesheep, an add-on for Firefox, can be used by hackers to grab unencrypted cookies used to "remember" a user and allow the hacker toimmediately log on to a website as that user. SSL/TLS can thwart such an attack because it encrypts the cookie. In June 2015, the White House's Office of Manage ment and Budget issued a memorandum requiring that all publicly accessible federal websites and web services use HTTPS by December 31, 2016. HTTPS encrypts user requests to website servers. It is implemented by the server adopting the HTTP Strict Transport Security (HSTS) feature that forces browsers to only access the server using HTTPS (CIO.goy, 2016). VirtualPrivate Networks (VPNS) A virtual private network (VPN) allows remote users to securely access a corpora tion's local area network via the Internet, using a variety of VPN protocols. VPNs use both authentication and encryption to secure information from unauthorized persons virtual private network (VPN) allows remote users to (providing confidentiality and integrity). Authentication prevents spoofing and mis securely acCcess internal representation of identities. A remote user can connect to a remote private local networks via the Internet, network using a local ISP. The VPN protocols willestablish the link from the client to using the Point-to-Point the corporate network as if the user had dialed into the corporate network directly. The process of connecting one protocol through another (1P) is called tunneling, because the VPN creates a private connection by adding an invisible wrapper around Tunneling Protocol (PPTP) a message to hide its content. As the message travels through the Internet between the ISP and the corporate network, it is shielded from prying eyes by an wrapper. encrypted A VPN is "virtual" in the sense that it appears tO users as a dedicated secure line when in fact it is a temporary secure line. The primary use of VPNs is to establish secure communications among business partners-larger suppliers or customers, and employees working remotely. A dedicated connection to a business partner can be very expensive. Using the Internet and VPN as the connection method significantly reduces the cost of secure communications. Wireless (Wi-Fi) Networks Accessing the Internet via a wireless (Wi-Fi) network has its own particular security issues. Early Wi-Fi networks used a security standard called Wired (WEP) to encrypt information. WEP was very weak, and easy for Equivalent Privacy hackers to crack, A new standard, Wi-Fi Protected Access (WPA), was that developed provided a higher standard of protection, but this too soon became to vulnerable intrusion. Today, the current standard is WPA2, which uses the AES algorithm for encryption and CCMP, a more advanced authentication code protocol. WPA2 wireless security standard that uses the AES algo rithm for encryption and CCMP, a more advanced authentication code protocol 297 298 CHAPTER 5 E-COm merce Sec urity and P ay ment Sys tems PROTECTING NETWORKS Once you have protected communications as wellas possible, the next set of tools to consider are those that can protect your networks, as well as the servers and clients on those networks. Firewalls Firewalls and proxy servers are intended to build a wallaround your network and the attached servers and clients, just like physical-world firewalls protect you from fires for a limited period of time. Firewalls and proxy servers share some similar functions, but they are quite different. firewall refers to either hardware or software that filters communication packets and prevents some packets from entering the network based on a security policy Afirewall refers to either hardware or software that flters communication packets and prevents some packets from entering or exiting the network based on a security policy. The firewall controls traffic to and from servers and clients, forbidding com munications from untrustworthy sources, and allowing other communicationsfrom trusted sources to proceed. Every message that is to be sent or received from the network is processed by the firewall, which determines if the message meets security guidelines established by the business. If it does, it is permitted to be distributed, and ifit doesn't, the message is blocked. Firewalls can filter traffic based on packet attri butes such as source IP address, destination port or IP address, type of service (such as WwW or HTTP), the domain name of the source,and many other dimensions. Most hardware firewalls that protect local area networks connected to the Internet have default settings that require little if any administrator interventiom and employ simple but effective rules that deny incoming packets from a connection that does not origi nate from an internal requestthe firewall only allows connections from servers that you requested service from. Acommon default setting on hardware firewalls (DSL and cable modem routers) simply ignores efforts to communicate with TCP port 445, the most commonly attacked port. The increasing use of firewalls by home and busi ness Internet users has greatly reduced the effectiveness of attacks, and forced hackers to focus more on e-mail attachments to distribute worms andviruses, There are two major methods firewalls use to validate traffic: packet filters and application gateways. Packet filters examine data packets to determine whether they are destined for a prohibited port or originate from a prohibited IP address (as specified by the security administrator). The filter specifically looks at the source and destina tion information, as well as the port and packet type, when determining whether the information may be transmitted. One downside of the packet filtering method is that it is susceptible to spoofing, because authentication is not one of its roles. Ayplication gateways are a type of firewall that filters communications based on the application being requested, rather than the source or destination of the message. Such firewalls