E Commerce Technology Solution, Management policies and Payment Systems - Chapter-04 - Part 2

CSC 330 E-CommerceTeacher Ahmed Mumtaz Mustehsan GM-IT CIIT Islamabad Virtual Campus, CIIT COMSATS Institute of Information TechnologyT1-Lecture-10T1-Lecture-10E Commerce Technology Solution, Management policies and Payment SystemsChapter-04Part-IIFor Lecture Material/Slides Thanks to: Copyright © 2010 Pearson Education, IncObjectivesDescribe how various forms of encryption technology help protect the security of messages sent over the Internet.Identify the tools used to establish secure Internet communications channels.Identify the tools used to protect networks, servers, and clients.Appreciate the importance of policies, procedures, and laws in creating security.T1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-3Tools Available to Achieve Site SecurityFigure 5.7, Page 287T1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-4EncryptionTransforms data into cipher text readable only by sender and receiverSecures stored information and information transmissionProvides 4 of 6 key dimensions of e-commerce security: Message integrityNonrepudiationAuthenticationConfidentialityT1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-5Dimensions of E-commerce SecurityT1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-6Symmetric Key EncryptionSender and receiver use same digital key to encrypt and decrypt messageRequires different set of keys for each transactionStrength of encryption Length of binary key used to encrypt dataAdvanced Encryption Standard (AES)Most widely used symmetric key encryptionUses 128-, 192-, and 256-bit encryption keysOther standards use keys with up to 2,048 bitsT1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-7Public Key EncryptionUses two mathematically related digital keys Public key (widely disseminated) Private key (kept secret by owner)Both keys used to encrypt and decrypt messageOnce key used to encrypt message, same key cannot be used to decrypt messageSender uses recipient’s public key to encrypt message; recipient uses his/her private key to decrypt itT1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-8Public Key Cryptography—A Simple CaseT1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-9Public Key Encryption Using Digital Signatures and Hash DigestsHash function:Mathematical algorithm that produces fixed-length number called message or hash digestHash digest of message sent to recipient along with message to verify integrityHash digest and message encrypted with recipient’s public keyEntire cipher text then encrypted with sender’s private key—creating digital signature—for authenticity, nonrepudiation T1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-10Public Key Cryptography with Digital SignaturesFigure 5.9, Page 291T1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-11Digital EnvelopesAddresses weaknesses of:Public key encryptionComputationally slow, decreased transmission speed, increased processing timeSymmetric key encryptionInsecure transmission linesUses symmetric key encryption to encrypt document Uses public key encryption to encrypt and send symmetric keyT1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-12Creating a Digital EnvelopeFigure 5.10, Page 293T1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-13Digital Certificates and Public Key Infrastructure (PKI)Digital certificate includes:Name of subject/companySubject’s public keyDigital certificate serial numberExpiration date, issuance dateDigital signature of certification authority (trusted third party institution) that issues certificatePublic Key Infrastructure (PKI): CAs and digital certificate procedures that are accepted by all partiesT1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-14Digital Certificates and Certification AuthoritiesFigure 5.11, Page 294T1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-15Limits to Encryption SolutionsDoesn’t protect storage of private keyPKI not effective against insiders, employeesProtection of private keys by individuals may be haphazard (may be stolen from Laptop/Desktop)No guarantee that verifying computer of merchant is secureCAs are unregulated, self-selecting organizationsT1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-16Securing Channels of CommunicationSecure Sockets Layer (SSL): Establishes a secure, negotiated client-server session in which URL of requested document, along with contents, are encryptedS-HTTP: Provides a secure message-oriented communications protocol designed for use in conjunction with HTTPVirtual Private Network (VPN): Allows remote users to securely access internal network via the Internet, using Point-to-Point Tunneling Protocol (PPTP)T1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-17Secure Negotiated Sessions Using SSLT1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-18Protecting NetworksFirewallHardware or software that filters packetsPrevents some packets from entering the network based on security policyTwo main methods:Packet filtersApplication gatewaysProxy servers (proxies)Software servers that handle all communications originating from or being sent to the InternetT1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-19Firewalls and Proxy ServersT1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-20Protecting Servers and ClientsOperating system security enhancementsUpgrades, patchesAnti-virus software Easiest and least expensive way to prevent threats to system integrityRequires daily updatesT1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-21Management Policies, Business Procedures, and Public LawsManaging risk includesTechnologyEffective management policiesPublic laws and active enforcementU.S. firms and organizations spend 12% of IT budget on security hardware, software, services ($120 billion in 2009)T1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-22A Security Plan: Management PoliciesPerform a risk assessmentDevelop a security policyDevelop