E-Commerce Chapter 5


Chapter 5

E-commerce Security and Payment System

Course name: E-commerce
Chapter 5: E-commerce Security and Payment Systems

Instructor: Nguyen The Dai Nghia


Email: nghiantd@uel.edu.vn
Phone/Zalo: 0936385487

The Rise of the Global Cyberattack


• Class Discussion
• Have you or anyone you know been the subject of a cybercrime? If so, what happened?
• Do you think an agreement among countries akin to the Geneva Convention will be an effective deterrent for cybercrime? Why or why not?
• What steps have you taken to protect yourself online?

Copyright © 2020 Pearson Education Ltd. All Rights Reserved

The E-commerce Security Environment


• Scope of the problem
• Overall size of and losses due to cybercrime unclear
• McAfee/Center for Strategic and International Studies study: Global economic impact of cybercrime and cyberespionage between $455 billion and $600 billion
• Reports by security product providers indicate increasing cybercrime
• Online credit card fraud one of the most high-profile forms
• Underground economy marketplaces sell stolen information, malware and more


What is Good E-commerce Security?


• To achieve highest degree of security
• New technologies
• Organizational policies and procedures
• Industry standards and government laws
• Other factors
• Time value of money
• Cost of security versus potential loss

• Security often breaks at weakest link


Figure 5.1 The E-commerce Security Environment

Table 5.3 Customer and Merchant Perspectives on the Different Dimensions of E-commerce Security

Integrity
Customer’s perspective: Has information I transmitted or received been altered?
Merchant’s perspective: Has data on the site been altered without authorization? Is data being received from customers valid?

Nonrepudiation
Customer’s perspective: Can a party to an action with me later deny taking the action?
Merchant’s perspective: Can a customer deny ordering products?

Authenticity
Customer’s perspective: Who am I dealing with? How can I be assured that the person or entity is who they claim to be?
Merchant’s perspective: What is the real identity of the customer?

Confidentiality
Customer’s perspective: Can someone other than the intended recipient read my messages?
Merchant’s perspective: Are messages or confidential data accessible to anyone other than those authorized to view them?

Privacy
Customer’s perspective: Can I control the use of information about myself transmitted to an e-commerce merchant?
Merchant’s perspective: What use, if any, can be made of personal data collected as part of an e-commerce transaction? Is the personal information of customers being used in an unauthorized manner?

Availability
Customer’s perspective: Can I get access to the site?
Merchant’s perspective: Is the site operational?


The Tension between Security and Other Values


• Ease of use
• The more security measures added, the more difficult a site is to use, and the slower it becomes
• Public safety and criminal uses of the Internet
• Use of technology by criminals to plan crimes or threaten nation-states


Security Threats in the E-commerce Environment


• Three key points of vulnerability in e-commerce environment:
• Client
• Server
• Communications pipeline (Internet communications channels)


Figure 5.2 A Typical E-commerce Transaction


Figure 5.3 Vulnerable Points in an E-commerce Transaction


Malicious Code
• Exploits and exploit kits
• Malvertising
• Drive-by downloads
• Viruses
• Worms
• Ransomware
• Trojan horses
• Backdoors
• Bots, botnets


Potentially Unwanted Programs


• Browser parasites
• Monitor and change user’s browser
• Adware
• Used to call pop-up ads
• Spyware
• Tracks users’ keystrokes, e-mails, IMs, etc.


Phishing
• Any deceptive, online attempt by a third party to obtain confidential information for financial gain
• Tactics
• Social engineering
• E-mail scams and Business Email Compromise (BEC) phishing
• Spear phishing
• Used for identity fraud and theft


Example of “Nigerian letter” scam


Hacking, Cybervandalism, and Hacktivism


• Hacking
• Hackers versus crackers
• White hats, black hats, grey hats
• Tiger teams
• Goals: cybervandalism, data breaches
• Cybervandalism:
• Disrupting, defacing, destroying Web site
• Hacktivism


Data Breaches
• Organization loses control over corporate information to outsiders
• Over 1,575 breaches in 2017, 45% increase over 2016
• Yahoo and Equifax two of the most notorious; Facebook breach in 2018 exposed personal information of 30 million
• Leading causes
• Hacking
• Unauthorized access
• Employee error/negligence

Insight on Society: Equifax: Really Big Data Hacked
• Class Discussion
• What organizational and technological failures led to the data breach at Equifax?
• What technical solutions are available to combat data breaches?
• Have you or anyone you know experienced a data breach?


Credit Card Fraud/Theft


• Stolen credit card incidences about 0.9% on the Web and about 0.8% of mobile transactions
• Hacking and looting of corporate servers is primary cause
• Central security issue: establishing customer identity
• E-signatures
• Multi-factor authentication
• Fingerprint identification


Identity Fraud/Theft
• Unauthorized use of another person’s personal data for illegal financial benefit
• Social security number
• Driver’s license
• Credit card numbers
• Usernames/passwords
• 2017: Almost 17 million U.S. consumers suffered identity fraud


Spoofing, Pharming, and Spam (Junk) Websites


• Spoofing
• Attempting to hide true identity by using someone else’s e-mail or IP address
• Pharming
• Automatically redirecting a URL to a different address, to benefit the hacker
• Spam (junk) websites
• Offer collection of advertisements for other sites, which may contain malicious code


Sniffing and Man-In-The-Middle Attacks


• Sniffer
• Eavesdropping program monitoring networks
• Can identify network trouble spots
• Can be used by criminals to steal proprietary information
• E-mail wiretaps
• Recording e-mails at the mail server level
• Man-in-the-middle attack
• Attacker intercepts and changes communication between two parties who believe they are communicating directly


Denial of Service (DoS) and Distributed Denial of Service (DDoS) Attacks
• Denial of service (DoS) attack
• Flooding website with pings and page requests
• Overwhelm and can shut down site’s web servers
• Often accompanied by blackmail attempts
• Botnets
• Distributed Denial of Service (DDoS) attack
• Uses hundreds or thousands of computers to attack target network
• Can use devices from Internet of Things, mobile devices
• DDoS smokescreening


Insider Attacks
• Largest threat to business institutions comes from insider embezzlement
• Employee access to privileged information
• Poor security procedures
• Insiders more likely to be source of cyberattacks than outsiders


Poorly Designed Software


• Increase in complexity of and demand for software has led to increase in flaws and vulnerabilities
• SQL injection attacks
• Zero-day vulnerability
• Heartbleed bug; Shellshock (BashBug); FREAK


Social Network Security Issues


• Social networks an environment for:
• Viruses, site takeovers, identity fraud, malware-loaded apps, click hijacking, phishing, spam
• Manual sharing scams
• Sharing of files that link to malicious sites
• Fake offerings, fake Like buttons, and fake apps


Mobile Platform Security Issues


• Little public awareness of mobile device vulnerabilities
• 2017: Over 26,500 different mobile malware variants identified by Symantec
• Vishing
• Smishing
• SMS spoofing
• Madware

Insight on Technology: Think Your Smartphone is Secure?
• Class Discussion
• What types of threats do smartphones face?
• Are there any vulnerabilities specific to mobile devices?
• What qualities of apps make them a vulnerable security point in smartphone use?
• Are apps more or less likely to be subject to threats than traditional PC software programs?


Cloud Security Issues


• DDoS attacks
• Infrastructure scanning (find vulnerability)
• Lower-tech phishing attacks yield passwords and access
• Use of cloud storage to connect linked accounts
• Lack of encryption and strong security procedures


Internet of Things Security Issues


• Challenging environment to protect
• Vast quantity of interconnected links
• Near identical devices with long service lives
• Many devices have no upgrade features
• Little visibility into workings, data, or security


Technology Solutions
• Protecting Internet communications
• Encryption
• Securing channels of communication
• SSL, TLS, VPNs, Wi-Fi
• Protecting networks
• Firewalls, proxy servers, IDS, IPS
• Protecting servers and clients
• OS security, anti-virus software


Figure 5.5 Tools Available to Achieve E-commerce Security


Encryption
• Encryption
• Transforms data into cipher text readable only by sender and receiver
• Secures stored information and information transmission
• Provides 4 of 6 key dimensions of e-commerce security:
• Message integrity
• Nonrepudiation
• Authentication
• Confidentiality


Symmetric Key Cryptography


• Sender and receiver use same digital key to encrypt and decrypt message
• Requires different set of keys for each transaction
• Strength of encryption: Length of binary key
• Data Encryption Standard (DES)
• Advanced Encryption Standard (AES)
• Other standards use keys with up to 2,048 bits


Public Key Cryptography


• Uses two mathematically related digital keys
• Public key (widely disseminated)
• Private key (kept secret by owner)
• Both keys used to encrypt and decrypt message
• Once key used to encrypt message, same key cannot be used to decrypt message
• Sender uses recipient’s public key to encrypt message; recipient uses private key to decrypt it

Figure 5.6 Public Key Cryptography: A Simple Case


Public Key Cryptography Using Digital Signatures and Hash Digests
• Sender applies a mathematical algorithm (hash function) to a message and then encrypts the message and hash result with recipient’s public key
• Sender then encrypts the message and hash result with sender’s private key, creating a digital signature, for authenticity and nonrepudiation
• Recipient first uses sender’s public key to authenticate message and then the recipient’s private key to decrypt the hash result and message

Figure 5.7 Public Key Cryptography with Digital Signatures


Digital Envelopes
• Address weaknesses of:
• Public key cryptography
• Computationally slow, decreased transmission speed, increased processing time
• Symmetric key cryptography
• Insecure transmission lines
• Uses symmetric key cryptography to encrypt document
• Uses public key cryptography to encrypt and send symmetric key


Figure 4.8 Public Key Cryptography: Creating a Digital Envelope

Digital Certificates and Public Key Infrastructure (PKI)
• Digital certificate includes:
• Name of subject/company
• Subject’s public key
• Digital certificate serial number
• Expiration date, issuance date
• Digital signature of CA
• Public Key Infrastructure (PKI):
• CAs and digital certificate procedures
• PGP

Figure 5.9 Digital Certificates and Certification Authorities


Limitations of PKI
• Doesn’t protect storage of private key
• PKI not effective against insiders, employees
• Protection of private keys by individuals may be haphazard
• No guarantee that verifying computer of merchant is secure
• CAs are unregulated, self-selecting organizations


Securing Channels of Communication


• Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
• Establishes secure, negotiated client-server session
• Virtual Private Network (VPN)
• Allows remote users to securely access internal network via the Internet
• Wireless (Wi-Fi) networks
• WPA2
• WPA3

Figure 5.10 Secure Negotiated Sessions Using SSL/TLS


Protecting Networks
• Firewall
• Hardware or software that uses security policy to filter packets
• Packet filters
• Application gateways
• Next-generation firewalls
• Proxy servers (proxies)
• Software servers that handle all communications from or sent to the Internet
• Intrusion detection systems
• Intrusion prevention systems
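
To make the "security policy to filter packets" bullet concrete, here is an added Python example (not from the slides) of a stateless packet filter: rules are checked in order, the first match decides, and a final default-deny rule catches everything else. The storefront address 203.0.113.10 and the office range 198.51.100.0/24 are constructed from the RFC 5737 documentation ranges, and Packet, Rule, POLICY, filter_packet and apply_policy are this example's own names.

```python
"""Added example (not from the slides): a policy-driven stateless packet filter.
Rules are evaluated top to bottom; the first matching rule decides the action and
a trailing default-deny rule covers everything the policy did not explicitly allow."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    dst: str      # destination IP address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: str = "0.0.0.0/0"        # CIDR network; the default matches any source
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


# Constructed policy for a hypothetical storefront host (RFC 5737 documentation addresses).
POLICY = [
    Rule("deny", src="10.0.0.0/8", comment="private source address arriving from the Internet"),
    Rule("allow", dst="203.0.113.10/32", proto="tcp", dport=443, comment="HTTPS storefront"),
    Rule("allow", dst="203.0.113.10/32", proto="tcp", dport=80, comment="HTTP redirect to HTTPS"),
    Rule("allow", src="198.51.100.0/24", dst="203.0.113.10/32", proto="tcp", dport=22,
         comment="admin SSH from the office range only"),
    Rule("deny", comment="default deny"),
]


def filter_packet(policy, pkt: Packet):
    """Return (action, matched_rule); the first matching rule wins, as in most firewall rule sets."""
    for rule in policy:
        if rule.matches(pkt):
            return rule.action, rule
    return "deny", None  # unreachable with a default-deny rule; kept as a safety net


def apply_policy(policy, packets):
    """Decide a batch of packets and return the list of actions in order."""
    return [filter_packet(policy, p)[0] for p in packets]


if __name__ == "__main__":
    samples = [  # constructed sample traffic
        Packet("192.0.2.7", "203.0.113.10", "tcp", 443),
        Packet("192.0.2.7", "203.0.113.10", "tcp", 22),
        Packet("198.51.100.5", "203.0.113.10", "tcp", 22),
        Packet("10.1.2.3", "203.0.113.10", "tcp", 443),
        Packet("192.0.2.7", "203.0.113.10", "udp", 53),
    ]
    for p in samples:
        action, rule = filter_packet(POLICY, p)
        print(f"{action:5} {p.src:>14} -> {p.dst}:{p.dport}/{p.proto}  ({rule.comment})")
```

Rule order is part of the policy: the anti-spoofing deny sits before the HTTPS allow, so a packet claiming a private 10.0.0.0/8 source is dropped even on port 443, and SSH is reachable only from the office range because the generic allow rules name port 443 and 80 but not 22. Real firewalls add connection state, so that replies to outbound connections are accepted without an explicit rule, and log which rule matched, which is what an intrusion detection system or SIEM later correlates.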


Figure 5.11 Firewalls and Proxy Servers


Protecting Servers and Clients


• Operating system security enhancements
• Upgrades, patches
• Anti-virus software
• Easiest and least expensive way to prevent threats to system integrity
• Requires daily updates


Management Policies, Business Procedures, and Public Laws
• Worldwide, companies spend more than $86 billion on security hardware, software, services
• Managing risk includes:
• Technology
• Effective management policies
• Public laws and active enforcement


A Security Plan: Management Policies


• Risk assessment
• Security policy
• Implementation plan
• Security organization
• Access controls
• Authentication procedures, including biometrics
• Authorization policies, authorization management systems
• Security audit

Figure 5.12 Developing an E-commerce Security Plan


Insight on Business: Are Biometrics the Solution for E-commerce Security?
• Class Discussion
• What are biometrics?
• How could the use of biometrics make e-commerce more secure?
• What are some of the potential dangers in using biometrics?


The Role of Laws and Public Policy


• Laws that give authorities tools for identifying, tracing, prosecuting cybercriminals:
• USA Patriot Act
• Homeland Security Act
• Private and private-public cooperation
• US-CERT
• CERT Coordination Center
• Government policies and controls on encryption software
• OECD, G7/G8, Council of Europe, Wassenaar Arrangement


E-commerce Payment Systems


• In U.S., credit and debit cards are primary online payment methods
• Other countries have different systems
• Online credit card purchasing cycle
• Credit card e-commerce enablers
• Limitations of online credit card payment
• Security, merchant risk
• Cost
• Social equity

Figure 5.14 How an Online Credit Card Transaction Works


Alternative Online Payment Systems


• Online stored value systems:
• Based on value stored in a consumer’s bank, checking, or credit card account
• Example: PayPal
• Other alternatives:
• Amazon Pay
• Visa Checkout, Mastercard’s MasterPass
• Dwolla


Mobile Payment Systems


• Use of mobile phones as payment devices
• Established in Europe and Asia
• Expanding in United States
• Near field communication (NFC)
• Different types of mobile wallets
• Universal proximity mobile wallets, such as Apple Pay, Google Pay, Samsung Pay, PayPal Mobile
• Branded store proximity wallets, offered by Walmart, Target, Starbucks, others
• P2P mobile payment apps, such as Zelle, Venmo


Blockchain
• Blockchain
• Enables organizations to create and verify transactions nearly instantaneously using a distributed P2P database (distributed ledger)
• Benefits:
• Reduces costs of verifying users, validating transactions, and risks of storing and processing transaction information
• Transactions cannot be altered retroactively and therefore are more secure
• Foundation technology for cryptocurrencies and supply chain management, as well as potential applications in financial services and healthcare industries
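
The claim that transactions "cannot be altered retroactively" rests on hash chaining: each block stores the hash of its predecessor, so editing an old block changes its hash and breaks the link from every later block. The following Python ledger is an added example, not from the slides or any blockchain project; Ledger, Block, build_sample_ledger and tamper are its own names, the transactions are constructed samples, and proof-of-work and peer consensus (which stop an attacker from simply recomputing all later hashes) are deliberately left out.

```python
"""Added example (not from the slides): a minimal hash-chained ledger showing why
an appended block cannot be edited retroactively without breaking every hash that
follows it. Proof-of-work and peer consensus are omitted; this is the linking idea only."""
import hashlib
import json
from dataclasses import dataclass


@dataclass
class Block:
    index: int
    transactions: list   # list of constructed {"from", "to", "amount"} dicts
    prev_hash: str       # hash of the previous block; the link that makes a chain
    hash: str = ""       # hash of this block's own contents, set when appended

    def compute_hash(self) -> str:
        """SHA-256 over a canonical JSON encoding of index, transactions and prev_hash."""
        body = json.dumps({"index": self.index, "transactions": self.transactions,
                           "prev_hash": self.prev_hash}, sort_keys=True)
        return hashlib.sha256(body.encode()).hexdigest()


class Ledger:
    def __init__(self):
        genesis = Block(0, [], "0" * 64)   # genesis block has no predecessor
        genesis.hash = genesis.compute_hash()
        self.chain = [genesis]

    def add_block(self, transactions):
        """Append a block whose prev_hash is the current tail's hash."""
        prev = self.chain[-1]
        block = Block(prev.index + 1, list(transactions), prev.hash)
        block.hash = block.compute_hash()
        self.chain.append(block)
        return block

    def verify(self):
        """Return (ok, first_bad_index): every block must hash correctly and point at its predecessor."""
        for i, block in enumerate(self.chain):
            if block.hash != block.compute_hash():
                return False, i
            if i > 0 and block.prev_hash != self.chain[i - 1].hash:
                return False, i
        return True, None


def build_sample_ledger():
    """Genesis plus three blocks of constructed sample transactions."""
    ledger = Ledger()
    ledger.add_block([{"from": "alice", "to": "shop", "amount": 25}])
    ledger.add_block([{"from": "bob", "to": "shop", "amount": 40}])
    ledger.add_block([{"from": "shop", "to": "supplier", "amount": 60}])
    return ledger


def tamper(ledger, index, new_amount):
    """Retroactively edit one transaction, as a dishonest insider or attacker would try."""
    ledger.chain[index].transactions[0]["amount"] = new_amount
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("fresh ledger valid:", ledger.verify())
    tamper(ledger, 1, 2500)
    print("after editing block 1:", ledger.verify())
    ledger.chain[1].hash = ledger.chain[1].compute_hash()   # attacker recomputes block 1's hash...
    print("after recomputing block 1's hash:", ledger.verify())   # ...but block 2 still points at the old one
```

verify returns the index of the first inconsistent block, which is the practical detection signal: after tamper edits block 1, block 1 fails its own hash check; if the attacker recomputes that hash, block 2's prev_hash no longer matches, and the same happens for each later block in turn. In a real network the attacker would also have to redo the proof-of-work for every later block faster than the honest majority of peers, which is what turns "detectable" into "impractical".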

Figure 5.16 How Blockchain Works


Cryptocurrencies
• Use blockchain technology and cryptography to create a purely digital medium of exchange
• Bitcoin the most prominent example
• Value of Bitcoins has widely fluctuated
• Major issues with theft and fraud
• Some governments have banned Bitcoin, although it is gaining acceptance in the U.S.
• Other cryptocurrencies (altcoins) include Ethereum/Ether, Ripple, Litecoin and Monero
• Initial coin offerings (ICOs) being used by some startups to raise capital

Electronic Billing Presentment and Payment (EBPP)
• Online payment systems for monthly bills
• Four EBPP business models:
• Online banking model (most widely used)
• Biller-direct (monthly telephone bill)
• Mobile
• Consolidator (third party)
• All models are supported by EBPP infrastructure providers


Careers in E-commerce
• Position: Cybersecurity Threat Management Team Trainee
• Qualification/Skills
• Preparing for the Interview
• Possible Interview Questions
