Chapter 19 Protecting E-Commerce systems
Dec 19, 2015
Is IT different?
There is some discussion that IT today is no different from past enabling technologies:
Telegraph
Electricity
Rail
TV
Is IT becoming a commodity item?
Credit Cards
Used for payment on the net
In the 70's: Mail Order / Telephone Order (MOTO)
Retailer did not have the card for inspection
Used expiration date as "password"
Delivery to the card holder's address
Liability fully on the merchant
Forgery
Skimming
Passing the card through another device to capture data
Can be caught by looking at where the card was used
Skimming II
Do not bill for the merchandise; save the data and use it a year later, so there is no record of the card being used at the crooked merchant
Fraud detection
Anomaly detection
Travel patterns
Patterns of misuse
Profiling
Bonuses for spotting fraud
Online is more difficult: based on where the transaction originated from
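Travel-pattern anomaly detection as an added example (not from the slides): consecutive transactions on the same card whose origins are too far apart for the elapsed time are flagged. The sample transactions and the 900 km/h plausibility threshold are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0  # assumption: roughly airliner speed


@dataclass
class Txn:
    card: str  # masked card reference, never the full PAN
    when: datetime
    lat: float
    lon: float
    merchant: str


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(txns, max_kmh=MAX_PLAUSIBLE_KMH, min_km=50.0):
    """Flag consecutive same-card transactions whose distance apart could
    not be covered in the elapsed time. Returns (prev, cur, implied_kmh)."""
    by_card = {}
    for t in sorted(txns, key=lambda t: t.when):
        by_card.setdefault(t.card, []).append(t)
    flagged = []
    for seq in by_card.values():
        for prev, cur in zip(seq, seq[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if dist < min_km:  # same city: geolocation jitter, not travel
                continue
            hours = (cur.when - prev.when).total_seconds() / 3600
            speed = dist / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                flagged.append((prev, cur, speed))
    return flagged


# Constructed sample: card-1 is used in London, then in Sydney three hours later.
SAMPLE = [
    Txn("card-1", datetime(2015, 12, 19, 9, 0), 51.5074, -0.1278, "London cafe"),
    Txn("card-1", datetime(2015, 12, 19, 12, 0), -33.8688, 151.2093, "Sydney electronics"),
    Txn("card-1", datetime(2015, 12, 20, 10, 0), -33.8700, 151.2100, "Sydney hotel"),
    Txn("card-2", datetime(2015, 12, 19, 9, 0), 40.7128, -74.0060, "NYC grocery"),
    Txn("card-2", datetime(2015, 12, 19, 18, 0), 42.3601, -71.0589, "Boston bookshop"),
]

if __name__ == "__main__":
    for prev, cur, kmh in impossible_travel(SAMPLE):
        print(f"{cur.card}: {prev.merchant} -> {cur.merchant} implies {kmh:.0f} km/h")
```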
Online Credit Card Fraud
SSL makes you "feel" better
Most credit card theft is not "in transit"
Visa guide http://usa.visa.com/download/business/accepting_visa/ops_risk_management/visa_risk_management_guide_ecommerce.pdf?it=search
One-time virtual card numbers http://www.citibank.com/us/cards/tour/cb/shp_van.htm
E-commerce site risks
Fraud ➔
◆ Customer uses a stolen card or account number to fraudulently purchase goods/services online.
◆ Family member uses bankcard to order goods/services online, but has not been authorized to do so.
◆ Customer falsely claims that he or she did not receive a shipment.
◆ Hackers find their way into an e-commerce merchant's payment processing system and then issue credits to hacker card account numbers.
E-commerce site risks
Account Information Theft (Cyber-Thieves) ➔
◆ Hackers capture customer account data during transmission to/from merchant.
◆ Hackers gain access to service provider's unprotected payment processing systems and steal cardholder account data.
E-commerce site risks
Account Information Theft (Physical Site) ➔
◆ Unauthorized individual accesses and steals cardholder data stored at merchant or service provider site and fraudulently uses or sells it for unauthorized use or identity theft purposes.
◆ Unscrupulous merchant or service provider employee steals cardholder data and fraudulently uses or sells it for unauthorized use or identity theft purposes.
◆ Dumpster-divers steal unshredded account information from trash bins at merchant or service provider location.
E-commerce site risks
Customer Disputes and Chargebacks ➔
◆ Goods or services are not as described on the Website.
◆ Customer is billed before goods/services are shipped or delivered.
◆ Confusion and disagreement between customer and merchant over return and refund.
◆ Customer is billed twice for the same order and/or billed for an incorrect amount.
◆ Customer doesn't recognize the merchant name on statement because merchant uses a service provider to handle billing.
Proper site design
The credit card number only "exists" for a short period of time in an accessible location.
Use of data pumps can assure it doesn't move out to an accessible location.
http://www.securius.com/newsletters/Learn_to_Forget.html
http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_Industry_Letter_to_Merchants.pdf
http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf
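The short-lived card number and one-way data pump described above, modelled as an added example (not from the slides or any vendor's code): the web tier pushes the PAN through a write-only pump to the payment tier and persists only an opaque reference and the last four digits, and a scan over the web tier's records checks that no card-number-length digit run leaked. The pump, the processor side and the well-known test card number are constructed.

```python
import re
from dataclasses import asdict, dataclass
from secrets import token_hex

PAN_RUN = re.compile(r"\b\d{13,19}\b")  # candidate card-number digit runs


@dataclass(frozen=True)
class OrderRecord:
    """What the accessible (web) tier is allowed to keep about a payment."""
    order_id: str
    amount_cents: int
    card_last4: str
    payment_ref: str  # opaque reference; cannot be turned back into a PAN here


class OneWayPump:
    """Constructed model of a data pump: the web tier is handed only send(),
    the protected payment tier alone calls drain(). Nothing flows back."""
    def __init__(self):
        self._queue = []

    def send(self, payment_ref, pan, amount_cents):
        self._queue.append((payment_ref, pan, amount_cents))

    def drain(self):
        items, self._queue = self._queue, []
        return items


def checkout(order_id, amount_cents, pan, pump_send):
    """Web-tier handler. The PAN lives only for the duration of this call:
    it goes through the pump and the persisted record keeps the last four."""
    digits = re.sub(r"\D", "", pan)
    payment_ref = token_hex(16)
    pump_send(payment_ref, digits, amount_cents)
    return OrderRecord(order_id, amount_cents, digits[-4:], payment_ref)


def scan_for_pan(text):
    """Control for the accessible tier: any 13-19 digit run in an order
    store, log or backup is a candidate leaked card number."""
    return PAN_RUN.findall(text)


def demo():
    """Run one constructed checkout with a well-known test PAN (not a real card)."""
    pump = OneWayPump()
    store = [checkout("A-1001", 4999, "4111 1111 1111 1111", pump.send)]
    web_tier_text = "\n".join(str(asdict(r)) for r in store)
    return store, web_tier_text, pump.drain()


if __name__ == "__main__":
    store, text, protected = demo()
    print("web tier leaks:", scan_for_pan(text), "| payment tier received PAN ending", protected[0][1][-4:])
```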
B2B systems
EDI
Commercial
Lack of legal documents
Healthcare confidentiality
New techniques
Hard to introduce, for instance a new payment method
Merchants need equipment
Customers must generate demand
VHS versus Beta format
Study of this in Metaverse (adopters)
IT Markets
Technology has high fixed cost, low marginal cost
High costs to switch technologies leading to lock-in
Value of product depends on how many adopt it.
Other issues
Pricing: free limited version, basic service, gold premium version
The free version ups the number using it; the others make money
Switching cost: monthly charges match the hassle of changing
Trying to achieve monopolies: Microsoft Passport
XML makes comparison shopping bots easier to write
Special offers and errors spread rapidly
Specific Vulnerabilities: Web
SQL Injection (covered)
XSS (Cross Site Scripting)
Not really cross site; exploits holes in the site
Similar in concept to SQL injection, but inserts malicious code in variables
http://en.wikipedia.org/wiki/Cross-site_scripting
http://www.cgisecurity.com/articles/xss-faq.shtml
http://ha.ckers.org/xss.html
Articles
SSL article
Microsoft Passport from a business perspective
Previous articles
Firewall
http://en.wikipedia.org/wiki/Firewall_%28networking%29
http://www.firewall-software.com/firewall_faqs/types_of_firewall.html
http://www.vicomsoft.com/knowledge/pdfs/firewall_qa.pdf
Previous articles
Passport
http://blogs.zdnet.com/Bott/?p=30
Business "looks"
http://www.ciphertrust.com/resources/articles/articles/roi_4_intrusion.php
http://news.com.com/Insecure+networks+could+lead+to+lawsuits/2009-1033_3-940460.html
List of resources
Credit card fraud
http://en.wikipedia.org/wiki/Credit_card_fraud
MOTO
http://www.e-com.sbdc.com.au/e-trade/four/4.htm
http://usa.visa.com/download/business/accepting_visa/ops_risk_management/visa_risk_management_guide_ecommerce.pdf?it=search
List of Resources
Prevention
http://www.citibank.com/us/cards/tour/cb/shp_van.htm
Fuzz testing
http://en.wikipedia.org/wiki/Fuzz_testing