and Implementation planCreate Security organizationAccess controlsAuthentication procedures, including biometricsAuthorization policies, authorization management systemsSecurity auditT1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-23Developing an E-commerce Security PlanT1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-24The Role of Laws and Public PolicyLaws that give authorities tools for identifying, tracing, prosecuting cybercriminals:The Ministry of Information Technology (MoIT) has finalized a draft proposal to make provision for the prevention of electronic crimes in the country.The Act is named as the Prevention of Electronic Crimes Act, 2014.IT Policy of Pakistan covers:Multimedia Convergence ActElectronic Government ActElectronic Commerce ActProtection of privacy, security, and confidentiality.Legislation and RegulationsDigital Signature ActComputer Crimes ActT1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-25Types of Traditional Payment SystemsCashMost common form of payment in terms of number of transactionsInstantly convertible into other forms of value without intermediationPayment through Check transferSecond most common payment form in the United States in terms of number of transactionsCredit cardCredit card associations (VISA & Master Cards)Issuing banksProcessing centersT1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-26Types of Traditional Payment SystemsStored ValueFunds deposited into account, from which funds are paid out or withdrawn as needed, e.g., debit cards, gift certificates, etc.Peer-to-peer payment systems e.g. prepaid cards Accumulating BalanceAccounts that accumulate expenditures and to which consumers make period paymentsExamples: utility bills, phone, American Express accountsT1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-27Table 5.6, Page 312Source: Adapted from MacKie-Mason and White, 1996.T1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-28E-commerce Payment SystemsCredit cards55% of online payments in 2009 Debit cards28% of online payments in 2009Limitations of online credit card paymentSecurity : no security for both client and merchantCost: almost no cost to customer if paid in time;Merchant needs to pay 3.5% to bank if used intermediaries like PAYPAL the additional charges 1 to 1.5%T1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-29How an Online Credit Transaction WorksT1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-30E-commerce Payment SystemsDigital walletsEmulates functionality of wallet by authenticating consumer, storing and transferring value, and securing payment process from consumer to merchantEarly efforts to popularize failedNewest effort: Google CheckoutDigital cashValue storage and exchange using tokens Most early examples have disappeared; protocols and practices too complexT1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-31E-commerce Payment SystemsOnline stored value systemsBased on value stored in a consumer’s bank, checking, or credit card accountPayPal, smart cardsDigital accumulated balance paymentUsers accumulate a debit balance for which they are billed at the end of the monthDigital checking:Extends functionality of existing checking accounts for use onlineT1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-32Wireless Payment SystemsUse of mobile handsets as payment devices well-established in Europe, Japan, South KoreaJapanese mobile payment systemsE-money (stored value)Mobile debit cardsMobile credit cardsNot as well established yet in the United StatesMajority of purchases are digital content for use on cell phoneT1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-33Is your smart phone secure?All mobile users carry the privacy with themMany free applications are built to grab information from smart phonesTheses applications work for hacking the pictures, passwords and bank account details etc.Smartphones are susceptible to browser-based malwareT1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-34The Players: Hackers, Crackers, and AttackersOriginal hackers created the Unix operating system and helped build the Internet, Usenet, and World Wide Web; and, used their skills to test the strength and integrity of computer systemsOver the time, the term hacker came to be applied to rogue programmers who illegally break into computers and networks.Underground hackers: T1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-35The Players: Hackers, Crackers & Attackers Uber Haxor Wizard Internet Hackers Highly capable attackersResponsible for writing most of the attacker tools Crackers People who engage in unlawful or damaging hacking short for “criminal hacking” cracking software keys and securities for piracy.Other attackers“Script kiddies” are ego-driven, unskilled crackers who use information and software (scripts) that they download from the Internet to inflict damage on targeted sitesScorned by both the Law enforcement and Hackers communities T1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-36Script Kiddies[very common] The lowest form of cracker; script kiddies do mischief with scripts and rootkits written by others, often using tools without understanding. People with limited technical expertise using easy-to-operate, pre-configured, and/or automated tools to conduct disruptive activities against networked systems. Since most of these tools are fairly well-known by the security community, the adverse impact of such actions is usually minimal.People who cannot program themselves, but who create tacky HTML pages by copying JavaScript routines from other tacky HTML pages. More generally, a script kiddie writes (or more likely cuts and pastes) code without either having or desiring to have a mental model of what the code does; Reference: Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-37End of: T1-Lecture-10E Commerce Technology Solution, Management policies and Payment SystemsChapter-04Part-IIThank YouT1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-38