also process requests at the application level, farther away from the client computer than packet filters. By providing a central filtering point, application gateways provide greater security than packet filters but can compromise system performance. Next-generation firewalls use an application-centric approach to firewall control. They are able to identify applications regardless of the port, protocol, or evasion tools used; identify users regardless of device or IP address; decrypt security outbound SSL;and protect in real-time against threats embedded in applications. Techn ology Solutions| 299 FIGURE 5.11 FIREWALLS AND PROXY SERVERS FIREWALL Intathet Remote Sorver Clients Fircwall Web Server Remote Client PROXY SERVER Internal Proxy Extesnal nternet Remote Server Network Server Network Clients Remote Clicnt The primary function of a firewall is to deny access by remote client computers to local computers. The primary purpose of a proxy server is to provide controlled access from local computers to remote computers. Proxy Servers Proxy servers (proxies) are software servers (often a dedicated computer) that handle allcommunications originating from or being sent to the Internet by local clients, acting as a spokesperson or bodyguard for the organization. Proxies act primarily to limit of internal clients to external Internet servers, although some proxy servers act asaccess fire walls as well. Proxy servers are sometimes called dual-home systems because they have two network interfaces. To internal computers, a proxy server is known as the gateway, while to external computers it is known as a mail server or numeric address. When a user on an internal network requests a web page, the request is routed first to the proxy server. The proxy server validates the user and the nature of the request, and then sends the request onto the Internet. A web page sent by an exter nal Internet server first passes to the proxy If acceptable, the web page passes server. onto the internal network web server and then to the client desktop. By users from communicating directly with the prohibiting Internet, companies can restrict access to certain types of sites, such as pornographic, auction, or stock-trading sites. Proxy servers also improve web performance by storing frequently web requested pages locally,reducing upload times, and hiding the internal network's address, thus making to hackers monitor. Figure 5.11 illustrates how firewalls and proxy servers protect a local area network from Internet intruders and prevent internal clients from reaching prohibited web servers. it more difficult for proxy server (proxy) software server that handles all communica tions originating from or being sent to the Internet, acting as a spokesperson or bodyguard for the organization 300 CHAPTER 5 intrusion detection system (IDS) E-COm merCe SeCurity and Payment Syste ms Intrusion Detection and Prevention Systems In addition to afirewall and proxy server, an intrusion detection and/or prevention system can be installed. An intrusion detection system (IDS) examines network examines network traffic, traffic, watching to see if it matches certain paterns or preconfigured rules indicative of an attack. Ifit detects suspicious activity, the IDS will set off an alarm alerting adminis watching to see if it matches certain patterns or trators and log the event ina database. An IDS is useful for detecting malicious activity preconfigured rules indica tive of an attack intrusion prevention system (IPS) has all the functionality of an IDS, with the additional ability to take steps to prevent and block suspi cious activities that a firewall might miss. An intrusion prevention system (IPS) has all the function ality of an IDS, with the additional ability to take steps to prevent and block suspicious activities. For instance, an IPS can terminate a session and reset a connection, block traffic from a suspicious IP address, or reconfigure firewall or router security controls. PROTECTING SERVERS AND CLIENTS Operating system features and anti-virus software can help further protect servers and clients from certain types of attacks. Operating System Security Enhancements The most obvious way to protect servers and clients is to take advantage of automatic computer security upgrades. The Microsoft, Apple, and Linux/Unix operating systems are continuously updated to patch vulnerabilities discovered by hackers. These patches are autonomic; that is, when using these operating systems on the Internet, you are prompted and informed that operating system enhancements are available. Users can easily download these security patches for free. The most common known worms and viruses can be prevented by simply keeping your server and client operating systems and applications up to date. In April 2014, Microsoft ended security support and updates for its Windows XP operating system. Despite this, many organizations continue to use XP based systems, andas a result, many security experts anticipate a wave of strikes against such systems. Application vulnerabilities are fixed in the same manner. For instance, most popular Internet browsers are updated automatically with little user intervention. Anti-Virus Software The easiest and least-expensive way to prevent threats to system integrity is to install anti-virus software. Programs by Malwarebytes, MCAfee, Symantec (Norton AntiVi rus), and many others provide inexpensive tools to identify and eradicate the most common types of malicious code as they enter a computer, as well as destroy those already lurking on a hard drive. Anti-virus programs can be set up so that e-mail attach ments are inspected before you click on them, and the attachments are eliminated if they contain a known virus or worm. It is not enough, however, to simply install the software once. Because new viruses are developed and released every day, daily routine updates are needed in order to prevent new threats from being loaded. Some