
07-Oct-17

E-commerce 2017
business. technology. society.
13th edition

Chapter 5
E-commerce Security and Payment Systems
Accessibility standards-compliant

Copyright © 2018, 2017, 2016 Pearson Education, Inc. All Rights Reserved

Learning Objectives
• 5.1 Understand the scope of e-commerce crime and security problems, the key dimensions of e-commerce security, and the tension between security and other values.
• 5.2 Identify the key security threats in the e-commerce environment.
• 5.3 Describe how technology helps secure Internet communications channels and protect networks, servers, and clients.
• 5.4 Appreciate the importance of policies, procedures, and laws in creating security.
• 5.5 Identify the major e-commerce payment systems in use today.
• 5.6 Describe the features and functionality of electronic billing presentment and payment systems.

Cyberwar: MAD 2.0
• Class Discussion
– What is the difference between hacking and cyberwar?
– Why has cyberwar become potentially more devastating in the past decade?
– Is it possible to find a political solution to MAD 2.0?
– What damage can be done by cyberweapons like Flame and Snake?



The E-commerce Security Environment
• Overall size and losses of cybercrime unclear
– Reporting issues
• 2016 survey: Average total cost of data breach to U.S. corporations was $4 million
• Low-cost web attack kits
• Online credit card fraud
• Underground economy marketplace

What Is Good E-commerce Security?
• To achieve highest degree of security
– New technologies
– Organizational policies and procedures
– Industry standards and government laws
• Other factors
– Time value of money
– Cost of security vs. potential loss
– Security often breaks at weakest link


Figure 5.1: The E-commerce Security Environment

Table 5.3: Customer and Merchant Perspectives on the Different Dimensions of E-commerce Security
Integrity
– Customer's perspective: Has information I transmitted or received been altered?
– Merchant's perspective: Has data on the site been altered without authorization? Is data being received from customers valid?
Nonrepudiation
– Customer's perspective: Can a party to an action with me later deny taking the action?
– Merchant's perspective: Can a customer deny ordering products?
Authenticity
– Customer's perspective: Who am I dealing with? How can I be assured that the person or entity is who they claim to be?
– Merchant's perspective: What is the real identity of the customer?
Confidentiality
– Customer's perspective: Can someone other than the intended recipient read my messages?
– Merchant's perspective: Are messages or confidential data accessible to anyone other than those authorized to view them?
Privacy
– Customer's perspective: Can I control the use of information about myself transmitted to an e-commerce merchant?
– Merchant's perspective: What use, if any, can be made of personal data collected as part of an e-commerce transaction? Is the personal information of customers being used in an unauthorized manner?
Availability
– Customer's perspective: Can I get access to the site?
– Merchant's perspective: Is the site operational?



The Tension Between Security and Other Values
• Ease of use
– The more security measures added, the more difficult a site is to use, and the slower it becomes
• Public safety and criminal uses of the Internet
– Use of technology by criminals to plan crimes or threaten nation-states

Security Threats in the E-commerce Environment
• Three key points of vulnerability in e-commerce environment:
– Client
– Server
– Communications pipeline (Internet communications channels)


Figure 5.2: A Typical E-commerce Transaction

Figure 5.3: Vulnerable Points in an E-commerce Transaction



Malicious Code
• Exploits and exploit kits
• Malvertising
• Drive-by downloads
• Viruses
• Worms
• Ransomware (encrypts or locks data and demands payment) and scareware (fake warnings that extort payment)
• Trojan horses
• Backdoors
• Bots, botnets

Potentially Unwanted Programs
• Browser parasites
– Monitor and change user's browser
• Adware
– Used to call pop-up ads
• Spyware
– Tracks user's keystrokes, e-mails, IMs, etc.


Phishing
• Any deceptive, online attempt by a third party to obtain confidential information for financial gain
• Tactics
– Social engineering
– E-mail scams
– Spear phishing
• Used for identity fraud and theft

Hacking, Cybervandalism, and Hacktivism
• Hacking
– Hackers vs. crackers
– White hats, black hats, grey hats
– Tiger teams
– Goals: cybervandalism, data breaches
• Cybervandalism:
– Disrupting, defacing, destroying website
• Hacktivism



Data Breaches
• When organizations lose control over corporate information to outsiders
• Nine mega-breaches in 2015
• Leading causes
– Hacking
– Employee error/negligence
– Accidental e-mail/Internet exposure
– Insider theft

Insight on Society: The Ashley Madison Data Breach
• Class Discussion
– What organizational and technological failures led to the data breach at Ashley Madison?
– What technical solutions are available to combat data breaches?
– Have you or anyone you know experienced a data breach?


Credit Card Fraud/Theft
• Stolen credit card incidences about 0.8% of all online card transactions
• Hacking and looting of corporate servers is primary cause
• Central security issue: establishing customer identity
– E-signatures
– Multi-factor authentication
– Fingerprint identification

Identity Fraud/Theft
• Unauthorized use of another person's personal data for illegal financial benefit
– Social security number
– Driver's license
– Credit card numbers
– Usernames/passwords
• 2015: 13 million U.S. consumers suffered identity fraud



Spoofing, Pharming, and Spam (Junk) Websites
• Spoofing
– Attempting to hide true identity by using someone else's e-mail or IP address
• Pharming
– Automatically redirecting a web link to a different address, to benefit the hacker
• Spam (junk) websites
– Offer collection of advertisements for other sites, which may contain malicious code

Sniffing and Man-in-the-Middle Attacks
• Sniffer
– Eavesdropping program monitoring networks
– Can identify network trouble spots
– Can be used by criminals to steal proprietary information
• E-mail wiretaps
– Recording e-mails at the mail server level
• Man-in-the-middle attack
– Attacker intercepts and changes communication between two parties who believe they are communicating directly


Denial of Service (DoS) and Distributed Denial of Service (DDoS) Attacks
• Denial of service (DoS) attack
– Flooding website with pings and page requests
– Overwhelm and can shut down site's web servers
– Often accompanied by blackmail attempts
– Botnets
• Distributed Denial of Service (DDoS) attack
– Uses hundreds or thousands of computers to attack target network
– Can use devices from Internet of Things, mobile devices
• DDoS smokescreening (an attack launched to keep defenders busy while a simultaneous intrusion or data theft goes unnoticed)

Insider Attacks
• Largest threat to business institutions comes from insider embezzlement
• Employee access to privileged information
• Poor security procedures
• Insiders more likely to be source of cyberattacks than outsiders



Poorly Designed Software
• Increase in complexity of and demand for software has led to increase in flaws and vulnerabilities
• SQL injection attacks (untrusted input concatenated into a database query is interpreted as SQL)
• Zero-day vulnerability (a flaw exploited before the vendor has a patch)
• Heartbleed bug (2014 OpenSSL flaw that let a client read server memory, including private keys)

Social Network Security Issues
• Social networks an environment for:
– Viruses, site takeovers, identity fraud, malware-loaded apps, click hijacking, phishing, spam
• Manual sharing scams
– Sharing of files that link to malicious sites
• Fake offerings, fake Like buttons, and fake apps
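SQL injection is the one item on this slide that can be shown in a few lines: the vulnerable query beside its fixed form. This is an added example, not code from the textbook; the in-memory table, the two user rows and the `login_*` function names are constructed for illustration. Passwords are compared in clear only to keep the injection visible; a real system stores salted password hashes and never puts the password in the query at all.

```python
"""SQL injection: a string-built query beside its parameterized form,
run against a constructed in-memory SQLite table. Added example."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one admin and one customer."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "s3cret", "admin"),
        ("bob", "hunter2", "customer"),
    ])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Query built by concatenation: whatever the user types becomes part of
    the SQL text, so a quote and a comment marker rewrite the WHERE clause."""
    sql = ("SELECT username, role FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Bound parameters: the driver sends the values separately from the
    statement, so they are only ever compared, never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 --"           # closes the string, makes the test true, comments out the rest
    print(login_vulnerable(db, payload, "anything"))   # every row comes back
    print(login_safe(db, payload, "anything"))         # no row has that literal username
    print(login_safe(db, "alice", "s3cret"))           # the only way in
```

The fix is not escaping quotes by hand (which breaks on the next encoding trick) but keeping data and code separate with placeholders, which every mainstream database driver supports.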


Mobile Platform Security Issues
• Little public awareness of mobile device vulnerabilities
• 2015 survey: 3 million apps of 10 million are malware
• Vishing
• Smishing
• SMS spoofing
• Madware

Insight on Technology: Think Your Smartphone Is Secure?
• Class Discussion
– Which mobile operating system do you think is more secure: Apple's iOS or Google's Android?
– What steps, if any, do you take to make your smartphone more secure?
– What qualities of apps make them a vulnerable security point in smartphone use?


Cloud Security Issues
• DDoS attacks
• Infrastructure scanning
• Lower-tech phishing attacks yield passwords and access
• Use of cloud storage to connect linked accounts

Internet of Things Security Issues
• Challenging environment to protect
• Vast quantity of interconnected links
• Near identical devices with long service lives
• Many devices have no upgrade features
• Little visibility into workings, data, or security
• Lack of encryption and strong security procedures


Technology Solutions
• Protecting Internet communications
– Encryption
• Securing channels of communication
– SSL, TLS, VPNs, Wi-Fi
• Protecting networks
– Firewalls, proxy servers, IDS, IPS
• Protecting servers and clients
– OS security, anti-virus software

Figure 5.5: Tools Available to Achieve Site Security



Encryption
• Encryption
– Transforms data into cipher text readable only by sender and receiver
– Secures stored information and information transmission
– Provides 4 of 6 key dimensions of e-commerce security (confidentiality directly; the other three through the hash digests and digital signatures built on it):
 Message integrity
 Nonrepudiation
 Authentication
 Confidentiality

Symmetric Key Cryptography
• Sender and receiver use same digital key to encrypt and decrypt message
• Requires a distinct shared key for each pair of communicating parties (ideally a fresh key per session), plus a secure way to deliver it
• Strength depends on key length and on the algorithm: a longer key helps only if the cipher has no shortcut attack
• Data Encryption Standard (DES): 56-bit key, brute-forceable in practice since the late 1990s and now obsolete
• Advanced Encryption Standard (AES): 128-, 192- or 256-bit keys; the current standard
• Other standards use keys with up to 2,048 bits; such figures refer to public-key (RSA) keys, whose lengths are not comparable bit-for-bit with symmetric keys


Public Key Cryptography
• Uses two mathematically related digital keys
– Public key (widely disseminated)
– Private key (kept secret by owner)
• Either key can be used to encrypt; only the other key of the pair can decrypt
• Once a key has been used to encrypt a message, that same key cannot be used to decrypt it
• Sender uses recipient's public key to encrypt message; recipient uses private key to decrypt it
– The private key is never transmitted, so no secret has to be exchanged in advance

Figure 5.6: Public Key Cryptography: A Simple Case



Public Key Cryptography Using Digital Signatures and Hash Digests
• Sender applies a mathematical algorithm (hash function) to the message, producing a fixed-length digest; any change to the message changes the digest
• Sender encrypts the digest with the sender's private key, creating the digital signature (for authenticity and nonrepudiation), then encrypts the message and signature with the recipient's public key
• Recipient decrypts with the recipient's private key, decrypts the signature with the sender's public key, recomputes the digest of the received message and compares the two; a mismatch means the message was altered in transit or was not signed by the claimed sender

Figure 5.7: Public Key Cryptography with Digital Signatures


Digital Envelopes
• Address weaknesses of:
– Public key cryptography
 Computationally slow, decreased transmission speed, increased processing time
– Symmetric key cryptography
 Shared key must be delivered over insecure transmission lines
• Uses symmetric key cryptography to encrypt document
• Uses public key cryptography to encrypt and send symmetric key

Figure 5.8: Creating a Digital Envelope
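The three preceding slides (public key cryptography, digital signatures with hash digests, and digital envelopes) describe one pipeline, so a single added example covers all of them. This is not textbook code: it is textbook-style RSA with fixed Mersenne primes and no padding, plus a SHA-256 keystream standing in for AES, written with the standard library only so it runs anywhere. The key sizes, the party names Alice and Bob, and the sample order message are all assumptions for illustration; the construction shows the mechanics and must never be used as real cryptography.

```python
"""Toy sign-and-envelope pipeline: hash digest, signature with the sender's
private key, document under a symmetric session key, session key wrapped with
the recipient's public key. Added example; demonstration only, not production."""
import hashlib
import secrets


def rsa_keypair(p: int, q: int, e: int = 65537):
    """Returns ((n, e), (n, d)). p and q must be primes with gcd(e, (p-1)(q-1)) = 1."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


def digest(message: bytes) -> int:
    """SHA-256 of the message as an integer, so it can go through RSA."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(private_key, message: bytes) -> int:
    """Encrypt the digest with the sender's private key."""
    n, d = private_key
    return pow(digest(message), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Decrypt the signature with the sender's public key; it must equal a
    freshly computed digest of the message we actually received."""
    n, e = public_key
    return pow(signature, e, n) == digest(message)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric stream cipher: SHA-256(key || block counter) XORed with the
    data. The same call encrypts and decrypts. Stand-in for AES, demo only."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        ks = hashlib.sha256(key + counter).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)


def seal(sender_private, recipient_public, message: bytes) -> dict:
    """Digital envelope: fresh symmetric key encrypts the document, the
    recipient's public key encrypts that key, the sender's private key signs."""
    session_key = secrets.token_bytes(16)
    n, e = recipient_public
    return {
        "ciphertext": keystream_xor(session_key, message),
        "wrapped_key": pow(int.from_bytes(session_key, "big"), e, n),
        "signature": sign(sender_private, message),
    }


def open_envelope(recipient_private, sender_public, env: dict):
    """Returns (verified, plaintext): unwrap the session key with the recipient's
    private key, decrypt, then check the signature over what was recovered."""
    n, d = recipient_private
    session_key = pow(env["wrapped_key"], d, n).to_bytes(16, "big")
    plaintext = keystream_xor(session_key, env["ciphertext"])
    return verify(sender_public, plaintext, env["signature"]), plaintext


# Fixed Mersenne primes keep the example deterministic and fast; real keys use
# random primes of 1024 bits or more each. Two key pairs, one per party.
ALICE_PUB, ALICE_PRIV = rsa_keypair(2**127 - 1, 2**521 - 1)
BOB_PUB, BOB_PRIV = rsa_keypair(2**89 - 1, 2**607 - 1)

if __name__ == "__main__":
    order = b"Order 4471: ship 12 units to Bob"      # constructed sample message
    env = seal(ALICE_PRIV, BOB_PUB, order)
    print(open_envelope(BOB_PRIV, ALICE_PUB, env))  # (True, order)
```

Two things the slides do not spell out fall out of the code: the wrong public key cannot verify the signature, and flipping one bit of the ciphertext changes the recovered plaintext, so the recomputed digest no longer matches and the envelope is rejected. That recompute-and-compare step is the integrity check; the stream cipher on its own would happily decrypt tampered data.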



Digital Certificates and Public Key Infrastructure (PKI)
• Digital certificate includes:
– Name of subject/company
– Subject's public key
– Digital certificate serial number
– Expiration date, issuance date
– Digital signature of CA
• Public Key Infrastructure (PKI):
– CAs and digital certificate procedures
– PGP

Figure 5.9: Digital Certificates and Certification Authorities


Limitations of PKI
• Does not protect storage of private key
– PKI not effective against insiders, employees
– Protection of private keys by individuals may be haphazard
• No guarantee that verifying computer of merchant is secure
• CAs are largely self-selecting organizations: they answer to browser and operating-system root programs and to industry baseline requirements rather than to a regulator, and a mis-issued certificate is trusted until it is revoked or the CA is distrusted

Securing Channels of Communication
• Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
– Establishes secure, negotiated client–server session
– All SSL versions are deprecated; current deployments should negotiate TLS 1.2 or later
• Virtual Private Network (VPN)
– Allows remote users to securely access internal network via the Internet
• Wireless (Wi-Fi) networks
– WPA2
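A negotiated SSL/TLS session only delivers authenticity if the client actually verifies the server's certificate and hostname; the PKI limitations above are made worse when the client switches that verification off. The added example below, written with Python's standard `ssl` module and not taken from the textbook, puts the weak client configuration next to the corrected one and includes a small audit function; the function names and the choice of TLS 1.2 as the floor are the author's assumptions, not values from the page.

```python
"""Client-side TLS configuration: the settings that turn a 'secure negotiated
session' into one a man-in-the-middle can sit inside, beside the corrected
ones. Added example using the standard library ssl module."""
import ssl
from typing import List, Optional


def insecure_context() -> ssl.SSLContext:
    """What 'just disable the certificate error' advice produces: any
    certificate for any name is accepted, so the channel is encrypted
    but the peer is not authenticated."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Chain verified against the trust store (or a pinned CA bundle),
    hostname matched, SSLv3/TLS 1.0/TLS 1.1 refused."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Findings a reviewer would raise for a client context; empty is good."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not matched against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions allowed")
    return findings


if __name__ == "__main__":
    print(audit_context(insecure_context()))   # two or three findings
    print(audit_context(hardened_context()))   # []
    # Usage: ssl.create_connection + hardened_context().wrap_socket(sock, server_hostname=host)
```

Passing a `cafile` that contains only your own CA is how a merchant client pins its payment gateway; the default trust store is right for a browser, not necessarily for a server-to-server link.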



Figure 5.10: Secure Negotiated Sessions Using SSL/TLS

Protecting Networks
• Firewall
– Hardware or software that uses security policy to filter packets
 Packet filters
 Application gateways
– Next-generation firewalls
• Proxy servers (proxies)
– Software servers that handle all communications from or sent to the Internet
• Intrusion detection systems
• Intrusion prevention systems

Figure 5.11: Firewalls and Proxy Servers

Protecting Servers and Clients
• Operating system security enhancements
– Upgrades, patches
• Anti-virus software
– Easiest and least expensive way to prevent threats to system integrity
– Requires daily signature updates, and still misses new malware until a signature for it exists



Management Policies, Business Procedures, and Public Laws
• Worldwide, companies spend more than $81 billion on security hardware, software, services
• Managing risk includes:
– Technology
– Effective management policies
– Public laws and active enforcement

A Security Plan: Management Policies
• Risk assessment
• Security policy
• Implementation plan
– Security organization
– Access controls
– Authentication procedures, including biometrics
– Authorization policies, authorization management systems
• Security audit


Figure 5.12: Developing an E-commerce Security Plan

The Role of Laws and Public Policy
• Laws that give authorities tools for identifying, tracing, prosecuting cybercriminals:
– USA Patriot Act
– Homeland Security Act
• Private and private-public cooperation
– US-CERT
– CERT Coordination Center
• Government policies and controls on encryption software
– OECD, G7/G8, Council of Europe, Wassenaar Arrangement



E-commerce Payment Systems
• In U.S., credit and debit cards are primary online payment methods
– Other countries have different systems
• Online credit card purchasing cycle
• Credit card e-commerce enablers
• Limitations of online credit card payment
– Security, merchant risk
– Cost
– Social equity

Figure 5.14: How an Online Credit Transaction Works


Alternative Online Payment Systems
• Online stored value systems:
– Based on value stored in a consumer's bank, checking, or credit card account
– Example: PayPal
• Other alternatives:
– Pay with Amazon
– Visa Checkout, Mastercard's MasterPass
– Bill Me Later
– WUPay, Dwolla, Stripe

Mobile Payment Systems
• Use of mobile phones as payment devices
– Established in Europe and Asia
– Expanding in United States
 Apple Pay, Android Pay, Samsung Pay, PayPal, Square
• Near field communication (NFC)
• Social/Mobile peer-to-peer payment systems
– Sending money through mobile app or website
• Regulation of mobile wallets and rechargeable cards


Digital Cash and Virtual Currencies
• Digital cash
– Based on algorithm that generates unique tokens that can be used in "real" world
– Example: Bitcoin
• Virtual currencies
– Circulate within internal virtual world
– Example: Linden Dollars in Second Life, Facebook Credits
– Typically used for purchasing virtual goods

Insight on Business: Bitcoin
• Class Discussion
– What are some of the benefits of using a digital currency?
– What are the risks involved to the user?
– What are the political and economic repercussions of a digital currency?
– Have you or anyone you know ever used Bitcoin?


Electronic Billing Presentment and Payment (EBPP)
• Online payment systems for monthly bills
• Over 55% of all bill payments
• Four EBPP business models:
– Online banking model (most widely used)
– Biller-direct
– Mobile
– Consolidator
• All models are supported by EBPP infrastructure providers


