1 Final Review
Page 1: 1 Final Review 2 E-Commerce Security Part I – Threats.

1

Final Review

2

E-Commerce Security: Part I – Threats

3

Objectives

• Threats to:
  – intellectual property rights
  – client computers
  – communication channels between computers
  – server computers

4

Security Overview

• Computer security is the protection of assets from unauthorized access, use, alteration, or destruction.

• Two types of security:
  • Physical security - includes tangible protection devices, such as alarms and guards.
  • Logical security - protection of assets using nonphysical means.

5

Security Overview

• Any act or object that poses a danger to computer assets is known as a threat.

• A countermeasure is a procedure that recognizes, reduces, or eliminates a threat.

6

Security Overview

• An eavesdropper is a person or device that can listen in on and copy Internet transmissions.

• People who write programs or manipulate technologies to obtain unauthorized access to computers and networks are called crackers or hackers.

7

Privacy vs. Security

• Privacy – is the protection of individual rights to nondisclosure

• Security – provides protection from inadvertent information disclosure

8

Privacy

• Privacy Act of 1974 – information you provide to a government agency will not be disclosed to anyone outside of that agency.

• Cookie – is a small data file that some Web sites write to your hard drive when you view the Web site. This file can be retrieved by any server in the domain that created it.

9

Computer Security Classification

• Secrecy refers to protecting against unauthorized data disclosure and ensuring the authenticity of the data’s source.

• Integrity refers to preventing unauthorized data modification.

• Necessity refers to preventing data delays or denials.

10

Security Policy

• Specific elements of a security policy address the following points:
  • Authentication: Who is trying to access the electronic commerce site?
  • Access control: Who is allowed to log on to and access the electronic commerce site?
  • Secrecy: Who is permitted to view selected information?
  • Data integrity: Who is allowed to change data, and who is not?
  • Audit: Who or what causes selected events to occur and when?

11

Intellectual Property Threats

• Copyright is the protection of expression.

• Intellectual property is the ownership of ideas and control over the tangible or virtual representation of those ideas.

• U.S. Copyright Act of 1976 - Copyright Clearance Center provides copyright information.

12

Domain Names

• Issues of intellectual property rights for Internet domain names:
  • Cybersquatting
  • Name changing
  • Name stealing

13

Cybersquatting

• Cybersquatting is the practice of registering a domain name that is the trademark of another person or company in the hopes that the owner will pay huge amounts of money to acquire the URL.

• On November 29, 1999, the U.S. Anticybersquatting Consumer Protection Act was signed into law.

14

Name Changing

• Name changing occurs when someone registers purposely misspelled variations of well-known domain names.

• The practice of name changing is annoying to affected online businesses and confusing to their customers.

15

Name Stealing

• Name stealing occurs when someone changes the ownership of the domain name assigned to another site and owner.

• After domain name ownership is changed, the name stealer can manipulate the site.

16

Active Content

• A Trojan horse is a program hidden inside another program or Web page that masks its true purpose.

• A Zombie is a program that secretly takes over another computer for the purpose of launching attacks on other computers.

• Malicious ‘cookies’ can destroy files stored on client computers.

17

Applets/JavaScript/VBScript

• Java applet adds functionality to business applications and can handle transactions and a wide variety of actions on the client computer.

• JavaScript/VBScript is a scripting language that enables Web page designers to build active content.

• JavaScript/VBScript can invoke privacy and integrity attacks by executing code that destroys your hard disk.

18

ActiveX Controls

• ActiveX is an object that contains programs and properties that Web designers place on Web pages to perform particular tasks.

• Because ActiveX controls have full access to your computer, they can cause secrecy, integrity, or necessity violations.

19

Virus

• A virus is software that attaches itself to another program and can cause damage when the host program is activated.

• Worm viruses replicate themselves on other machines.

• A macro virus is coded as a small program and is embedded in a file.

• The term steganography describes information that is hidden within another piece of information.

20

Communication Channel Threats

• The Internet is not at all secure.

• Messages on the Internet travel a random path from a source node to a destination node.

• Internet channel security threats include:
  • secrecy
  • integrity
  • necessity

21

Secrecy Threats

• Secrecy is the prevention of unauthorized information disclosure – it is a technical issue requiring sophisticated physical and logical mechanisms.

• Privacy is the protection of individual rights to nondisclosure - Privacy protection is a legal matter.

22

Secrecy Threats

• Web users are continually revealing information about themselves when they use the Web.

• Sniffer programs provide the means to tap into the Internet and record information that passes through a particular computer (router) on its way from its source to its destination. The programs can read e-mail messages as well as E-commerce information.

23

Integrity Threats

• An integrity threat exists when an unauthorized party can alter a message stream of information.

• Cyber vandalism is an example of an integrity violation.

• Masquerading or spoofing is one means of creating havoc on Web sites.

24

Necessity Threats

• The purpose of a necessity threat is to disrupt normal computer processing or to deny processing entirely.

• Necessity threats are also known as delay, denial, or denial-of-service (DoS) threats.

25

Web Server Threats

• Servers have vulnerabilities that can be exploited to cause destruction or to acquire information illegally.

• Server threats include:
  • Web server threats
  • database threats
  • common gateway interface threats
  • other programming threats

26

Common Gateway Interface Threats

• Because CGIs are programs, they present a security threat if misused.

• CGI scripts can be set up to run with high privileges, which can cause a threat.

• CGI programs or scripts can reside just about anywhere on the Web server, which makes them hard to track down and manage.

27

Other Programming Threats

• Another serious Web server attack can come from programs executed by the server.

• A mail bomb occurs when thousands of people send a message to a particular address.

28

E-Commerce Security: Part II – Security Techniques

29

Objectives

• Specific security objectives for protecting:
  – Web business assets and customer privacy
  – client computers from security threats
  – information as it travels through the Internet communication channel
  – the security of Web server computers

• Organizations that promote computer, network, and Internet security

30

Protecting Privacy

• Cookies contain private information that can include credit card data, passwords, and login information.

• The best way to protect your privacy is to disable cookies entirely.

31

Protecting Client Computers

• Client computers must be protected from threats.

• Active content can be one of the most serious threats to client computers.

32

Digital Certificates

• A digital certificate verifies that a user or Web site is who it claims to be.

• The digital certificate contains a means for sending an encrypted message to the entity that sent the original Web page or message.

• A Web site’s digital certificate is a shopper’s assurance that the Web site is the real store.

33

Using Antivirus Software

• Antivirus software is a defense strategy.

• One of the most likely places to find a virus is in an electronic mail attachment.

• Some Web e-mail systems let users scan attachments using antivirus software before downloading e-mail.

34

Communication Channel Security

• Integrity violations can occur whenever a message is altered while in transit between the sender and receiver.

• To ensure transaction integrity, two separate algorithms are applied to a message:
  • Hash function
  • Digital signature

35

Hash Functions

• Hash algorithms are one-way functions.

• A hash algorithm has these characteristics:
  • It uses no secret key.
  • The message digest cannot be inverted to produce the original information.
  • The algorithm and information about how it works are publicly available.

36

Digital Signature

• An encrypted message digest is called a digital signature.

• A purchase order accompanied by the digital signature provides the merchant positive identification of the sender and assures the merchant that the message was not altered.

• Used together, public-key encryption, message digests, and digital signatures provide quality security for Internet transactions.

37

Digital Signatures

38

Encryption

• Encryption is the coding of information by a mathematically based program and a secret key to produce a string of characters that is unintelligible.

• The program that transforms text into cipher text is called an encryption program.

• Upon arrival, each message is decrypted using a decryption program.

39

Three Types of Encryption

• “Hash coding” is a process that uses a hash algorithm to calculate a hash value from a message.

• “Asymmetric encryption,” or public-key encryption, encodes messages by using two mathematically related numeric keys: a public key and a private key.

• “Symmetric encryption,” or private-key encryption, encodes a message using a single numeric key to encode and decode data.

40

Encryption Methods

41

Encryption: Single Key

[Figure: Makiko and Takao. Public keys: Makiko 29, Takao 17. Private keys: Makiko 13, Takao 37. Makiko encrypts the message using Takao’s public key; Takao decrypts it using Takao’s private key.]

Makiko sends message to Takao that only he can read.

42

Dual Key: Authentication

[Figure: Public keys: Makiko 29, Takao 17. Private keys: Makiko 13, Takao 37. The message is encrypted with Takao’s private key (Encrypt+T) and with Makiko’s public key (Encrypt+T+M) before transmission; Makiko’s private key and Takao’s public key remove the two layers (Encrypt+M, Message).]

Takao sends message to Makiko: His key guarantees it came from him. Her key prevents anyone else from reading the message.
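
The hash-then-sign flow of slides 34 to 36, the three encryption types of slide 39, and the Makiko/Takao exchange above, worked as an added Python example that is not part of the original slides. Everything in it is constructed for the illustration: the key pairs, the public exponent, the purchase-order text and the function names. The slide's small numeric keys (29, 17, 13, 37) are replaced with Mersenne-prime moduli so that a SHA-256 digest fits under the modulus, and the arithmetic is unpadded textbook RSA for teaching only; real systems use a vetted library with padding (RSA-PSS, OAEP) or an ECDSA scheme.

```python
import hashlib

# Constructed toy key material: Mersenne primes keep the example self-contained
# and dependency-free.  Textbook (unpadded) RSA for illustration only.
TAKAO_PRIMES = (2**521 - 1, 2**127 - 1)
MAKIKO_PRIMES = (2**607 - 1, 2**107 - 1)
PUBLIC_EXPONENT = 65537


def make_keypair(p, q, e=PUBLIC_EXPONENT):
    """Return ((e, n), (d, n)): the public key and the private key for primes p, q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def message_digest(message: bytes) -> int:
    """Hash coding (slide 39): a keyless, one-way SHA-256 digest as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key) -> int:
    """Digital signature (slide 36): the digest 'encrypted' with the signer's private key."""
    d, n = private_key
    return pow(message_digest(message), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Recover the digest with the signer's public key and compare it with a fresh one.
    Any change to the message, or a signature made with another key, fails here."""
    e, n = public_key
    return pow(signature, e, n) == message_digest(message)


def encrypt_int(x: int, public_key) -> int:
    """Asymmetric encryption of an integer smaller than the modulus."""
    e, n = public_key
    if not 0 <= x < n:
        raise ValueError("value too large for this key")
    return pow(x, e, n)


def decrypt_int(c: int, private_key) -> int:
    d, n = private_key
    return pow(c, d, n)


def takao_sends(message: bytes, takao_private, makiko_public):
    """Slide 42 flow: sign with Takao's private key, then encrypt both message and
    signature with Makiko's public key so that only she can read them."""
    signature = sign(message, takao_private)
    as_int = int.from_bytes(message, "big")
    return encrypt_int(as_int, makiko_public), encrypt_int(signature, makiko_public)


def makiko_receives(transmission, makiko_private, takao_public):
    """Decrypt with Makiko's private key, then check the signature with Takao's
    public key.  Returns (message, signature_is_valid)."""
    c_msg, c_sig = transmission
    as_int = decrypt_int(c_msg, makiko_private)
    signature = decrypt_int(c_sig, makiko_private)
    message = as_int.to_bytes((as_int.bit_length() + 7) // 8, "big")
    return message, verify(message, signature, takao_public)


def demo():
    takao_public, takao_private = make_keypair(*TAKAO_PRIMES)
    makiko_public, makiko_private = make_keypair(*MAKIKO_PRIMES)
    order = b"PO-1001: 12 units, ship to Osaka"  # constructed purchase order

    transmission = takao_sends(order, takao_private, makiko_public)
    received, ok = makiko_receives(transmission, makiko_private, takao_public)

    # Merchant-side integrity check: the same signature over an altered order fails.
    signature = sign(order, takao_private)
    tampered_ok = verify(b"PO-1001: 13 units, ship to Osaka", signature, takao_public)
    return received == order and ok and not tampered_ok


if __name__ == "__main__":
    print("sign-then-encrypt round trip and tamper detection OK:", demo())
```

The signature covers the digest rather than the whole order, which is why the hash function on slide 35 has to be one-way and keyless: anyone can recompute the digest, but nobody can produce a second order with the same digest or a valid signature without Takao's private key.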

43

Protecting the Web Server

• Security solutions for commerce servers:
  • Access control and authentication
  • Operating system controls
  • Firewall

44

Access Control & Authentication

• Access control and authentication refers to controlling who and what has access to the commerce server.

• Authentication is performed using digital certificates.

• Web servers often provide access control list security to restrict file access to selected users.

45

Access Control & Authentication

• The server can authenticate a user in several ways:
  • First, the certificate represents the user’s admittance voucher.
  • Second, the server checks the timestamp on the certificate to ensure that the certificate has not expired.
  • Third, a server can use a callback system to check the user’s client computer address and name.

• An access control list (ACL) is a list or database of people who can access the files and resources.

46

Dial Back Modem

[Figure: the user’s machine, the phone company, and the company modem with its callback database: Jones 1111, Smith 2222, Olsen 3333, Araha 4444.]

1) User calls computer.
2) Modem answers.
3) User enters name and password.
4) Modem hangs up.
5) Modem dials phone number in database.
6) User machine answers.
7) User gets access.

If a hacker somehow gets the name and password, the company modem will still hang up and call back the number in the database, preventing the hacker from accessing the computer.

47

User Identification

• Passwords
  – A dial-up service found 30% of people used the same word
  – People choose obvious words

• Hints
  – Don’t use real words or personal names
  – Include non-alphabetic characters
  – Change often
  – Use at least 6 characters
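
The seven-step dial-back procedure of slide 46 and the password hints of slide 47, combined into one added Python simulation that is not part of the original slides. The account names and callback numbers come from the slide's table; the word list, the passwords, the class and function names, and the choice of salted PBKDF2 for storing credentials are all constructed for this example.

```python
import hashlib
import os
import secrets
from dataclasses import dataclass

# Constructed stand-in for a dictionary of "real words"; a deployment would use a
# full dictionary plus a breached-password list.
COMMON_WORDS = {"password", "welcome", "secret", "letmein", "summer", "dragon"}


def password_violations(password: str, user_name: str, common_words=COMMON_WORDS):
    """Return the slide's hints that the password breaks (empty list = acceptable)."""
    problems = []
    if len(password) < 6:
        problems.append("fewer than 6 characters")
    if all(ch.isalpha() for ch in password):
        problems.append("no non-alphabetic character")
    lowered = password.lower()
    if lowered in common_words or lowered == user_name.lower():
        problems.append("real word or personal name")
    return problems


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash so the database never holds clear-text passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    callback_number: str  # the only number the modem will ever dial for this user


class DialBackModem:
    """Simulates steps 1-7 of the slide: answer, check credentials, hang up,
    dial the number on file, grant access on the callback line."""

    def __init__(self):
        self.accounts = {}
        self.log = []

    def enroll(self, name: str, password: str, callback_number: str):
        problems = password_violations(password, name)
        if problems:
            raise ValueError(f"weak password for {name}: {', '.join(problems)}")
        salt = os.urandom(16)
        self.accounts[name] = Account(salt, hash_password(password, salt), callback_number)

    def handle_call(self, calling_number: str, name: str, password: str):
        """Return the number the modem dials back, or None if the call is refused."""
        self.log.append(f"1-2: call from {calling_number} answered, credentials requested")
        account = self.accounts.get(name)
        if account is None:
            self.log.append("3: unknown user, hung up")
            return None
        # Constant-time comparison avoids leaking how many bytes of the hash matched.
        if not secrets.compare_digest(hash_password(password, account.salt), account.digest):
            self.log.append("3: bad password, hung up")
            return None
        self.log.append("4: credentials accepted, modem hangs up")
        # The caller's own line is deliberately ignored: the database decides.
        self.log.append(f"5: dialling {account.callback_number} from the database")
        self.log.append("6-7: user machine answers, access granted")
        return account.callback_number
```

The property the slide describes shows up in `handle_call`: a correct name and password presented from any line still produce a callback to the number on file, so stolen credentials alone do not reach the computer. Enrollment applies the password hints, which is where a real system also forces the "change often" rule with an expiry date.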

48

Biometrics

• Alternatives: Biometrics
  – Finger/hand print
  – Voice recognition
  – Retina/blood vessels
  – Thermal

• Comments
  – Don’t have to remember
  – Reasonably accurate
  – Price is dropping
  – Nothing is perfect

49

Biometrics: Thermal

Several methods exist to identify a person based on biological characteristics. Common techniques include fingerprint, handprint readers, and retinal scanners. More exotic devices include body shape sensors and this thermal facial reader which uses infrared imaging to identify the user.

50

Firewalls

• A firewall is a computer and software combination that is installed at the entry point of a networked system.

• The firewall provides the first line of defense between a network and the Internet or other network that could pose a threat.

• Acting as a filter, firewalls permit selected messages to flow into and out of the protected network.

51

Types of Firewalls

• Packet-filter firewalls examine all the data flowing back and forth between the trusted network and the Internet.

• Gateway servers are firewalls that filter traffic based on the application being requested.

• Proxy servers are firewalls that communicate with the Internet on the private network’s behalf.
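
The packet-filter firewall of slides 50 and 51 as an added Python example that is not part of the original slides: a first-match rule list in front of a trusted network, with default deny for anything no rule allows. The addresses (documentation ranges), the ruleset, the sample packets and the class names are constructed; the anti-spoofing rule at the top reflects the masquerading threat on slide 23 rather than anything the firewall slides state.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str            # "in" = arriving from the Internet, "out" = leaving the trusted network
    protocol: str             # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    direction: str
    protocol: str             # "any" matches every protocol
    src_net: str              # CIDR; "0.0.0.0/0" means any address
    dst_net: str
    dst_port: Optional[int] = None   # None matches any port

    def matches(self, pkt: Packet) -> bool:
        return (
            self.direction == pkt.direction
            and self.protocol in ("any", pkt.protocol)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst_net)
            and self.dst_port in (None, pkt.dst_port)
        )


class PacketFilter:
    """First matching rule decides; a packet no rule matches is dropped (default deny)."""

    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return "deny"


# Constructed ruleset: trusted network 192.0.2.0/24 with a public web server at 192.0.2.10.
RULES = [
    # Inbound packets claiming an inside source address are spoofed: drop them first.
    Rule("deny", "in", "any", "192.0.2.0/24", "0.0.0.0/0"),
    # Only the web server's HTTPS and HTTP ports are reachable from the Internet.
    Rule("allow", "in", "tcp", "0.0.0.0/0", "192.0.2.10/32", 443),
    Rule("allow", "in", "tcp", "0.0.0.0/0", "192.0.2.10/32", 80),
    # Anything the trusted network sends out may leave.
    Rule("allow", "out", "any", "192.0.2.0/24", "0.0.0.0/0"),
]


def demo():
    fw = PacketFilter(RULES)
    samples = [
        Packet("in", "tcp", "198.51.100.7", "192.0.2.10", 443),   # shopper to web server
        Packet("in", "tcp", "198.51.100.7", "192.0.2.10", 23),    # telnet to web server
        Packet("in", "tcp", "198.51.100.7", "192.0.2.55", 443),   # internal workstation
        Packet("in", "tcp", "192.0.2.99", "192.0.2.10", 443),     # spoofed inside source
        Packet("out", "tcp", "192.0.2.55", "203.0.113.9", 443),   # staff browsing out
    ]
    return [fw.decide(p) for p in samples]
```

Rule order matters: the spoofing rule has to precede the allow rules, otherwise an inbound packet forging an inside source address to the web server's port 443 would be admitted. A packet filter sees only headers, which is the gap the gateway and proxy servers on the slide close by looking at the application.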

52

E-Commerce Payment System

53

Learning Objectives

• The basic functions of payment systems that are used in electronic commerce
• The history and future of electronic cash
• How electronic wallets work
• The use of stored-value cards in electronic commerce

54

Payment Cards

• Payment cards are all types of plastic cards that consumers use to make purchases:
  – Credit cards
    • such as a Visa or a MasterCard, have a preset spending limit based on the user’s credit limit.
  – Debit cards
    • remove the amount of the charge from the cardholder’s account and transfer it to the seller’s bank.
  – Charge cards
    • such as one from American Express, carry no preset spending limit.

55

Advantages & Disadvantages of Payment Cards

• Advantages:
  • Payment cards provide fraud protection.
  • Worldwide acceptance.
  • Good for online transactions.

• Disadvantages:
  • Payment card service companies charge merchants per-transaction fees and monthly processing fees.

56

Payment Acceptance and Processing

• Open and closed loop systems will accept and process payment cards.

• A merchant bank or acquiring bank is a bank that does business with merchants who want to accept payment cards.

• Software packaged with electronic commerce software can handle payment card processing automatically.

57

Electronic Cash

• Electronic cash is a general term that describes the attempts of several companies to create a value storage and exchange system.

• Concerns about electronic payment methods include:
  • Privacy
  • Security
  • Independence
  • Portability
  • Convenience

58

Electronic Cash

• Electronic cash should have two important characteristics in common with real currency:
  • It must be possible to spend electronic cash only once.
  • Electronic cash ought to be anonymous.

• The most important characteristic of cash is convenience. If electronic cash requires special hardware or software, it will not be convenient for people to use.

59

Providing Security for Electronic Cash

• To prevent double spending, the main security feature is the threat of prosecution.

• A complicated two-part lock provides anonymous security that also signals when someone is attempting to double spend cash.

• One way to trace electronic cash is to attach a serial number to each electronic cash transaction.
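
The serial-number tracing of slide 59 and the spend-once rule of slide 58, as an added Python example that is not part of the original slides. The bank attaches a serial number to each coin, authenticates serial and value with an HMAC under a bank-held key (a choice made here; the slides name no mechanism), and refuses any serial it has already accepted. The key, the merchant names, the coin values and the class name are constructed. This scheme is traceable and therefore not anonymous; the slide's "two-part lock" for anonymous double-spend detection is not implemented.

```python
import hashlib
import hmac
import secrets


class ElectronicCashBank:
    """Issues coins with a serial number and detects forgery and double spending."""

    def __init__(self, issuing_key: bytes):
        self._key = issuing_key        # never leaves the bank
        self._spent = set()            # serial numbers already deposited
        self.ledger = []               # the audit trail the slides say pure e-cash lacks

    def _tag(self, serial: str, value: int) -> str:
        # Binds serial and value to the bank's key, so neither can be altered unnoticed.
        return hmac.new(self._key, f"{serial}:{value}".encode(), hashlib.sha256).hexdigest()

    def issue(self, value: int) -> dict:
        serial = secrets.token_hex(16)  # unique, unpredictable serial number
        coin = {"serial": serial, "value": value, "tag": self._tag(serial, value)}
        self.ledger.append(("issued", serial, value))
        return coin

    def deposit(self, coin: dict, merchant: str):
        """Return (accepted, reason).  A forged or altered coin fails the tag check;
        a serial presented a second time is a double spend and is refused."""
        expected = self._tag(coin["serial"], coin["value"])
        if not hmac.compare_digest(expected, coin["tag"]):
            self.ledger.append(("rejected-forged", coin["serial"], merchant))
            return False, "forged or altered coin"
        if coin["serial"] in self._spent:
            self.ledger.append(("rejected-double-spend", coin["serial"], merchant))
            return False, "double spend"
        self._spent.add(coin["serial"])
        self.ledger.append(("deposited", coin["serial"], merchant))
        return True, f"{coin['value']} credited to {merchant}"


def demo():
    bank = ElectronicCashBank(b"constructed-bank-key-not-for-real-use")
    coin = bank.issue(5)
    first = bank.deposit(coin, "shop-A")
    second = bank.deposit(dict(coin), "shop-B")   # the same coin presented again
    inflated = dict(coin, value=500)              # altered value with the stale tag
    third = bank.deposit(inflated, "shop-C")
    return first[0], second[1], third[1]
```

The forgery check runs before the double-spend check so that a tampered copy of an already-spent coin is reported as forged rather than as a replay, and the ledger records every decision, which is exactly the trail the slide on disadvantages says untraceable electronic cash cannot provide.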

60

Advantages of Electronic Cash

• Electronic cash transactions are more efficient and less costly than other methods.

• The distance that an electronic transaction must travel does not affect cost.

• The fixed cost of hardware to handle electronic cash is nearly zero.

• Electronic cash does not require that one party have any special authorization.

61

Disadvantages of Electronic Cash

• Electronic cash provides no audit trail.

• Because true electronic cash is not traceable, money laundering is a problem.

• Electronic cash is susceptible to forgery.

62

PayPal

• PayPal.com is a free service that earns a profit on the float, which is money that is deposited in PayPal accounts.

• The free payment clearing service that PayPal provides to individuals is called a peer-to-peer payment system.

• PayPal allows customers to send money instantly and securely to anyone with an e-mail address, including an online merchant.

63

Smart Card

• A smart card is a plastic card with an embedded microchip containing information about you.

• A smart card can store about 100 times the amount of information that a magnetic strip plastic card can store.

• A smart card contains private user information, such as financial facts, private encryption keys, account information, credit card numbers, health insurance information, etc.

64

Mondex Smart Card

• Mondex is a smart card that holds and dispenses electronic cash.

• Mondex requires special equipment, such as a ‘card reader’, to process.

• Containing a microcomputer chip, Mondex cards can accept electronic cash directly from a user’s bank account.

65

International, Legal, and Ethics Issues

66

Objectives

• International E-commerce
• Laws that govern E-commerce activities
• Ethics issues that arise for companies conducting E-commerce
• Conflicts between a company’s desire to collect and use data about their customers and the privacy rights of those customers
• Taxes that are levied on E-commerce

67

International Nature of E-Commerce

• Businesses engaging in electronic commerce must be aware of the differences in language and customs that make up the culture of any region in which they do business.

• The barriers to international electronic commerce include language, culture, and infrastructure issues.

68

Infrastructure Issues

• Internet infrastructure includes the computers and software connected to the Internet and the communications networks over which message packets travel.

• Regulations in some countries have inhibited the development of the telecommunications infrastructure or limited the expansion of that infrastructure.

69

Subject-Matter Jurisdiction

• Subject-matter jurisdiction is a court’s authority to decide a particular type of dispute.

– In the U.S., federal courts have subject-matter jurisdiction over issues governed by federal law.

– State courts have subject-matter jurisdiction over issues governed by state laws.

70

Personal Jurisdiction

• Personal jurisdiction is determined by the residence of the parties.

• Businesses should be aware of jurisdictional considerations when conducting electronic commerce over state and international lines.

71

Contracting and Contract Enforcement in E-Commerce

• Any contract includes three essential elements: an offer, an acceptance, and consideration.

• The contract is formed when one party accepts the offer of another party.

• Contracts are a key element of traditional business practice and they are equally important on the Internet; they can occur when parties exchange e-mail messages, engage in EDI, or fill out forms on Web pages.

72

Warranties on the Web

• Any contract for the sale of goods includes implied warranties.

• Most firms conducting electronic commerce have little trouble fulfilling warranties.

• Sellers can avoid some implied warranty liability by making a warranty disclaimer.

• To be legally effective, the warranty disclaimer must be stated obviously and must be easy for a buyer to find on the Web site.

73

Authority to Form Contracts

• A contract is formed when an offer is accepted for consideration.

• Problems can arise in electronic commerce since the online nature of acceptance can make it relatively easy for identity forgers to pose as others.

• Digital signatures, however, are an excellent way to establish identity in online transactions.

74

Web Site Content

• A number of other legal issues can arise regarding the Web page content of electronic commerce sites, including:
  • trademark infringement
  • deceptive trade practices
  • regulation of advertising claims
  • defamation

75

Copyright Infringement

• A copyright is a right granted by a government to the author or creator of a literary or artistic work.

• Creations that can be copyrighted include virtually all forms of artistic or intellectual expression: books, music, artworks, recordings (audio and video), architectural drawings, choreographic works, product packaging, and computer software.

76

Patent Infringement

• A patent is an exclusive right to make, use, and sell an invention that a government grants to the inventor.

• To be patentable, an invention must be genuine, novel, useful, and not obvious given the current state of technology.

77

Trademark Infringement

• The owners of registered trademarks have often invested in and developed their trademarks.

• Web site designers must be very careful not to use any trademarked name, logo, or other identifying mark without permission.

78

Defamation

• A defamatory statement is a statement that is false and that injures the reputation of another person or company.

• If the statement injures the reputation of a product, it is called product disparagement.

79

Deceptive Trade Practices

• If the Web page objects being manipulated are trademarked, these manipulations can violate the trademark holder’s right.

• Trademark protection prevents another firm from using the same or a similar name, logo, or other identifying characteristic in a way that would cause confusion.

80

Web-based Crime, Terrorism, and Warfare

• Crimes on the Internet include online versions of crimes, including theft, stalking, distribution of pornography, and gambling.

• A considerable number of Web sites exist today that openly support or are operated by hate groups and terrorist organizations.

81

Ethical Issues

• Companies using Web sites to conduct E-commerce should adhere to the same ethical standards that other businesses follow.

• In general, advertising on the Web should include only true statements - Ethical considerations are important in determining advertising policy on the Web.