premium-level anti-virus software is updated hourly. Anti-virus suite packages and stand-alone programs are available to eliminate intruders such as bot programs, adware, and other security risks. Such much like anti-virus software in that they look for recognized hacker programs work tools or signature actions of known intruders. Man a ge ment Po licies, Bu s iness FIGURE 5.12 Proc e dure s, a n d Pub|ic DEVELOPING AN E-COMMERCE SECURITY PLAN 1. Perfbr) risk dssessnent 5.. Pertam a Secutily Rutt Organitaiinn sucuritypolicy inplennttto There are five steps involved in building an e-commerce security plan. 5.4 MANAGEMENT POLICIES, BUSINESS PROCEDURES, AND PUBLIC LAWS Worldwide, in 2016, companies are expected to spend over $81 billion on security hard ware, software, and services, up 8% from the previous year (Gartner, 2016). However, most CEOs and CIOs believe that technology is not the sole answer to managing the risk of e-commerce. The technology provides a foundation, but in the absence of intel ligent management policies, even the best technology can be casily defeated. Public laws and active enforcemnent of cybercrime statutes also are required to both raise the costs of illegal behavior on the Internet and guard against corporate abuse of informa tion. Let's consider briefly the development of management policy. ASECURITY PLAN: MANAGEMENT POLICIES In order to minimize security threats, e-commerce firms must develop acoherent corporate policy that takes into account the nature of the risks, the information assets that need protecting,and the procedures and technologies required to address the risk, illustrates the key steps in developing a solid security plan. as well as implementation and auditing mechanisms. Figure 5.12 L a ws 301 302 CHAP TER 5 risk assessment an assessment of the risks and points of vulnerability E-COmmerce Securlty and Pa y ment Syste ms A security plan begins with risk assessment-an assessment of the risks and points of vulnerability. The first step is to inventory the information andknowledge assets of the e-commerce site and company. What information is at risk? Is it customer information, proprictary designs, business activities, secrct processes, or other inter nal information, such as price schedules, executive compensation, or payroll? For each type of information asset, try to estimate the dollar value to the firm if this informa tion were compromised, and then multiply that amount by the probability of the loss occurring. Once you have done so, rank order the results. You now have a list of infor mation assets prioritized by their value security policy aset of statements priori tizing the information risks, identifying aceptable risk targets, and identifying the mechanisms for achieving these targets the firm. Based on your quantified list of risks, you can start to develop a security policy aset of statements prioritizing the information risks, identifying acceptable risk targets, and identifying the mechanisms for achieving these targets. You will obviously want to start with the information assets that you determined to be the highest prior ity in your risk assessment. Who generates and controls this information in the firm? What existing security policies are in place toprotect the information? What enhance ments can you recommend to improve security of these most valuable assets? What level of risk are you willing to accept for each of these assets? Are you willing, for instance, to lose customer credit card data once every 10 years? Or will you pursue a 100-year hurricane strategy by building a security edifice for credit card data that can withstand the once-in-100-year disaster? You will need to estimate how much will cost to achieve this level of acceptable risk. Remember, total and complete security implementation plan the action steps you will take to achieve the security plan goals security organization educates and trains users, keeps management aware of security threats and breakdowns, and maintains the tools chosen to imple ment security access controls determine who can gain legitimate access to a network authentication procedures include the use of digital signatures, certificates of authority, and public key infrastructure may require extraordinary financial resources. By answering these questions, you will have the beginnings of a security policy. Next, consider an implementation plan-the steps you will take to achieve the security plan goals. Specifically, you must determine how you will translate the levels of acceptable risk into a set of tools, technologies, policies, and procedures. What new technologies will you deploy to achieve the goals, and what new employee procedures willbe needed? To implement your plan, you will need an organizational unit in charge of secu rity, and a security officer-someone who is in charge of security on a daily basis. For a small e-commerce site, the security officer will likely be the person in charge of Internet services or the site manager, whereas for larger firms, there typically is a dedicated team with a supporting budget. The security organization educates and trains users, keeps management aware of security threats and breakdowns, and main tains the tools chosen to implement security. The security organization typically administers access controls, authentication procedures, and authorization policies. Access controls deternmine which outsiders and insiders carn gain legitimate access to your networks. Outsider access controls include firewalls and proxy servers, while insider access controls typically consist of login procedures (usernames, passwords, and access codes). Authentication procedures include the use of digital certificates of authority, and PKI. Now that e-signatures have been given signatures, the same legal weight as an original pen-and-ink version, companies are in the process of devising ways to test and confirm a signer's identity. Companies frequently have signers type their full