Chapter 19 Protecting E-Commerce systems

Dec 19, 2015

Page 1: Chapter 19 Protecting E-Commerce systems. Is IT different? There is some discussion that IT today is no different than past enabling technologies Telegraph.

Chapter 19

Protecting E-Commerce systems

Page 2:

Is IT different?

There is some discussion that IT today is no different than past enabling technologies:
◆ Telegraph
◆ Electricity
◆ Rail
◆ TV

Is IT becoming a commodity item?

Page 3:

Credit Cards

◆ Used for payment on the net
◆ In the 70’s: Mail Order / Telephone Order (MOTO)
◆ Retailer did not have the card for inspection
◆ Used the expiration date as a “password”
◆ Delivery to the card holder’s address
◆ Liability fully on the merchant

Page 4:

Forgery

◆ Skimming: passing the card through another device to capture its data
◆ Can be caught by looking at where the card was used
◆ Skimming II: do not bill for the merchandise, save the data and use it a year later; there is no record of the card being used at the crooked merchant

Page 5:

Fraud detection

◆ Anomaly detection
◆ Travel patterns
◆ Patterns of misuse
◆ Profiling
◆ Bonuses for spotting fraud
◆ Online is more difficult: based on where the transaction originated from
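The following is an added example, not part of the slides, that turns three of the ideas on pages 4 and 5 into code: the "travel patterns" check (two uses of one card further apart than anyone could travel in the time between them), the online check on where a transaction originated (origin country versus billing country), and page 4's "look at where the card was used" (the merchant shared by the cards reported as skimmed). The transaction records, thresholds (900 km/h) and merchant names are constructed for the demonstration; cards are referred to by a token, never by the full number.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt


@dataclass
class Txn:
    card: str             # tokenised card reference, never the full card number
    merchant: str
    when: datetime
    lat: float            # where the card was used (for online: geolocated origin)
    lon: float
    origin_country: str   # country the transaction originated from
    billing_country: str  # cardholder's billing country on file


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km (standard haversine formula, Earth radius 6371 km)."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(txns, max_speed_kmh=900.0):
    """'Travel patterns' check: for each card, consecutive transactions whose
    implied speed exceeds max_speed_kmh are flagged as (card, earlier, later)."""
    by_card = {}
    for t in sorted(txns, key=lambda t: t.when):
        by_card.setdefault(t.card, []).append(t)
    flagged = []
    for card, seq in by_card.items():
        for prev, cur in zip(seq, seq[1:]):
            hours = (cur.when - prev.when).total_seconds() / 3600.0
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if km > max_speed_kmh * hours:   # also catches two places at the same instant
                flagged.append((card, prev.merchant, cur.merchant))
    return flagged


def origin_mismatch(txns):
    """Online check from page 5: transactions whose origin country differs
    from the billing country deserve a closer look."""
    return [t for t in txns if t.origin_country != t.billing_country]


def common_point_of_purchase(txns, compromised_cards):
    """Page 4's 'look at where the card was used': count, per merchant, how many
    of the reported-compromised cards were used there; the merchant shared by
    most of them is the skimming suspect. Returns (merchant, count)."""
    seen = Counter()
    for card in compromised_cards:
        seen.update({t.merchant for t in txns if t.card == card})
    if not seen:
        return None, 0
    return seen.most_common(1)[0]


# Constructed sample: three tokenised cards, all used at the same cafe, one of
# which then turns up in Tokyo two hours after Boston.
SAMPLE = [
    Txn("tok-1", "cafe-boston", datetime(2015, 12, 1, 9, 0), 42.36, -71.06, "US", "US"),
    Txn("tok-1", "shop-tokyo", datetime(2015, 12, 1, 11, 0), 35.68, 139.69, "JP", "US"),
    Txn("tok-2", "cafe-boston", datetime(2015, 12, 2, 10, 0), 42.36, -71.06, "US", "US"),
    Txn("tok-2", "grocer-boston", datetime(2015, 12, 2, 18, 0), 42.35, -71.07, "US", "US"),
    Txn("tok-3", "cafe-boston", datetime(2015, 12, 3, 8, 30), 42.36, -71.06, "US", "US"),
    Txn("tok-3", "webstore", datetime(2015, 12, 20, 22, 0), 42.36, -71.06, "RO", "US"),
]

if __name__ == "__main__":
    print("impossible travel:", impossible_travel(SAMPLE))
    print("origin mismatch:", [t.merchant for t in origin_mismatch(SAMPLE)])
    print("common point of purchase:",
          common_point_of_purchase(SAMPLE, ["tok-1", "tok-2", "tok-3"]))
```

None of these checks proves fraud on its own; in practice they feed a score that a reviewer or a rules engine acts on, which is why the functions return the suspicious records rather than deciding anything.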

Page 6:

Online Credit Card Fraud

◆ SSL makes you “feel” better
◆ Most credit card theft is not “in transit”
◆ Visa guide: http://usa.visa.com/download/business/accepting_visa/ops_risk_management/visa_risk_management_guide_ecommerce.pdf?it=search
◆ One-time virtual card numbers: http://www.citibank.com/us/cards/tour/cb/shp_van.htm

Page 7:

E-commerce site risks

Fraud ➔
◆ Customer uses a stolen card or account number to fraudulently purchase goods/services online.
◆ Family member uses a bankcard to order goods/services online, but has not been authorized to do so.
◆ Customer falsely claims that he or she did not receive a shipment.
◆ Hackers find their way into an e-commerce merchant’s payment processing system and then issue credits to hacker card account numbers.

Page 8:

E-commerce site risks

Account Information Theft (Cyber-Thieves) ➔
◆ Hackers capture customer account data during transmission to/from the merchant.
◆ Hackers gain access to a service provider’s unprotected payment processing systems and steal cardholder account data.

Page 9:

E-commerce site risks

Account Information Theft (Physical Site) ➔
◆ Unauthorized individual accesses and steals cardholder data stored at the merchant or service provider site and fraudulently uses or sells it for unauthorized use or identity theft purposes.
◆ Unscrupulous merchant or service provider employee steals cardholder data and fraudulently uses or sells it for unauthorized use or identity theft purposes.
◆ Dumpster-divers steal unshredded account information from trash bins at the merchant or service provider location.

Page 10:

E-commerce site risks

Customer Disputes and Chargebacks ➔
◆ Goods or services are not as described on the Website.
◆ Customer is billed before goods/services are shipped or delivered.
◆ Confusion and disagreement between customer and merchant over return and refund.
◆ Customer is billed twice for the same order and/or billed for an incorrect amount.
◆ Customer doesn’t recognize the merchant name on the statement because the merchant uses a service provider to handle billing.

Page 11:

Proper site design

◆ The credit card number only “exists” for a short period of time in an accessible location.
◆ Use of data pumps can assure it doesn’t move out to an accessible location.
◆ http://www.securius.com/newsletters/Learn_to_Forget.html
◆ http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_Industry_Letter_to_Merchants.pdf
◆ http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf
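An added example, not from the slides or the linked documents, of the site design just described: the Internet-facing tier holds the card number only for the instant it takes to push it across a one-way "pump" into a protected vault, and afterwards keeps nothing but an opaque token and the last four digits. The class names (CardVault, WebTier), the token format and the in-memory stores are hypothetical stand-ins for a real vault and order database; the Luhn check is the standard check-digit algorithm and the card number used is the well-known Visa test number.

```python
import secrets


def luhn_ok(pan: str) -> bool:
    """Standard Luhn check-digit test: rejects mistyped numbers before anything
    is sent onward. Accepts digits with optional spaces, nothing else."""
    if any(not (c.isdigit() or c == " ") for c in pan):
        return False
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class CardVault:
    """Protected side of the pump (hypothetical). Holds the real numbers and
    hands back opaque tokens; reveal() belongs to the settlement process and
    is never handed to the web tier."""

    def __init__(self):
        self._by_token = {}

    def push(self, pan: str) -> str:
        token = "tok_" + secrets.token_hex(8)           # random, carries no card data
        self._by_token[token] = "".join(c for c in pan if c.isdigit())
        return token

    def reveal(self, token: str) -> str:
        return self._by_token[token]


class WebTier:
    """Accessible side (hypothetical). It is given only the one-way push
    callable, so even a full compromise of this tier cannot read cards back."""

    def __init__(self, pump):
        self._pump = pump
        self.orders = []                                 # the 'accessible location'

    def checkout(self, pan: str, amount_cents: int) -> dict:
        if not luhn_ok(pan):
            raise ValueError("card number failed Luhn check")
        clean = "".join(c for c in pan if c.isdigit())
        token = self._pump(clean)                        # number crosses the pump at once
        record = {"token": token, "last4": clean[-4:], "amount_cents": amount_cents}
        self.orders.append(record)                       # only token and last four persist
        return record


def accessible_side_holds(web: WebTier, pan: str) -> bool:
    """Audit helper: does anything stored on the web tier contain the number?"""
    return "".join(c for c in pan if c.isdigit()) in repr(web.orders)


def run_checkout(pan: str, amount_cents: int):
    """Build a vault and a web tier, run one checkout, return (vault, web, record)."""
    vault = CardVault()
    web = WebTier(vault.push)
    return vault, web, web.checkout(pan, amount_cents)


if __name__ == "__main__":
    vault, web, rec = run_checkout("4111 1111 1111 1111", 1999)
    print(rec, "| web tier holds number:", accessible_side_holds(web, "4111 1111 1111 1111"))
```

The point of the shape is that the only reference the web tier ever receives is the push function; there is no code path from the accessible side back to the stored numbers, which is what the slide means by the number not moving out to an accessible location.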

Page 12:

B2B systems

◆ EDI
◆ Commercial: lack of legal documents
◆ Healthcare: confidentiality

Page 13:

New techniques

◆ Hard to introduce
◆ For instance a new payment method: merchants need equipment, customers must generate demand
◆ VHS versus Beta format
◆ Study of this in Metaverse (adopters)

Page 14:

IT Markets

◆ Technology has high fixed cost, low marginal cost
◆ High costs to switch technologies, leading to lock-in
◆ Value of a product depends on how many adopt it

Page 15:

Other issues

◆ Pricing: free limited version, basic service, gold premium version. Free ups the number using it; others make money.
◆ Switching cost: monthly charges match the hassle of changing
◆ Trying to achieve monopolies: Microsoft Passport
◆ XML makes comparison shopping BOTs easier to write
◆ Special offers, errors spread rapidly

Page 16:

Specific Vulnerabilities: Web

◆ SQL Injection (covered)
◆ XSS (Cross Site Scripting): not really cross site; exploits holes in the site. Similar in concept to SQL injection, but inserts malicious code in variables.
  http://en.wikipedia.org/wiki/Cross-site_scripting
  http://www.cgisecurity.com/articles/xss-faq.shtml
  http://ha.ckers.org/xss.html
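An added example, not from the slides, of what "inserts malicious code in variables" means and of the fix. A search page echoes the request variable back into its HTML; the vulnerable version pastes it in as-is, so markup inside the variable becomes part of the page, while the hardened version HTML-encodes it at output time so it stays text. The template, the two inputs and the crude audit helper are constructed for the demonstration.

```python
import html
import re

TEMPLATE = "<h1>Results for: {term}</h1>"


def render_unsafe(term: str) -> str:
    """Vulnerable: the request variable is pasted into the page as-is, so any
    markup it carries becomes part of the document."""
    return TEMPLATE.format(term=term)


def render_safe(term: str) -> str:
    """Hardened: HTML-encode the variable at output time so it stays text.
    quote=True also encodes quotes, which matters when a value lands in an
    attribute rather than in element content."""
    return TEMPLATE.format(term=html.escape(term, quote=True))


_TAG = re.compile(r"<\s*/?\s*[A-Za-z]")


def injected_markup(rendered: str) -> bool:
    """Crude audit check for the demo: is there any tag in the rendered page
    other than the template's own <h1>...</h1>?"""
    body = rendered[len("<h1>"):-len("</h1>")]
    return _TAG.search(body) is not None


# Constructed inputs: an ordinary search term and one carrying a script tag
BENIGN = "running shoes"
HOSTILE = "shoes<script>alert('xss')</script>"

if __name__ == "__main__":
    for term in (BENIGN, HOSTILE):
        print("unsafe:", render_unsafe(term), "| injected:", injected_markup(render_unsafe(term)))
        print("safe:  ", render_safe(term), "| injected:", injected_markup(render_safe(term)))
```

Encoding is done at the point of output, not on the way in, because the same value may later be placed in HTML, in JavaScript, or in a URL, and each context needs its own encoding; a template engine that escapes by default gives the hardened behaviour without remembering to call html.escape on every variable.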

Page 17:

Articles

◆ SSL article
◆ Microsoft Passport from a business perspective

Page 18:

Previous articles

Firewall
http://en.wikipedia.org/wiki/Firewall_%28networking%29
http://www.firewall-software.com/firewall_faqs/types_of_firewall.html
http://www.vicomsoft.com/knowledge/pdfs/firewall_qa.pdf

Page 19:

Previous articles

Passport
http://blogs.zdnet.com/Bott/?p=30
Business “looks”
http://www.ciphertrust.com/resources/articles/articles/roi_4_intrusion.php
http://news.com.com/Insecure+networks+could+lead+to+lawsuits/2009-1033_3-940460.html

Page 20:

List of resources

Credit card fraud
http://en.wikipedia.org/wiki/Credit_card_fraud
MOTO
http://www.e-com.sbdc.com.au/e-trade/four/4.htm
http://usa.visa.com/download/business/accepting_visa/ops_risk_management/visa_risk_management_guide_ecommerce.pdf?it=search

Page 21:

List of Resources

Prevention
http://www.citibank.com/us/cards/tour/cb/shp_van.htm
Fuzz testing
http://en.wikipedia.org/wiki/Fuzz_testing