Uploaded by Dr. Anisur Rehman

Online Security & E-Payment Systems: EMEA E-Business

E-Business, EMEA 1e (Europe, Middle East, Africa First Edition)
Chapter 12: Online Security and E-Payment Systems
Learning Objectives
In this chapter, you will learn:
• What security risks arise in online business and how to manage them
• How to create a security policy and implement it on Web client computers
• How to implement security in the communication channels between
computers and on web server computers
• What organizations promote computer, network, and Internet security
• The basic functions of online payment systems and how payment cards are used in electronic commerce
• About the history and future of electronic cash
• How digital wallets work
• Stored-value cards and how they are used in electronic commerce
• How the banking industry uses Internet technologies
E-Business, Europe, Middle East, Africa First Edition
Online Security Issues
Overview
• Early Internet days
– Most popular use: electronic mail
• Today’s higher stakes
– Electronic mail, shopping, all types of financial
transactions
• Common worry of Web shoppers
– Stolen credit card as it transmits over the Internet
– More likely to be stolen from computer where stored
• Chapter topic: security in the context of electronic
commerce
Origins of Security on Interconnected
Computer Systems
• Data security measures taken by Roman Empire
– Coded information to prevent enemies from reading
secret war and defense plans
• Modern electronic security techniques
– Defense Department wartime use
• “Orange Book”: rules for mandatory access control
• Business computers
– Initially adopted military’s security methods
• Today’s computing
– Requires comprehensive computer security plans
Computer Security and Risk Management
• Computer security
– Asset protection from unauthorized access, use, alteration, and destruction
• Physical security
– Includes tangible protection devices like alarms, guards, fireproof doors, security fences, safes or vaults, and bombproof buildings
• Logical security
– Asset protection using nonphysical means
• Threat
– Any act or object posing danger to computer assets
• Countermeasure
– Procedure (physical or logical)
• Recognizes, reduces, and eliminates threat
– Extent and expense of countermeasures
• Vary depending on asset importance
Computer Security and Risk
Management (cont’d.)
• Risk management model
– Four general organizational actions
• Impact (cost) and probability of physical threat
– Also applicable for protecting Internet and electronic commerce assets
from physical and electronic threats
• Electronic threat examples:
– Impostors, eavesdroppers, thieves
• Eavesdropper (person or device)
– Listen in on and copy Internet transmissions
© Cengage Learning 2013
Risk management model
Computer Security and Risk
Management (cont’d.)
• Crackers or hackers (people)
– Write programs; manipulate technologies
• Obtain unauthorized access to computers and networks
• White hat hacker and black hat hacker
– Distinction between good hackers and bad hackers
• Good security scheme implementation
– Identify risks
– Determine how to protect threatened assets
– Calculate costs to protect assets
Elements of Computer Security
• Secrecy
– Protecting against unauthorized data disclosure
– Ensuring data source authenticity
• Integrity
– Preventing unauthorized data modification
– Man-in-the-middle exploit
• E-mail message intercepted; contents changed before
forwarded to original destination
• Necessity
– Preventing data delays or denials (removal)
– Delaying message or completely destroying it
Establishing a Security Policy
• Security policy
– Assets to protect and why, protection responsibility, acceptable
and unacceptable behaviors
– Physical security, network security, access authorizations, virus
protection, disaster recovery
• Military policy:
Stresses separation of multiple levels of security
• Corporate information classifications
– Public
– Company confidential
Establishing a Security Policy (cont’d.)
• Steps to create security policy
– Determine assets to protect from threats
– Determine access to various system parts
– Identify resources to protect assets
– Develop written security policy
– Commit resources
• Comprehensive security plan goals
– Protect privacy, integrity, availability; authentication
– Selected to satisfy requirements of following diagram
Requirements for secure electronic commerce
Establishing a Security Policy (cont’d.)
• Security policies information sources
– WindowSecurity.com site
– Information Security Policy World site
• Absolute security: difficult to achieve
– Create barriers deterring intentional violators
– Reduce impact of natural disasters and terrorist acts
• Integrated security
– Having all security measures work together
• Prevents unauthorized disclosure, destruction, modification of assets
• Security policy points
– Authentication: Who is trying to access site?
– Access control: Who is allowed to log on to and access site?
– Secrecy: Who is permitted to view selected information?
– Data integrity: Who is allowed to change data?
– Audit: Who or what causes specific events to occur, and when?
Security for Client Computers
• Client computers
– Must be protected from threats
• Threats
– Originate in software and downloaded data
– Malevolent server site masquerades as legitimate
Web site
• Chapter topics organized to follow the
transaction-processing flow
– Beginning with consumer
– Ending with Web server at electronic commerce site
Cookies and Web Bugs
• Internet connection between Web clients and servers
– Stateless connection
• Each information transmission is independent
• No continuous connection (open session) maintained between any client and server
• Cookies
– Small text files Web servers place on Web client
– Identify returning visitors
– Allow continuing open session
• Time duration cookie categories
– Session cookies: exist until client connection ends
– Persistent cookies: remain indefinitely
– Electronic commerce sites use both
• Cookie sources
– First-party cookies
• Web server site places them on client computer
– Third-party cookies
• Different Web site places them on client computer
Cookies and Web Bugs (cont’d.)
• Disable cookies entirely
– Complete cookie protection
– Problem
• Useful cookies blocked (along with others)
• Full site resources not available
• Web browser cookie management functions
– Refuse only third-party cookies
– Review each cookie before accepted
– Provided by most Web browsers
Mozilla Firefox dialog box for managing stored cookies
Cookies and Web Bugs (cont’d.)
• Web bug
– Tiny graphic that third-party Web site places on
another site’s Web page
– Purpose
• Provide a way for a third-party site to place cookie on
visitor’s computer
• Internet advertising community:
– Calls Web bugs “clear GIFs” or “1-by-1 GIFs”
• Graphics created in GIF format
• Color value of “transparent,” small as 1 pixel by 1 pixel
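The cookie categories and the Web bug described on these slides, as an added example that is not part of the textbook: it sorts Set-Cookie headers into session/persistent and first-/third-party, applies the browser's "refuse only third-party cookies" setting, and flags 1-by-1 images served by another site. The sample page, hosts and headers are constructed, and "same site" is approximated by the last two DNS labels (a real browser uses the Public Suffix List).

```python
"""Added example (not from the textbook): classify Set-Cookie headers the way a
browser's cookie-management dialog does (session vs. persistent, first- vs.
third-party), apply the "refuse only third-party cookies" setting, and flag
candidate Web bugs (1-by-1 images loaded from a third-party host) in a page.
Assumption: "same site" is approximated by the last two DNS labels; a real
browser consults the Public Suffix List instead."""
from html.parser import HTMLParser
from urllib.parse import urlparse


def site_of(url: str) -> str:
    """Approximate registrable domain of a URL's host (last two labels; assumption)."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return ".".join(host.split(".")[-2:])


def is_third_party(page_url: str, resource_url: str) -> bool:
    return site_of(page_url) != site_of(resource_url)


def classify_cookie(page_url: str, response_url: str, set_cookie: str) -> dict:
    """Name, duration category and source of one Set-Cookie header."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    # No Expires or Max-Age attribute: the cookie lives only until the session ends.
    duration = "persistent" if attrs & {"expires", "max-age"} else "session"
    source = "third-party" if is_third_party(page_url, response_url) else "first-party"
    return {"name": name, "duration": duration, "source": source}


def cookie_policy(page_url: str, responses: list, block_third_party: bool = True):
    """Browser setting 'refuse only third-party cookies'.
    responses: list of (url that sent the response, Set-Cookie header value)."""
    accepted, refused = [], []
    for url, header in responses:
        info = classify_cookie(page_url, url, header)
        refuse = block_third_party and info["source"] == "third-party"
        (refused if refuse else accepted).append(info)
    return accepted, refused


class WebBugFinder(HTMLParser):
    """Collect <img> tags that are 1 pixel by 1 pixel and served by another site."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url, self.bugs = page_url, []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        tiny = a.get("width", "").strip() == "1" and a.get("height", "").strip() == "1"
        if tiny and a.get("src") and is_third_party(self.page_url, a["src"]):
            self.bugs.append(a["src"])


def find_web_bugs(page_url: str, html: str) -> list:
    finder = WebBugFinder(page_url)
    finder.feed(html)
    return finder.bugs


# Constructed sample data (example.com and tracker-example.net are placeholders).
PAGE = "https://shop.example.com/cart"
RESPONSES = [
    ("https://shop.example.com/cart", "cartid=abc123; Path=/; Secure; HttpOnly"),
    ("https://www.example.com/", "prefs=eu; Max-Age=31536000; Path=/"),
    ("https://ads.tracker-example.net/pixel.gif",
     "uid=777; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Path=/"),
]
HTML = ('<html><body><p>Thank you for your order.</p>'
        '<img src="https://ads.tracker-example.net/pixel.gif" width="1" height="1">'
        '<img src="https://shop.example.com/logo.png" width="120" height="40">'
        '</body></html>')

if __name__ == "__main__":
    accepted, refused = cookie_policy(PAGE, RESPONSES)
    print("accepted:", accepted)
    print("refused:", refused)
    print("web bugs:", find_web_bugs(PAGE, HTML))
```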
Active Content
• Active content
– Programs embedded transparently in Web pages
– Cause action to occur
– E-commerce example
• Place items into shopping cart; compute tax and costs
• Advantages
– Extends HTML functionality
– Moves data processing chores to client computer
• Disadvantages
– Can damage client computer
Active Content (cont’d.)
• Cookies, Java applets, JavaScript, VBScript,
ActiveX controls, graphics, Web browser plug-ins,
e-mail attachments
• Scripting languages: provide executable script
– Examples: JavaScript and VBScript
• Applet: small application program
– Typically runs within Web browser
• Some browsers include tools limiting applets’ actions
• Active content modules
– Embedded in Web pages (invisible)
Advanced JavaScript settings in Mozilla Firefox
Active Content (cont’d.)
• Crackers: embed malicious active content
• Trojan horse
– Program hidden inside another program or Web
page
• Masking true purpose
– May result in secrecy and integrity violations
• Zombie (Trojan horse)
– Secretly takes over another computer
– Launches attacks on other computers
• Botnet (robotic network, zombie farm)
– All controlled computers act as an attacking unit
Java Applets
• Java programming language
– Developed by Sun Microsystems
– Widespread use in Web pages: active content
• Java: platform-independent programming language
– Provides Web page active content
– Server sends applets with client-requested pages
– Most cases: operation visible to visitor
– Possibility: functions not noticed by visitor
• Advantages
– Adds functionality to business applications; relieves server-side programs
• Disadvantage
– Possible security violations (Trojan horse, zombie)
Java Applets (cont’d.)
• Java sandbox
– Confines Java applet actions to set of rules defined
by security model
– Rules apply to all untrusted Java applets
• Not established as secure
– Java applets running within sandbox constraint
• Does not allow full client system access
• Prevents secrecy (disclosure) and integrity (deletion or
modification) violations
JavaScript
• JavaScript
– Scripting language developed by Netscape
– Enables Web page designers to build active content
– Based loosely on Sun’s Java programming language
– Can be used for attacks
• Cannot commence execution on its own
• User must start ill-intentioned JavaScript program
ActiveX Controls
• ActiveX control
– Objects containing programs and properties Web
designers place on Web pages
• Component construction
– Many different programming languages
• Common: C++ and Visual Basic
• Run on Windows operating systems computers
• Executed on client computer like any other program
ActiveX Controls (cont’d.)
• Comprehensive ActiveX controls list
– ActiveX page at Download.com
• Security danger
– Execute like other client computer programs
– Have access to full system resources
• Cause secrecy, integrity, and necessity violations
– Actions cannot be halted once started
• Web browsers
– Provide notice of Active-X download or install
ActiveX control download warning dialog box in Internet Explorer
Graphics and Plug-Ins
• Graphics, browser plug-ins, and e-mail attachments
can harbor executable content
• Graphic: embedded code can harm client computer
• Browser plug-ins (programs)
– Enhance browser capabilities
– Popular plug-ins: Adobe Flash Player, Apple’s
QuickTime Player, Microsoft Silverlight,
RealNetworks’ RealPlayer
– Can pose security threats
• 1999 RealPlayer plug-in
• Plug-ins executing commands buried within media
Viruses, Worms, and Antivirus Software
• Programs display e-mail attachments by
automatically executing associated programs
– Macro viruses within attached files can cause damage
• Virus: software
– Attaches itself to another program
– Causes damage when host program activated
• Worm: virus
– Replicates itself on computers it infects
– Spreads quickly through the Internet
• Macro virus
– Small program (macro) embedded in file
Viruses, Worms, and Antivirus
Software (cont’d.)
• ILOVEYOU virus (“love bug”)
– Spread with amazing speed
– Infected computers and clogged e-mail systems
– Replicated itself explosively through Outlook e-mail
– Caused other harm
• 2001 Code Red and Nimda: virus-worm
combinations
– Multivector virus: entered computer system in
several different ways (vectors)
• 2002 and 2003: new virus-worm combinations
– Example: Bugbear
Viruses, Worms, and Antivirus
Software (cont’d.)
• Antivirus software
– Detects viruses and worms
– Either deletes or isolates them on client computer
• 2005 and 2006 Zotob
– New breed of Trojan horse-worm combination
• 2007: Storm virus
• 2008 and continuing into 2009: Conficker
• 2009 and 2010: URLzone and Clampi
– New viruses designed specifically to hijack users’
online banking sessions
Viruses, Worms, and Antivirus
Software (cont’d.)
• 2010: new Trojan horse-worm combination attack
– Spread through a computer operating system
– Designed to target industrial equipment
• German industrial giant Siemens’ control systems
• 2011: Zeus and SpyEye combined
– Targeted bank account information
– Not visible in Microsoft Windows Task Manager
– Intercept credit card or online banking data entered
in Web browser
Major viruses, worms, and Trojan horses
Viruses, Worms, and Antivirus
Software (cont’d.)
• Companies that track viruses, sell antivirus
software, provide virus descriptions on Web sites
– Symantec (Symantec Security Response)
– McAfee (McAfee Virus Information)
• Data files must be updated regularly
– Recognize and eliminate newest viruses
• Some Web e-mail systems:
– Provide and update antivirus software
• Used to scan attachments before downloading
– Example: Yahoo! Mail
Digital Certificates
• Digital certificate (digital ID)
– E-mail message attachment or program embedded
in Web page
– Verifies sender or Web site
– Contains a means to send encrypted message
– Signed message or code
• Provides proof of holder identified by the certificate
– Used for online transactions
• Electronic commerce, electronic mail, and electronic
funds transfers
Delmar Cengage Learning’s digital certificate information displayed in
Firefox browser
Digital Certificates (cont’d.)
• Digital certificate for software:
– Assurance software was created by specific
company
– Does not attest to quality of software
• Certification authority (CA)
– Issues digital certificates to organizations, individuals
• Digital certificates cannot be forged easily
• Six main elements: owner’s identifying information,
owner’s public key, dates certificate is valid, serial
number, issuer name, issuer digital signature
Digital Certificates (cont’d.)
• Key
– Number (usually long binary number)
– Used with encryption algorithm
– “Locks” message characters being protected
• Identification requirements vary from driver’s license, notarized form, fingerprints…
• Companies offering CA services
– Thawte, VeriSign, Comodo, DigiCert, Entrust, GeoTrust, RapidSSL.com
• Secure Sockets Layer-Extended Validation (SSL-EV) digital certificate
– Issued after more extensive verification confirmed:
– Annual fees: €200 to more than €1500
• Digital certificates expire after period of time
– Provides protection (users and businesses); must submit credentials for reevaluation periodically
Internet Explorer address window display for an SSL-EV Web site
Steganography
• Steganography
– Hiding information within another piece of information
• Can be used for malicious purposes
• Hiding encrypted file within another file
– Casual observer cannot detect anything of importance
in container file
– Two-step process
• Encrypting file protects it from being read
• Steganography makes it invisible
• Al Qaeda used steganography to hide attack orders
Physical Security for Clients
• Client computers
– Control important business functions
– Same physical security as early systems
• New physical security technologies
– Fingerprint readers (less than €100)
• Stronger protection than password approaches
• Biometric security device
– Identification using element of person’s biological
makeup
• Writing pads, eye scanners, palm reading scanners,
reading back of hand vein pattern
Client Security for Mobile Devices
• Security measures
– Access password
– Remote wipe: clears all personal data
• Can be added as an app
• Capability through corporate e-mail synchronization
– Antivirus software
• Rogue apps: contain malware or collect information
and forward to perpetrators
– Apple App Store tests apps before authorizing sales
– Android Market does less extensive testing
– Users should not rush to install latest app
Communication Channel Security
• Internet
– Not designed to be secure
– Designed to provide redundancy
• Remains unchanged from original insecure state
– Message traveling on the Internet
• Subject to secrecy, integrity, and necessity threats
• Secrecy Threats
– Prevention of unauthorized information disclosure
– Technical issue
• Requiring sophisticated physical and logical mechanisms
• Privacy
– Protection of individual rights to nondisclosure
– Legal matter
Secrecy Threats (cont’d.)
• E-mail message
– Encryption protects outgoing messages against secrecy violations
– Privacy issues address whether supervisors are permitted to read employees’ messages randomly
• Electronic commerce threat
– Sensitive or personal information theft
– Sniffer programs record information passing through computer or router
• Electronic commerce threat (cont’d.)
– Backdoor: electronic holes
• Left open accidentally or intentionally
• Content exposed to secrecy threats
• Example: Cart32 shopping cart program backdoor
– Stolen corporate information (Eavesdropper example)
• Web users continually reveal information
– Secrecy breach
– Possible solution: anonymous Web surfing
Integrity Threats
• Also known as active wiretapping
– Unauthorized party alters message information
stream
• Integrity violation example
– Cybervandalism
• Electronic defacing of Web site
• Masquerading (spoofing)
– Pretending to be someone else
– Fake Web site representing itself as original
Integrity Threats (cont’d.)
• Domain name servers (DNSs)
– Internet computers maintaining directories
• Linking domain names to IP addresses
– Perpetrators use software security hole
• Substitute their Web site address in place of real one
• Spoofs Web site visitors
• Phishing expeditions
– Capture confidential customer information
– Common victims
• Online banking, payment system users
Necessity Threats
• Also known as delay, denial, denial-of-service
(DoS) attack
– Disrupt or deny normal computer processing
– Intolerably slow-speed computer processing
• Renders service unusable or unattractive
• Distributed denial-of-service (DDoS) attack
– Launch simultaneous attack on a Web site via
botnets
• DoS attacks
– Remove information altogether
– Delete transmission or file information
Necessity Threats (cont’d.)
• Denial attack examples:
– Quicken accounting program diverted money to
perpetrator’s bank account
– High-profile electronic commerce company received
flood of data packets
• Overwhelmed sites’ servers
• Choked off legitimate customers’ access
Threats to the Physical Security of
Internet Communications Channels
• Internet’s packet-based network design:
– Precludes it from being shut down
• By attack on single communications link
• Individual user’s Internet service can be interrupted
– Destruction of user’s Internet link
• Larger companies, organizations
– Use more than one link to main Internet backbone
Threats to Wireless Networks
• Wireless Encryption Protocol (WEP)
– Rule set for encrypting transmissions from the
wireless devices to the wireless access points (WAPs)
• Wardrivers
– Attackers drive around in cars
– Search for accessible networks
• Warchalking
– Place chalk mark on building
• Identifies easily entered wireless network nearby
– Web sites include wireless access locations maps
Threats to Wireless Networks (cont’d.)
• Preventing attacks by wardrivers
– Turn on WEP
– Change default login and password settings
• Example
– Best Buy wireless point-of-sale (POS)
• Failed to enable WEP
• Customer launched sniffer program
• Intercepted data from POS terminals
Encryption Solutions
• Encryption: coding information using
mathematically based program, secret key
• Cryptography: science studying encryption
– Science of creating messages only sender and
receiver can read
• Steganography
– Makes text undetectable to naked eye
• Cryptography converts text to other visible text
– With no apparent meaning
Encryption Solutions (cont’d.)
• Encryption algorithms
– Encryption program
• Transforms normal text (plain text) into cipher text
(unintelligible characters string)
– Encryption algorithm
• Logic behind encryption program
• Includes mathematics to do transformation
– Decryption program
• Encryption-reversing procedure: message is decoded
or decrypted
Encryption Solutions (cont’d.)
• Encryption algorithms (cont’d.)
– National Security Agency controls dissemination
– U.S. government banned publication of details
• Illegal for U.S. companies to export
– Encryption algorithm property
• May know algorithm details
• Unable to decipher encrypted message without
knowing key encrypting the message
– Key type subdivides encryption into three functions
• Hash coding, asymmetric encryption, symmetric
encryption
Encryption Solutions (cont’d.)
• Hash coding
– Process uses Hash algorithm
– Calculates number (hash value) from any length
message
– Unique message fingerprint
– Good hash algorithm design
• Probability of collision is extremely small (two
different messages resulting in same hash value)
– Determining message alteration during transit
• Mismatch between original hash value and receiver
computed value
Encryption Solutions (cont’d.)
• Asymmetric encryption (public-key encryption)
– Encodes messages using two mathematically related numeric keys
– Public key: one key freely distributed to public
• Encrypt messages using encryption algorithm
– Private key: second key belongs to key owner
• Kept secret; decrypts all messages received
• Pretty Good Privacy (PGP)
– Software tools using different encryption algorithms
• Perform public key encryption
– Individuals download free versions
• PGP Corporation site, PGP International site
• Encrypt e-mail messages
– Sells business site licenses
Encryption Solutions (cont’d.)
• Symmetric encryption (private-key encryption)
– Encodes message with one of several available algorithms
• Single numeric key to encode and decode data
– Message receiver must know the key
– Very fast and efficient encoding and decoding
– Key must be guarded
– Problems: difficult to distribute new keys to authorized parties while maintaining security and control over keys; private keys do not work well in large environments
Encryption Solutions (cont’d.)
• Data Encryption Standard (DES)
– Encryption algorithms adopted by U.S. government
– Most widely used private-key encryption system
– Fast computers break messages encoded with smaller keys
Encryption Solutions (cont’d.)
– Triple Data Encryption Standard (Triple DES,
3DES)
• Stronger version of Data Encryption Standard
– Advanced Encryption Standard (AES)
• Alternative encryption standard
• Most government agencies use today
– Longer bit lengths increase difficulty of cracking keys
Encryption Solutions (cont’d.)
• Comparing asymmetric and symmetric encryption systems
– Advantages of public-key (asymmetric) systems
• Small combination of keys required
• No problem in key distribution
• Implementation of digital signatures possible
– Disadvantages of public-key systems
• Significantly slower than private-key systems
– Public-key systems complement rather than replace private-key systems
Comparison of
(a) hash coding, (b) private-key,
and (c) public-key encryption
Encryption Solutions (cont’d.)
• Web servers accommodate encryption algorithms
– Must communicate with variety of Web browsers
• Secure Sockets Layer (SSL)
– Goal: secures connections between two computers
• Secure Hypertext Transfer Protocol (S-HTTP)
– Goal: send individual messages securely
• Secure Sockets Layer (SSL) protocol
– Provides security “handshake”
– Client and server exchange brief burst of messages
– All communication encoded; eavesdropper receives unintelligible information
– Secures many different communication types (HTTP, FTP, Telnet)
– HTTPS: protocol implementing SSL
• Precede URL with protocol name HTTPS
Encryption Solutions (cont’d.)
– Encrypted transaction generates private session key
• Bit lengths vary (40-bit, 56-bit, 128-bit, 168-bit)
– Session key
• Used by encryption algorithm
• Creates cipher text from plain text during single secure session
– Secrecy implemented using public-key and private-key encryption
• Private-key encryption for nearly all communications
Establishing an SSL session
Encryption Solutions (cont’d.)
• After secure session established:
– Public-key encryption no longer used
– Message transmission protected by private-key encryption
– Session key (private key) discarded when session ends
• Each new connection between client and secure server requires entire process, beginning with handshake
• Secure HTTP (S-HTTP)
– Extension to HTTP providing security features
• Client and server authentication, spontaneous encryption, request/response nonrepudiation
– Symmetric encryption for secret communications
– Public-key encryption to establish client/server authentication
– Session negotiation: process between client and server of proposing and accepting (or rejecting) various transmission conditions
Encryption Solutions (cont’d.)
• Establishing secure session
– SSL carries out client-server handshake exchange to set up secure communication
– S-HTTP sets up security details with special packet headers exchanged in S-HTTP
• Headers define security technique type
• Header exchanges state:
– Which specific algorithms each side supports
– Whether client or server (or both) supports algorithm
– Whether security technique is required, optional, or refused
• Secure envelope (complete package)
– Encapsulates message
– Provides secrecy, integrity, and client/server authentication
• SSL has become the more generally accepted standard over S-HTTP
Using a Hash Function to Create a
Message Digest
• Integrity violation
– Message altered while in transit
• Difficult and expensive to prevent
• Security techniques to detect
• Harm: unauthorized message changes undetected
• Apply two algorithms to eliminate fraud and abuse
– Hash algorithm
– Message digest
• Number summarizing encrypted information
Converting a Message Digest into a
Digital Signature
• Hash functions: potential for fraud
– Solution: sender encrypts message digest using private key
• Digital signature
– Encrypted message digest (message hash value)
• Digital signature provides:
– Integrity, nonrepudiation, and authentication
• Provide transaction secrecy
– Encrypt entire string (digital signature, message)
• Digital signatures: same legal status as traditional
signatures
Sending and receiving a digitally signed message
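The flow in the figure above, and the hash-coding and digital-signature slides before it, as an added example that is not part of the textbook: the sender hashes the message, "encrypts" the digest with the private key, and the receiver recovers the digest with the public key and compares it with a freshly computed one, so an altered message or a wrong key is detected. The key pair (n=3233, e=17, d=2753) is the constructed classroom textbook-RSA pair and is far too small for real use; because n is smaller than the digest, each digest byte is signed separately.

```python
"""Added example (not from the textbook): sending and receiving a digitally
signed message with SHA-256 as the hash algorithm and textbook RSA on a tiny
constructed key pair. Signing each digest byte separately keeps the modular
arithmetic exact (every byte is < n) while showing the same steps as the
figure: digest -> sign with private key -> transmit -> verify with public key."""
import hashlib

# Constructed key pair: p=61, q=53, n=p*q=3233, phi=3120, e=17, d=e^-1 mod phi=2753.
PUBLIC_KEY = (3233, 17)
PRIVATE_KEY = (3233, 2753)
DIGEST_LEN = 32   # SHA-256 produces a 32-byte message digest


def message_digest(message: bytes) -> bytes:
    """Hash coding: a fixed-length fingerprint of a message of any length."""
    return hashlib.sha256(message).digest()


def sign(message: bytes, private_key) -> list:
    """Digital signature = message digest 'encrypted' with the sender's private key."""
    n, d = private_key
    return [pow(b, d, n) for b in message_digest(message)]


def verify(message: bytes, signature: list, public_key) -> bool:
    """Receiver side: recover the digest with the public key and compare it with
    a digest computed from the message that actually arrived."""
    n, e = public_key
    if len(signature) != DIGEST_LEN:
        return False
    recovered = [pow(s, e, n) for s in signature]
    # A value above 255 cannot be a digest byte: forged or corrupted signature.
    if any(v > 255 for v in recovered):
        return False
    return bytes(recovered) == message_digest(message)


def send_and_receive(message: bytes, tamper=None) -> bool:
    """Simulate transit; `tamper` optionally alters the message in flight.
    Returns True when the receiver accepts the message as authentic and intact."""
    signature = sign(message, PRIVATE_KEY)          # sender
    received = tamper(message) if tamper else message  # channel
    return verify(received, signature, PUBLIC_KEY)  # receiver


if __name__ == "__main__":
    order = b"Transfer 100 EUR to account 1234"    # constructed sample message
    print("intact:", send_and_receive(order))
    print("altered in transit:",
          send_and_receive(order, tamper=lambda m: m.replace(b"100", b"900")))
```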
Security for Server Computers
• Server vulnerabilities
– Exploited by anyone determined to cause
destruction or acquire information illegally
• Entry points
– Web server and its software
– Any back-end programs containing data
• No system is completely safe
• Web server administrator
– Ensures security policies documented; considered in
every electronic commerce operation
Web Server Threats
• Compromise of secrecy
– By allowing automatic directory listings
– Solution: turn off folder name display feature
• Sensitive file on Web server
– Holds Web server username-password pairs
– Solution: store authentication information in
encrypted form
Web Server Threats (cont’d.)
• Passwords that users select
– Easily guessable
• Dictionary attack programs cycle through electronic
dictionary, trying every word as password
– Solutions
• User password requirements
• Use password assignment software to check user
password against dictionary
• Help creating very strong passwords:
– Gibson Research Corporation’s Ultra High Security
Password Generator
Examples of passwords, from very weak to very strong
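The two Web server defences from the slides above (checking user-chosen passwords against a dictionary and requirements, and storing the username-password file in protected rather than plain form), as an added example that is not part of the textbook. The word list, thresholds and sample accounts are constructed; the stored form is a per-user salted PBKDF2-SHA256 hash, which is one common way to meet the slide's "encrypted form" requirement.

```python
"""Added example (not from the textbook): reject guessable passwords before
they are accepted, and store only a salted, slow hash in the server's
username-password file. DICTIONARY, MIN_LENGTH and ITERATIONS are constructed
illustration values."""
import hashlib
import hmac
import os
import re

# Constructed stand-in for an electronic dictionary (a real list has many thousands of words).
DICTIONARY = {"password", "welcome", "letmein", "dragon", "football", "qwerty"}
MIN_LENGTH = 12
ITERATIONS = 200_000   # PBKDF2 work factor (assumption; raise as hardware permits)


def password_problems(password: str, username: str = "") -> list:
    """Return the policy rules the candidate password violates (empty list = acceptable)."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Dictionary-attack check: the word itself, or the word padded with digits/symbols.
    core = re.sub(r"[^a-z]", "", lowered)
    if lowered in DICTIONARY or core in DICTIONARY:
        problems.append("based on a dictionary word")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    classes = [re.search(p, password) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z\d]")]
    if sum(1 for c in classes if c) < 3:
        problems.append("uses fewer than three character classes")
    return problems


def hash_password(password: str, salt: bytes = None) -> str:
    """Storable record 'algorithm$iterations$salt$hash' (hex); the salt is per user."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute from the stored salt and iteration count; compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def register(username: str, password: str, store: dict) -> list:
    """Create the account only when the policy passes; returns the problems found."""
    problems = password_problems(password, username)
    if not problems:
        store[username] = hash_password(password)
    return problems


if __name__ == "__main__":
    accounts = {}
    print(register("alice", "Password123!", accounts))          # rejected
    print(register("alice", "Correct-Horse-Battery-9!", accounts))  # accepted
    print(accounts["alice"])                                     # no plain password stored
    print(verify_password("Correct-Horse-Battery-9!", accounts["alice"]))
```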
Database Threats
• Usernames and passwords
– Stored in unencrypted table
– Database fails to enforce security altogether
• Relies on Web server to enforce security
• Unauthorized users
– Masquerade as legitimate database users
• Trojan horse programs hide within database
system
– Reveal information
– Remove all access controls within database
Other Programming Threats
• Java or C++ programs executed by server
– Passed to Web servers by client
– Reside on server
– Use a buffer
• Memory area set aside holding data read from file or
database
– Buffer overrun (buffer overflow) error
• Programs filling buffers malfunction and overfill buffer
• Excess data spilled outside designated buffer memory
• Cause: error in program or intentional
• 1988 Internet worm
Other Programming Threats (cont’d.)
• Insidious version of buffer overflow attack
– Writes instructions into critical memory locations
– Web server resumes execution by loading internal
registers with address of attacking program’s code
• Reducing potential buffer overflow damage
– Good programming practices
– Some hardware functionality
• Mail bomb attack
– Hundreds (thousands) send message to particular
address
Threats to the Physical Security of
Web Servers
• Protecting Web servers
– Put computers in commerce service provider (CSP)
facility
• Very high-level physical security on CSP
– Maintain server content’s backup copies at remote
location
– Rely on service providers
• Offer managed services including Web server security
– Hire smaller, specialized security service providers
Access Control and Authentication
• Controlling who and what has access to Web server
• Authentication
– Identity verification of entity requesting computer access
• Server user authentication
– Server must successfully decrypt user’s digital signature contained in certificate
– Server checks certificate timestamp
– Server uses callback system
• Certificates authenticate client computers and their users
Access Control and Authentication
(cont’d.)
• Usernames and passwords
– Provide some protection element
• Maintain usernames in plain text
– Encrypt passwords with one-way encryption algorithm
• Problem
– Site visitor may save username and password as a cookie
• Might be stored in plain text
• Access control list (ACL)
– Restrict file access to selected users
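The password handling described on the "Web Server Threats" and "Access Control and Authentication" slides, added here as an example that is not from the textbook: usernames are kept in plain text, passwords are stored only as salted one-way hashes (PBKDF2-HMAC-SHA256), and a new password is checked against a dictionary before it is accepted. The wordlist, usernames and passwords are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for the electronic dictionary a cracking tool cycles through.
DICTIONARY = {"password", "letmein", "qwerty", "welcome", "football", "123456"}
ITERATIONS = 600_000  # PBKDF2 work factor: makes offline guessing expensive


def is_weak(password: str) -> bool:
    """True if the password is short or is a dictionary word, allowing for the
    usual tweaks (capitals, trailing digits, letter-for-digit substitutions)."""
    base = password.lower().rstrip("0123456789")
    swaps = str.maketrans("0134@$", "oleaas")  # 0->o, 1->l, 3->e, 4->a, @->a, $->s
    return len(password) < 8 or base in DICTIONARY or base.translate(swaps) in DICTIONARY


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """One-way transform: 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.
    A fresh random salt per user defeats precomputed dictionary tables."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time;
    the plaintext password is never recovered from the stored record."""
    _, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def register(users: dict, username: str, password: str) -> bool:
    """Add the user only if the password passes the dictionary check.
    The username is kept in plain text; only the hash of the password is stored."""
    if is_weak(password):
        return False
    users[username] = hash_password(password)
    return True
```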
Firewalls
• Firewall
– Software, hardware-software combination
– Installed in a network to control packet traffic
• Placed at Internet entry point of network
– Defense between network and the Internet
• Between network and any other network
• Principles
– All traffic must pass through it
– Only authorized traffic allowed to pass
– Immune to penetration
Firewalls (cont’d.)
• Trusted: networks inside firewall
• Untrusted: networks outside firewall
• Filter permits selected messages through network
• Separate corporate networks from one another
– Coarse need-to-know filter
• Firewalls segment corporate network into secure
zones
• Large organizations with multiple sites
– Install firewall at each location
• All locations follow same security policy
Firewalls (cont’d.)
• Should be stripped of unnecessary software
• Packet-filter firewalls
– Examine all data flowing back and forth between
trusted network (within firewall) and the Internet
• Gateway servers
– Filter traffic based on requested application
– Limit access to specific applications
• Telnet, FTP, HTTP
• Proxy server firewalls
– Communicate with the Internet on private network’s
behalf
Firewalls (cont’d.)
• Perimeter expansion problem
– Computers outside traditional physical site boundary
• Servers under almost constant attack
– Install intrusion detection systems
• Monitor server login attempts
• Analyze for patterns indicating cracker attack
• Block further attempts originating from same IP
address
• Cloud computing: firewall products lagging behind
• Personal firewalls
– Software-only firewalls on individual client computers
– Gibson Research Shields Up! Web site
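The intrusion detection behaviour the slide describes (monitor server login attempts, look for a pattern indicating an attack, block further attempts from the same IP address), added here as an example that is not from the textbook. The log lines, the threshold and the window are constructed; the rule strings use iptables syntax only to illustrate what "block" would mean.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample login records in a sshd-like layout (not real server output).
SAMPLE_LOG = """\
2013-05-01T09:00:01 Failed password for admin from 203.0.113.7
2013-05-01T09:00:03 Failed password for root from 203.0.113.7
2013-05-01T09:00:04 Accepted password for alice from 198.51.100.2
2013-05-01T09:00:05 Failed password for guest from 203.0.113.7
2013-05-01T09:00:06 Failed password for test from 203.0.113.7
2013-05-01T09:00:08 Failed password for oracle from 203.0.113.7
2013-05-01T09:07:00 Failed password for bob from 198.51.100.2
2013-05-01T09:09:00 Failed password for bob from 198.51.100.2
2013-05-01T09:12:00 Accepted password for bob from 198.51.100.2
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)$"
)
THRESHOLD = 5                   # this many failures ...
WINDOW = timedelta(minutes=2)   # ... inside this sliding window means "attack"


def parse(line):
    """Split one log line into (timestamp, result, user, ip); None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]


def find_attackers(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: (first_failure_in_window, distinct_usernames_tried)} for every
    source that reaches `threshold` failures within `window`. A success does not
    reset the count: a login that follows a burst of failures is itself suspicious."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    users = defaultdict(set)      # ip -> usernames attempted (user enumeration pattern)
    blocked = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, result, user, ip = rec
        if result != "Failed" or ip in blocked:
            continue
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while q and ts - q[0] > window:   # age out failures older than the window
            q.popleft()
        if len(q) >= threshold:
            blocked[ip] = (q[0], len(users[ip]))
    return blocked


def firewall_rules(blocked):
    """Render block decisions as iptables-style rule strings (illustrative only)."""
    return [f"-A INPUT -s {ip} -j DROP" for ip in sorted(blocked)]
```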
Organizations that Promote Computer
Security
• Following the Internet Worm of 1988
– Organizations formed to share information
• About threats to computer systems
• Principle followed
– Sharing information about attacks and defenses for
attacks
• Helps everyone create better computer security
CERT
• Computer Emergency Response Team
• Housed at Carnegie Mellon University
– Software Engineering Institute
• Maintains effective, quick communications
infrastructure among security experts
– Security incidents avoided, handled quickly
• Provides security risk information
• Posts security event alerts
• Primary authoritative source for viruses, worms,
and other types of attack information
Other Organizations
• 1989: System Administrator, Audit, Network and Security (SANS)
Institute
– Education & research efforts: research reports, security alerts & white papers
– SANS Internet Storm Center Web site - current information on location,
intensity of computer attacks worldwide
• CERIAS (Center for Education & Research in Information
Assurance & Security) - Multidisciplinary information security research and
education
• Center for Internet Security
– Not-for-profit cooperative organization
– Helps electronic commerce companies
• CSO Online
– Articles from CSO Magazine
– Computer security-related news items
• Infosecurity.com
– Articles about all types of online security issues
Computer Forensics and Ethical Hacking
• Computer forensics experts (ethical hackers)
– Computer sleuths hired to probe PCs
– Locate information usable in legal proceedings
– Job of breaking into client computers
• Computer forensics field
– Responsible for collection, preservation, and
computer-related evidence analysis
• Companies hire ethical hackers to test computer
security safeguards
Summary of Online Security
• Physical and logical computer security important in electronic commerce
• Security policy can identify risks and countermeasures to reduce risks
• Key security provisions - Secrecy, integrity, available service
• Client threats and solutions - Virus threats, active content threats,
cookies
• Communication channels’ threats and solutions
– Encryption provides secrecy
• Web Server threats and solutions
– Threats from programs, backdoors
• Security organizations
– Share information about threats, defenses
• Computer forensics
– “Break into” computers searching for legal use data
– Assist in identifying security weaknesses
E-Payment Systems
Online Payment Basics
• Online payments
– Important electronic commerce site function
– Several online payment options available
• Vary in size and processing method
• Micropayments
– Internet payments for items costing few cents to a euro
• Micropayments barriers
– Not yet implemented very well on the Web
– Human psychology
• People prefer to buy small value items in fixed price chunks
• Example: mobile phone fixed monthly payment plans
Micropayments and Small Payments
(cont’d.)
• Companies which have developed micropayment systems:
– Millicent, DigiCash, Yaga, BitPass – all failed
– No company gained broad acceptance of its system
– No company devoted solely to offering micropayment services
• Small payments
– All payments of less than €10
– Being offered through mobile telephone carrier
• Buyers make purchases using their mobile phones
• Charges appear on monthly mobile phone bill
• Bright future held back by mobile carriers’ substantial charges
Online Payment Methods
• Four ways to purchase items (traditional and electronic)
– Cash
– Cheques
– Credit cards
– Debit cards
• Electronic transfer: small but growing segment
– Popular example: automated payments
• Credit and debit cards
– Worldwide: 85% of online payments
– Remainder of payments primarily PayPal
Forms of payment for U.S. online transactions, estimates for 2015
Source: Adapted from forecasts by Javelin Strategy & Research and Internet Retailer.
Online Payment Methods (cont’d.)
• Online payment systems
– Still evolving, competition for dominance
– Cheaper than mailing paper cheques
– Convenient for customers & save companies money
• Costs per bill
– Billing by mail: between €1.00 and €1.50
– Internet billing and payment costs: 50 cents
• Significant environmental impact
Online Payment Methods (cont’d.)
• Online business payment requirements
– Safe, convenient, and widely accepted
• Determine which choices best for company and customers
• Each payment technology:
– Unique properties, costs, advantages, and disadvantages
Payment Cards
• Payment card
– Describes all types of plastic cards used to make purchases
– Categories: credit cards, debit cards, charge cards, prepaid
cards, and gift cards
• Credit card (Visa, MasterCard)
– Spending limit based on user’s credit history
– Pay off entire credit card balance
• May pay minimum amount
– Card issuers charge unpaid balance interest
– Widely accepted
– Consumer protection: 30-day dispute period
Payment Cards (cont’d.)
• Credit Cards (cont.)
– Card not present transactions
• Cardholder not present during transaction
• Extra degree of risk for merchant and bank
• Debit card (electronic funds transfer at point of
sale (EFTPOS) cards)
– Removes sales amount from cardholder’s bank account
– Transfers sales amount to seller’s bank account
– Issued by cardholder’s bank
• Carries major credit card issuer name
Payment Cards (cont’d.)
• Charge card (e.g., American Express)
– No spending limit
– Entire amount due at end of billing period
– No line of credit or interest charges
– Examples: department store, oil company cards
• Retailers may offer their own charge cards
– Store charge cards or store-branded cards
Payment Cards (cont’d.)
• Prepaid cards
– Cards that can be redeemed by anyone for future purchase
– Gift cards: prepaid cards sold to be given as gift
• Single-use cards
– Cards with disposable numbers
• Addresses concern of giving online vendors payment card
numbers, valid for one transaction only
• Designed to prevent unscrupulous vendor fraud
– Withdrawn from market due to lack of consumer use
Advantages and Disadvantages of
Payment Cards
• Greatest advantages
– Worldwide acceptance & simplicity of usage
• Currency conversion handled by card issuer
• Entities involved in payment card processes: Merchant, merchant’s bank,
customer, customer’s bank, and payment card issuer (company)
– Fraud protection for merchants & build in security
• Can authenticate and authorize purchases using a payment card processing
network
• Interchange network: set of connections between credit card issuing banks,
associations owning credit cards, and merchants’ banks
• Disadvantage for merchants
– Per-transaction fees for merchants & monthly processing fees, viewed as cost of
doing business.
– Goods and services prices: slightly higher, compared to environment free of
payment cards
• Disadvantage for consumers
– Annual fee
Payment Acceptance and Processing
• Internet payment card process made easier due to standards
• Online stores, mail order stores often must ship merchandise
within e.g. 30 days of charging payment
• Significant violation penalties
• Charge account when shipped
• Processing payment card transaction online
– Payment acceptance
• Establish card validity
• Verify card’s limit not exceeded by transaction
– Clearing the transaction
• All steps to move funds from card holder’s bank account into
merchant’s bank account
Payment Acceptance and Processing
(cont’d.)
• Open and closed loop systems
– Closed loop systems
• Card issuer pays merchant directly
• Does not use intermediary
• American Express, Discover Card
– Open loop systems (three or more parties)
• Additional payment processing intermediaries
• Visa, MasterCard: not issued directly to consumers
• Credit card associations: operated by association member
banks
• Customer issuing banks (issuing banks): banks issuing cards
Closed loop payment card system
Open loop payment card system
Payment Acceptance and Processing
(cont’d.)
• Merchant accounts
– Acquiring bank:
• Does business with Internet and non-Internet sellers
• Wants to accept payment cards
– Merchant account required by online merchant to
process Internet transactions payment cards
– Obtaining account
• Merchant provides business information
• Bank assesses business type risk
• Bank assesses percentage of sales likely to be
contested
Payment Acceptance and Processing
(cont’d.)
– Chargeback process
• Cardholder successfully contests charge
• Merchant bank must retrieve money from merchant
account
• Merchant may have to keep funds on deposit
– Additional fees
• Acquirer fees: charges for providing payment card
processing service
• Interchange fees: set by the card association,
charged to acquiring bank, passed along to merchant
Payment Acceptance and Processing
Problems facing online businesses: Fraud
• Under 15 percent of all credit card transactions completed online
• Responsible for 64 percent of total euro amount of credit card fraud
• Online transaction fraud increased steadily through 2008
• Slight decline since 2008
Merchants’ use of antifraud measures
• Scoring services providing risk ratings for individual transactions in
real time
• Shipping only to card billing address
• Requiring card verification numbers (CVNs) for card not present
transactions
CVN
• Three- or four-digit number printed on the credit card
• Not encoded in the card’s magnetic strip
Payment Acceptance and Processing
Processing payment card transactions
– Most online merchants have internal systems:
• Handling closed loop and open loop system cards
– Some accept direct deductions from customer’s
checking account
• Automated Clearing House (ACH): network of banks
involved in direct deduction transactions
– Business size considerations
• Large: entire department to build/maintain systems
• Mid-size: purchased software with skilled staff to
manage system
• Small: rely on service provider
Payment Acceptance and Processing
Payment processing service providers (payment
processors)
• Companies offering payment card processing
Front-end processor (payment gateway):
• Obtains transaction authorization
• Stores approval or denial record
Back-end processor: takes front-end processor
transactions and coordinates information flows
• Handles chargebacks, other reconciliation items
through the interchange network and acquiring and
issuing banks, including ACH transfers
Payment Acceptance and Processing
Payment processors:
• IPPay, Authorize.Net, Global Payments, and FirstData
Specialized payment processing services:
• Digital River’s shareit!
Third party payment processor may be evident or
transparent to customer
• Well-recognized name provides customers with sense
of security
Electronic Cash
• Electronic cash (e-cash, digital cash)
– Describes any value storage and exchange system
created by private (nongovernmental) entity
• Does not use paper documents or coins
• Can serve as substitute for government-issued
physical currency
• Potential market
– Purchases below €10
– Majority of world’s population who do not have credit
cards
Privacy and Security of Electronic Cash
• Electronic payment method concerns
– Privacy and security, independence, portability,
convenience
– Privacy and security: most important to consumers
• Vulnerable transactions
• Electronic currency: copied, reused, forged
• Important characteristics of electronic cash
– Ability to spend only once
– Anonymous use
• Anonymous electronic cash: can’t be traced to person
who spent it
– Convenience
Holding Electronic Cash:
Online and Offline Cash
• Online cash storage
– Consumer has no personal possession of electronic
cash
• Trusted third party (online bank) involved in all
transfers, holds consumers’ cash accounts
• Online system payment
– Merchants contact consumer’s bank
• Helps prevent fraud (confirm valid cash)
• Resembles process of checking with consumer’s bank
to ensure valid credit card and matching name
Holding Electronic Cash: Online and
Offline Cash (cont’d.)
• Offline cash storage
– Virtual equivalent of money kept in wallet
– Customer holds it
• No third party involved in transaction
– Protection against fraud concern
• Hardware or software safeguards needed
– Double-spending
• Spending electronic cash twice
• Submit same electronic currency to two different
vendors
• Not enough time to prevent fraudulent act
Holding Electronic Cash: Online and
Offline Cash (cont’d.)
• Main deterrent to double-spending
– Threat of detection and prosecution
• System must provide tamperproof electronic cash
traceable back to origins
– Two-part lock
• Provides anonymous security
• Signals an attempt to double-spend cash that is
traceable
• Electronic cash used correctly:
– Preserves user’s anonymity
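A minimal model of the online cash storage arrangement described above, added here as an example that is not from the textbook: the consumer's bank is contacted on every transfer, confirms the coin is genuine, and keeps a register of spent serials so that a second deposit of the same coin is detected. The bank's signature on a coin is stood in for by an HMAC under a key only the bank holds; account names, values and keys are constructed.

```python
import hashlib
import hmac
import secrets


class Bank:
    """Issues coins and keeps the spent-serial register that catches double-spending."""

    def __init__(self):
        self._key = secrets.token_bytes(32)   # bank's signing secret (constructed)
        self._spent = {}                       # serial -> merchant that deposited it
        self.balances = {}

    def _tag(self, serial: str, value: int) -> str:
        # Stand-in for the bank's digital signature over (serial, value).
        return hmac.new(self._key, f"{serial}:{value}".encode(), hashlib.sha256).hexdigest()

    def withdraw(self, account: str, value: int) -> dict:
        """Debit the account and hand back a fresh coin: serial, value and bank tag."""
        if self.balances.get(account, 0) < value:
            raise ValueError("insufficient funds")
        self.balances[account] -= value
        serial = secrets.token_hex(16)
        return {"serial": serial, "value": value, "tag": self._tag(serial, value)}

    def deposit(self, merchant: str, coin: dict) -> str:
        """The online check made at the moment of payment.
        Returns 'accepted', 'forged' (tag does not verify) or 'double-spend'."""
        expected = self._tag(coin["serial"], coin["value"])
        if not hmac.compare_digest(expected, coin["tag"]):
            return "forged"
        if coin["serial"] in self._spent:
            return "double-spend"   # already deposited by self._spent[coin["serial"]]
        self._spent[coin["serial"]] = merchant
        self.balances[merchant] = self.balances.get(merchant, 0) + coin["value"]
        return "accepted"


def demo():
    """Spend one coin at two shops, then try a coin whose serial was altered."""
    bank = Bank()
    bank.balances["consumer"] = 20
    coin = bank.withdraw("consumer", 5)
    first = bank.deposit("shop-a", coin)                 # accepted
    second = bank.deposit("shop-b", coin)                # double-spend: same serial
    altered = dict(coin, serial=secrets.token_hex(16))   # old tag, new serial
    third = bank.deposit("shop-c", altered)              # forged: tag no longer matches
    return first, second, third, bank.balances
```

Because the bank sees the serial at withdrawal and again at deposit, this model is not anonymous; a real scheme blinds the serial so the two events cannot be linked, and the offline two-part lock is not modelled here.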
Detecting double spending of electronic cash
Advantages and Disadvantages
of Electronic Cash
• Traditional brick-and-mortar billing methods
– Costly and inefficient
• Online stores have the same payment collection
inefficiencies
• Most online customers use credit cards to pay for
purchases
• Electronic cash system
– Less popular than other payment methods
– Provides unique advantages and disadvantages
Advantages and Disadvantages of
Electronic Cash (cont’d.)
• Advantages of electronic cash transactions
– More efficient (less costly)
• Efficiency fosters more business (lower prices)
– Occurs on existing infrastructure (Internet)
– Does not require one party to obtain authorization:
• As required with credit card transactions
• Disadvantages of electronic cash transactions
– No audit trail
– Money laundering
• Technique criminals use to convert money illegally obtained into
spendable cash
• Purchase goods, services with ill-gotten electronic cash
• Goods sold for physical cash on open market
Advantages and Disadvantages of
Electronic Cash (cont’d.)
• Electronic cash
– More successful in Europe and Asia
• Consumers prefer to use cash (does not work well for
online transactions)
• Electronic cash fills important need
– Not successful in United States
• Consumers have credit cards, debit cards, charge cards,
checking accounts
• KDD Communications (KCOM)
– Internet subsidiary of Japan’s largest phone company
– Offers electronic cash through NetCoin Center
Advantages and Disadvantages of
Electronic Cash (cont’d.)
• Reasons for failure of United States electronic cash
systems
– Electronic cash systems implementation
• Requires software installed into consumers’ Web browsers
– Number of competing technologies
• No standards developed
• Array of proprietary electronic cash alternatives that are not
interoperable
• Interoperable software:
– Runs transparently on variety of hardware configurations and
different software systems
Digital Wallets
• Consumer concerns when shopping online
– Entering detailed shipping and payment information for each
online purchase & filling out forms
– Solution: allows customer to store name, address, credit card
information on the site
– Problem: Consumers must enter information at each site
• Digital wallet (electronic wallet or e-wallet)
– Holds credit card numbers, electronic cash, owner identification,
owner contact information
– Provides information at electronic commerce site checkout
counter
– Benefit: consumer enters information once
• More efficient shopping
Digital Wallets (cont’d.)
– Digital wallet technology elements
• System: infrastructure for identification
• Application: software for user interaction
• Device: applicable if a specific device is used
• Server-side digital wallet
– Stores customer’s information on remote server of merchant or
wallet publisher & no download time or installation on user’s
computer
– Main weakness: Security breach can reveal thousands of users’
personal information to unauthorized parties
• Client-side digital wallet
– Stores information on consumer’s computer
– Disadvantages: not portable, must download wallet software onto every
computer
– Advantage: sensitive information stored on user’s computer
Software-Only Digital Wallets (cont’d.)
• Server-side digital wallet examples:
– Microsoft Windows Live ID
• Single sign-in (SSI) service
• Completes order forms automatically
• Personal data encrypted and password protected
• Integrated services: SSI, Wallet service, Kids service,
public profiles
– Yahoo! Wallet
• Software-based digital wallet
• Automatically fills online forms
• Accepted by large number of merchants
Hardware-Based Digital Wallets
• Implemented using smart phones
– Store owner’s identity credentials (driver’s license, medical
insurance card, store loyalty cards, etc.)
– Transmit portions of identity information using:
• Bluetooth or wireless transmission to nearby terminal
• Near field communication (NFC) technology: contactless
wireless transmission of data over short distances
• Status:
– Popular in Japan: mobile phones with NFC chips
• Osaifu-Keitai (“mobile wallet”)
– U.S. examples:
• Google Wallet (uses PayPass technology)
• V.me (Visa digital wallet)
• PayPal digital wallet (release anticipated)
Stored-Value Cards
• Microchip smart card or magnetic strip plastic card
• Examples: credit cards, debit cards, charge cards,
driver’s license, health insurance card, and employee or
student identification card
Magnetic Strip Cards
• Holds rechargeable value
• Passive magnetic strip cards cannot:
– Send or receive information
– Increment or decrement cash value stored
• Processing done on device into which card inserted
Smart Cards
• Smart card (stored-value card):
– Plastic card with embedded microchip
• Credit, debit, charge cards store limited information
on magnetic strip
• Information storage
– About 100 times more than magnetic strip plastic
card
• Holds private user data
– Financial facts, encryption keys, account
information, credit card numbers, health insurance
information, medical records
Smart Cards (cont’d.)
• Safer than conventional credit cards
– Information encrypted on smart card
• Popular in Europe, parts of Asia
– Public telephone calls, cable television programs
– Hong Kong
• Retail counters, restaurant cash registers have smart
card readers
• Octopus: public transportation smart card can be
reloaded at transportation locations, 7-Eleven stores
Smart Cards (cont’d.)
• Beginning to appear in United States
– San Francisco TransLink integrated ticketing system
for public transportation
• Smart Card Alliance
– Advances smart card benefits
– Promotes widespread acceptance of
multiple-application smart card technology
– Promotes compatibility among smart cards, card
reader devices, applications
Internet Technologies and the Banking
Industry
• Paper cheques
– Largest dollar volume of payments
– Processed through world’s banking system
• Other major payment forms
– Involve banks one way or another
• Banking industry Internet technologies
– Providing new tools
– Creating new threats
Cheque Processing
• Old method of physical cheque processing
– Person wrote cheque; retailer deposited cheque in bank account
– Retailer’s bank sent paper cheque to clearinghouse
• Clearinghouse managed fund transfer (consumer’s bank
to retailer’s account)
– Paper cheque transported to consumer’s bank
– Cancelled cheque sent to consumer
• Banks now provide PDF images of processed cheque
Cheque Processing (cont’d.)
• Disadvantage of paper cheques
– Cost of transporting tons of paper
– Float
• Delay between the time person writes cheque and the time
cheque clears person’s bank
• Bank’s customer obtains free use of funds for few days
• Bank loses use of funds for same time period
• Can become significantly longer than a few days
Cheque Processing (cont’d.)
• Technologies helping banks reduce float
• Banks to eliminate movement of physical cheques
entirely
• Check 21-compliant world
– Retailer scans customer's cheque
– Scanned image transmitted instantly
• Through clearing system
– Posts almost immediately to both accounts
• Eliminates transaction float
Mobile Banking
• Banks exploring mobile commerce potential
• 2009: banks launched sites allowing customers
using smart phones to:
– Obtain bank balance, view account statement, and
find a nearby ATM
• Future plans
– Offering smart phone apps
• Use to transact all types of banking business
• Credit card reader attachment available for some
smart phones yielding a portable payment
processing terminal
Criminal Activity and Payment
Systems: Phishing and Identity Theft
• Online payment systems
– Offer criminals and criminal enterprises an attractive
arena in which to operate
• Average consumers: easy prey
• Large amounts of money provide tempting targets
– Phishing expedition
• Technique for committing fraud against online
businesses customers
• Particular concern to financial institutions
Phishing Attacks
• Basic structure
– Attacker sends e-mail message:
• To e-mail addresses whose owners may hold an account at the targeted Web site
– E-mail message tells recipient: account compromised
• Recipient must log on to account to correct problem
– E-mail message includes link
• Appears to be Web site login page
• Actually leads to perpetrator’s Web site disguised to look like the
targeted Web site
– Recipient enters login name, password
• Perpetrator captures
• Uses to access recipient’s account
• Perpetrator accesses personal information, makes purchases,
withdraws funds
Phishing e-mail message
Phishing e-mail message (cont’d.)
Phishing Attacks (cont’d.)
• Spear phishing
– Carefully designed phishing expedition targeting a
particular person or organization
– Requires considerable research
– Increases chance of e-mail being opened
– Example: 2008 government stimulus checks
• Phishing e-mails appeared within one week of
passage
Phishing Attacks (cont’d.)
• E-mail link disguises and tricks
– Example: Web server ignores all characters preceding “@”:
– https://www.paypal.com@218.36.41.188/fl/login.html
• Link appears different in e-mail
• Phony site invisible due to JavaScript code
– Pop-up windows
• Look exactly like browser address bar
– Including Web site graphics of financial institutions
• Looks more convincing
• Web sites to learn more about phishing techniques:
– Conferences on Email and Anti-Spam
– Anti-Phishing Working Group (APWG)
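A check for the link disguise shown on this slide, added here as an example that is not from the textbook: in a URL, everything before "@" in the authority part is user-info rather than the host, so the link above really points at the IP address. The helper parses a link the way a browser does and reports the warning signs a mail filter or user-awareness tool would flag; the heuristics and the look-alike sample are constructed.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit


def analyse_link(url: str, expected_host: str) -> dict:
    """Report where a link really goes and which phishing indicators it carries.
    `expected_host` is the registrable domain the message claims to come from."""
    parts = urlsplit(url)
    real_host = (parts.hostname or "").lower()   # the part a browser connects to
    warnings = []

    # 1. User-info that looks like a domain ('www.paypal.com@...') is a decoy host.
    if parts.username is not None and "." in parts.username:
        warnings.append(f"decoy host in user-info: {parts.username}")

    # 2. A bare IP address where an institution's hostname is expected.
    try:
        ip_address(real_host)
        warnings.append("host is a raw IP address")
    except ValueError:
        pass

    # 3. The real host is neither the expected domain nor one of its subdomains.
    if not (real_host == expected_host or real_host.endswith("." + expected_host)):
        warnings.append(f"host {real_host!r} is not {expected_host}")

    # 4. The brand name appears in the URL but not in the host actually contacted.
    if expected_host in url.lower() and expected_host not in real_host:
        warnings.append("brand name appears only in the decoy part of the URL")

    return {"real_host": real_host, "suspicious": bool(warnings), "warnings": warnings}
```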
Phishing e-mail with graphics
Phishing e-mail with graphics (cont’d.)
Using Phishing Attacks for Identity
Theft
• Organized crime (racketeering)
– Unlawful activities conducted by highly organized,
disciplined association for profit
– Differentiated from less-organized groups
– Internet providing new criminal activity opportunities
• Generates spam, phishing, identity theft
• Identity theft
– Criminal act: perpetrator gathers victim’s personal
information
– Uses information to obtain credit
– Perpetrator runs up account charges and disappears
Types of personal information most useful to identity thieves
Using Phishing Attacks for Identity
Theft (cont’d.)
• Large criminal organizations
– Efficient perpetrators of identity theft
• Exploit large amounts of personal information quickly
and efficiently
– Sell or trade information that is not of immediate use
• Other worldwide organized crime entities
– Zombie farm
• Large number of computers implanted with zombie
programs
– Pharming attack
• Use of a zombie farm, often by an organized crime
association, to launch a massive phishing attack
Using Phishing Attacks for Identity
Theft (cont’d.)
• Two elements in phishing
– Collectors: collect information
– Cashers: use information
– Require different skills
• Crime organizations facilitate transactions between
collectors and cashers
– Increases phishing activity efficiency and volume
• Each year:
– More than a million people fall victim
– Financial losses exceed €500 million
Phishing Attack Countermeasures
• Change protocol
– Improve e-mail recipients’ ability to identify message
source
• Reduce phishing attack threat
• Educate Web site users
• Contract with consulting firms specializing in
anti-phishing work
• Monitor online chat rooms used by criminals
Summary of Online Payment Basics
• Online stores: payment forms
– Credit, debit, charge cards (payment cards)
• Ubiquitous, convenient, and easy to use
– Electronic cash: portable and anonymous online payment form
• Useful for micropayments
– Digital wallets provide convenience
– Stored-value cards
• Smart cards, magnetic strip cards
• Banks process most monetary transactions
– Use Internet technologies to process cheques
• Concerns: phishing expeditions, identity theft