In this chapter, the learning objectives are: Describe how various forms of encryption technology help protect the security of messages sent over the internet, identify the tools used to establish secure internet communications channels, identify the tools used to protect networks, servers, and clients, appreciate the importance of policies, procedures, and laws in creating security.
CSC 330 E-Commerce
Teacher: Ahmed Mumtaz Mustehsan, GM-IT CIIT Islamabad Virtual Campus, CIIT COMSATS Institute of Information Technology
T1-Lecture-10: E-Commerce Technology Solution, Management Policies and Payment Systems, Chapter 04, Part II
For lecture material/slides, thanks to: Copyright © 2010 Pearson Education, Inc

Objectives
Describe how various forms of encryption technology help protect the security of messages sent over the Internet
Identify the tools used to establish secure Internet communications channels
Identify the tools used to protect networks, servers, and clients
Appreciate the importance of policies, procedures, and laws in creating security

Tools Available to Achieve Site Security
(Figure 5.7, page 287)

Encryption
Transforms data into cipher text readable only by the sender and receiver
Secures stored information and information transmission
Provides security for key dimensions of e-commerce:
◦ Message integrity
◦ Nonrepudiation
◦ Authentication
◦ Confidentiality

Dimensions of E-commerce Security
(figure slide)

Symmetric Key Encryption
Sender and receiver use the same digital key to encrypt and decrypt the message
Requires a different set of keys for each transaction
Strength of encryption:
◦ Length of the binary key used to encrypt data
Advanced Encryption Standard (AES):
◦ Most widely used symmetric key encryption
◦ Uses 128-, 192-, and 256-bit encryption keys
Other standards use keys with up to 2,048 bits

Public Key Encryption
Uses two mathematically related digital keys
Public key (widely disseminated)
Private key (kept secret by owner)
Both keys are used to encrypt and decrypt the message
Once a key has been used to encrypt a message, the same key cannot be used to decrypt it
Sender uses the recipient's public key to encrypt the message; the recipient uses his/her private key to decrypt it

Public Key Cryptography: A Simple Case
(figure slide)

Public Key Encryption Using Digital Signatures and Hash Digests
Hash function:
◦ Mathematical algorithm that produces a fixed-length number called a message digest or hash digest
The hash digest of the message is sent to the recipient along with the message to verify integrity
Hash digest and message are encrypted with the recipient's public key
The entire cipher text is then encrypted with the sender's private key, creating a digital signature, for authenticity and nonrepudiation

Developing an E-commerce Security Plan
◦ Authorization policies, authorization management systems
◦ Security audit

The Role of Laws and Public Policy
Laws that give authorities tools for identifying, tracing, and prosecuting cybercriminals:
The Ministry of Information Technology (MoIT) has finalized a draft proposal to make provision for the prevention of electronic crimes in the country
The Act is named the Prevention of Electronic Crimes Act, 2014
IT Policy of Pakistan covers:
◦ Multimedia Convergence Act
◦ Electronic Government Act
◦ Electronic Commerce Act
◦ Protection of privacy, security, and confidentiality
◦ Legislation and Regulations
◦ Digital Signature Act
◦ Computer Crimes Act

Types of Traditional Payment Systems
Cash
◦ Most common form of payment in terms of number of transactions
◦ Instantly convertible into other forms of value without intermediation
Payment through check transfer
◦ Second most common payment form in the United States in terms of number of transactions
Credit card
◦ Credit card associations (VISA & MasterCard)
◦ Issuing banks
◦ Processing centers

Types of Traditional Payment Systems (continued)
Stored value
◦ Funds deposited into an account, from which funds are paid out or withdrawn as needed, e.g., debit cards, gift certificates, etc.
◦ Peer-to-peer payment systems, e.g., prepaid cards
Accumulating balance
◦ Accounts that accumulate expenditures and to which consumers make periodic payments
◦ Examples: utility bills, phone, American Express accounts

(Table 5.6, page 312; source: adapted from MacKie-Mason and White, 1996)

E-commerce Payment Systems
Credit cards: 55% of online payments in 2009
Debit cards: 28% of online payments in 2009
Limitations of online credit card payment:
Security: no security for either client or merchant
Cost:
◦ Almost no cost to the customer if paid in time
◦ The merchant pays 3.5% to the bank; if intermediaries like PayPal are used, there is an additional charge of 1.5%

How an Online Credit Transaction Works
(figure slide)

E-commerce Payment Systems
Digital wallets
◦ Emulate the functionality of a wallet by authenticating the consumer, storing and transferring value, and securing the payment process from consumer to merchant
◦ Early efforts to popularize them failed
◦ Newest effort: Google Checkout
Digital cash
◦ Value storage and exchange using tokens
◦ Most early examples have disappeared; protocols and practices too complex

E-commerce Payment Systems
Online stored value systems
◦ Based on value stored in a consumer's bank, checking, or credit card account
◦ PayPal, smart cards
Digital accumulated balance payment
◦ Users accumulate a debit balance for which they are billed at the end of the month
Digital checking
◦ Extends the functionality of existing checking accounts for use online

Wireless Payment Systems
Use of mobile handsets as payment devices is well established in Europe, Japan, and South Korea
Japanese mobile payment systems:
◦ E-money (stored value)
◦ Mobile debit cards
◦ Mobile credit cards
Not as well established yet in the United States
◦ Majority of purchases are digital content for use on the cell phone

Is Your Smart Phone Secure?
All mobile users carry their privacy with them
Many free applications are built to grab information from smart phones
These applications work by harvesting pictures, passwords, bank account details, etc.
Smartphones are susceptible to browser-based malware

The Players: Hackers, Crackers, and Attackers
The original hackers created the Unix operating system and helped build the Internet, Usenet, and the World Wide Web, and used their skills to test the strength and integrity of computer systems
Over time, the term "hacker" came to be applied to rogue programmers who illegally break into computers and networks
Underground hackers:
◦ http://www.defcon.org/
◦ http://www.blackhat.com/
◦ http://www.2600.com/

The Players: Hackers, Crackers & Attackers (continued)
Uber Haxor
◦ Wizard Internet hackers
◦ Highly capable attackers
◦ Responsible for writing most of the attacker tools
Crackers
◦ People who engage in unlawful or damaging hacking; short for "criminal hacking"
◦ Cracking software keys and securities for piracy
Other attackers
◦ "Script kiddies" are ego-driven, unskilled crackers who use information and software (scripts) that they download from the Internet to inflict damage on targeted sites
◦ Scorned by both the law enforcement and hacker communities

Script Kiddies [very common]
The lowest form of cracker; script kiddies make mischief with scripts and rootkits written by others, often using tools without understanding them
People with limited technical expertise using easy-to-operate, pre-configured, and/or automated tools to conduct disruptive activities against networked systems
Since most of these tools are fairly well known by the security community, the adverse impact of such actions is usually minimal
People who cannot program themselves, but who create tacky HTML pages by copying JavaScript routines from other tacky HTML pages
More generally, a script kiddie writes (or more likely cuts and pastes) code without either having or desiring to have a mental model of what the code does
References:
◦ http://www.catb.org/jargon/html/S/script-kiddies.html
◦ http://www.tamingthebeast.net/articles/scriptkiddies.htm

End of T1-Lecture-10: E-Commerce Technology Solution, Management Policies and Payment Systems, Chapter 04, Part II
Thank You
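The two-key encryption and hash-digest signature flow from the Public Key Encryption slides above, as an added worked example that is not part of the lecture slides or the Pearson text: a toy RSA written with only Python's standard library, signing the digest with the sender's private key and encrypting the message with the recipient's public key, and checking the slides' claim that the key used to encrypt cannot decrypt. Assumptions: constructed small primes (999983, 1000003, 10007, 10009), one RSA block per byte, and SHA-256 as the hash function; these are classroom sizes, not a secure implementation.

```python
import hashlib
from math import gcd

def make_keypair(p, q, e=65537):
    """Toy RSA key pair from two primes: public (e, n), private (d, n)."""
    n = p * q                        # modulus shared by the two related keys
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)              # private exponent: modular inverse of e (Python 3.8+)
    return (e, n), (d, n)

def rsa_apply(key, value):
    """Apply one key to one integer block: value^k mod n."""
    k, n = key
    return pow(value, k, n)

# Confidentiality: encrypt with the recipient's PUBLIC key, decrypt with the PRIVATE key.
def encrypt(message: bytes, recipient_public):
    return [rsa_apply(recipient_public, b) for b in message]   # one block per byte (toy only)

def decrypt(blocks, recipient_private):
    return bytes(rsa_apply(recipient_private, c) for c in blocks)

# Integrity: a fixed-length hash digest travels with the message.
def hash_digest(message: bytes) -> bytes:
    return hashlib.sha256(message).digest()          # always 32 bytes, whatever the input size

# Authenticity / nonrepudiation: the digest signed with the sender's PRIVATE key.
def sign(message: bytes, sender_private):
    n = sender_private[1]
    return rsa_apply(sender_private, int.from_bytes(hash_digest(message), "big") % n)

def verify(message: bytes, signature: int, sender_public):
    n = sender_public[1]
    return rsa_apply(sender_public, signature) == int.from_bytes(hash_digest(message), "big") % n

def demo():
    alice_pub, alice_priv = make_keypair(999983, 1000003)   # sender (constructed primes)
    bob_pub, bob_priv = make_keypair(10007, 10009)          # recipient, a separate key pair
    msg = b"pay 100"                                        # constructed sample message
    sig = sign(msg, alice_priv)                             # Alice signs with her private key
    blocks = encrypt(msg, bob_pub)                          # ...and encrypts for Bob only
    return {
        "roundtrip": decrypt(blocks, bob_priv) == msg,
        "public_key_cannot_decrypt": [rsa_apply(bob_pub, c) for c in blocks] != list(msg),
        "digest_changes_on_tamper": hash_digest(msg) != hash_digest(b"pay 900"),
        "signature_ok": verify(msg, sig, alice_pub),
        "forged_message_rejected": not verify(b"pay 900", sig, alice_pub),
    }
```

Every entry returned by demo() is True: only Bob's private key recovers the message, and a changed message no longer matches Alice's signature.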