8/7/2019 Security of Online Transactions
1/46
Online Credit Card Transactions
Online Shopping
Electronic Business
Automatic Teller Machines
L1F09MSCS0023
Sumaira Anwar
Over the years, credit cards have become one of the most common forms of payment for online transactions.
1. The transaction begins when a credit card account number is entered into the system manually by either the merchant or the cardholder. This enters the transaction information into the Processor's network.
2. An Authorization Request is generated.
3. The Processor links up with the Visa/MasterCard network in order to transmit the Authorization Request to the Issuing Bank's computer network.
4. The Issuing Bank verifies that a valid credit card number has been received and that the Cardholder has enough money available to fund the transaction.
5. A hold for that amount is placed against the Cardholder's Open-to-Buy, thereby reducing the amount of his or her Open-to-Buy for future transactions.
6. Once the approval is received, a Deposit Transaction is transmitted which finalizes the transaction. The merchant then releases the items purchased by the Cardholder.
7. The Net Settlement Amount is deposited to the Merchant's account, usually by the end of the same business day.
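The seven steps above describe a two-phase flow: an authorization that places a hold against open-to-buy, and a later deposit that turns the hold into a posted charge and produces the net settlement. The following is an added toy model of that flow, not code from the slides or from any card network or processor; the card number, credit limit, amounts and the processor's discount rate are constructed sample values, and money is tracked in integer cents.

```python
"""Toy model of the card authorization / deposit (capture) flow.

Added illustration only: not code from the slides or from any card
network.  Card numbers, limits, amounts and the discount rate are
constructed sample values.  Amounts are integer cents."""

from dataclasses import dataclass, field
import itertools

_auth_ids = itertools.count(1)


@dataclass
class CardAccount:
    """Issuing-bank view of one card: its limit and what is held or posted against it."""
    pan: str                                      # constructed sample card number
    credit_limit: int                             # cents
    holds: dict = field(default_factory=dict)     # auth_id -> held amount (step 5)
    posted: int = 0                               # deposited (captured) charges (step 6)

    @property
    def open_to_buy(self) -> int:
        """What the cardholder may still spend: limit minus holds and posted charges."""
        return self.credit_limit - sum(self.holds.values()) - self.posted


class Issuer:
    """Steps 4 and 5: validate the card number, check open-to-buy, place a hold."""

    def __init__(self, accounts):
        self.accounts = {a.pan: a for a in accounts}

    def authorize(self, pan: str, amount: int) -> dict:
        acct = self.accounts.get(pan)
        if acct is None:
            return {"approved": False, "reason": "invalid card number"}
        if amount <= 0 or amount > acct.open_to_buy:
            return {"approved": False, "reason": "insufficient open-to-buy"}
        auth_id = next(_auth_ids)
        acct.holds[auth_id] = amount      # the hold reduces open-to-buy for later transactions
        return {"approved": True, "auth_id": auth_id}

    def deposit(self, pan: str, auth_id: int) -> int:
        """Step 6: the Deposit Transaction converts the hold into a posted charge."""
        acct = self.accounts[pan]
        amount = acct.holds.pop(auth_id)
        acct.posted += amount
        return amount


class Processor:
    """Steps 1-3 and 6-7: relays the merchant's request to the issuer and settles."""

    def __init__(self, issuer: Issuer, discount_rate: float = 0.025):
        self.issuer = issuer
        self.discount_rate = discount_rate   # assumed processor fee; constructed value
        self.merchant_balance = 0

    def sale(self, pan: str, amount: int) -> dict:
        auth = self.issuer.authorize(pan, amount)               # steps 2-5
        if not auth["approved"]:
            return auth
        captured = self.issuer.deposit(pan, auth["auth_id"])     # step 6
        fee = round(captured * self.discount_rate)
        net = captured - fee                                     # step 7: net settlement
        self.merchant_balance += net
        return {"approved": True, "captured": captured, "net_settlement": net}


if __name__ == "__main__":
    issuer = Issuer([CardAccount("4111111111111111", 50_000)])   # constructed test PAN
    proc = Processor(issuer)
    print(proc.sale("4111111111111111", 20_000))
    print(proc.sale("4111111111111111", 40_000))   # declined: only 30_000 open-to-buy left
```

The separation between `authorize` and `deposit` is the point to notice: between the two calls the merchant has no money yet, but the cardholder's open-to-buy is already reduced, which is exactly what step 5 describes.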
First Virtual was one of the first Internet payment systems to be available to the public, becoming fully operational in October of 1994. A main goal of this company was to create an Internet payment system that was easy to use. Neither buyers nor sellers are required to install new software (though automated sale processing software is available). If you have access to Internet email, you can sell or buy over the Internet using the First Virtual System.
The First Virtual payment system is unique in that it does not use encryption. A fundamental philosophy of their payment system is that certain information should not travel over the Internet because it is an open network. This includes credit card numbers. Instead of using credit card numbers, transactions are done using a First Virtual PIN which references the buyer's First Virtual account. These PIN numbers can be sent over the Internet because even if they are intercepted, they cannot be used to charge purchases to the buyer's account. A person's account is never charged without email verification from them accepting the charge.
CyberCash has been servicing credit card transactions over the Internet since April 1995. It has strong ties to the current credit card processing infrastructure, through Bill Melton, a founder of Verifone, as one of its fathers. The use of their payment system has grown tremendously over a year. CyberCash claims that they process thousands of transactions a day, that they can send payment transactions to 8 % of the banks in America, and that they have distributed over 4 , copies of CyberCash Wallet software to buyers who use their system.
It is important to note that CyberCash is not a credit card processing company. Unlike First Virtual, they do not transfer funds into the merchant's account. CyberCash sells safe passage over the Internet for credit card transaction data. They take the data that is sent to them from the merchant, and pass it to the merchant's acquiring bank for processing. Except for dealing with the merchant through CyberCash's server, the acquiring bank processes the credit card transaction as they would process transactions received through a point of sale (POS) terminal in a retail store.
Secure Electronic Transactions (SET) is an open protocol which has the potential to emerge as a dominant force in the securing of electronic transactions. Jointly developed by Visa and MasterCard, SET is an open standard for protecting the privacy, and ensuring the authenticity, of electronic transactions. Without privacy, consumer protection cannot be guaranteed, and without authentication, neither the merchant nor the consumer can be sure that valid transactions are being made.
The SET protocol relies on two different encryption mechanisms, as well as an authentication mechanism. SET uses symmetric encryption, in the form of the Data Encryption Standard (DES), as well as asymmetric, or public-key, encryption to transmit the session keys for DES transactions.
In the SET protocol, two different encryption algorithms are used: DES and RSA.
Authentication is an important issue. Consumers must have faith in the authenticity of the merchant, and merchants must have faith in the authenticity of the consumer. Authentication is critical to achieving trust in electronic commerce.
Authentication is achieved through the use of digital signatures. Using a hashing algorithm, SET can sign a transaction using the sender's private key. Hashing produces a small message digest, a series of values that "sign" a message. By comparing the transaction message and the message digest, along with the sender's public key, the authenticity of the transaction can be verified. Digital signatures are aimed at achieving the same level of trust as a written signature has in real life. This helps achieve non-repudiation, as the consumer cannot later establish that the message wasn't sent using his private key.
Credit Card Payment Fraud
The use of credit cards for purchases, with the increase in electronic commerce on the Internet, has become convenient and necessary. However, fraud in credit card payments is also on the increase, which is a worrying trend.
Credit card transactions provide more opportunities for thieves to steal credit card numbers and commit fraud. Due to the fraud, the genuine customer incurs a loss of money. Proactive business owners are seized with this problem and are actively educating their customers on detecting credit card payment fraud.
Credit card fraud is one of the major risks faced by businesses nowadays. A recent survey says that there is an increase in online crime, or Internet fraud. The hardest hit are the mid-size and smaller companies, which have lost over .5 % of online sales due to fraud.
Fraudulent payments can be detected more easily thanks to recent improvements in electronic commerce:
more sophisticated encryption systems
verification services
transaction processing technology
Address Verification Service
The AVS, or address verification service, is used to determine that the address provided by a customer matches the address associated with a credit card account.
Card Verification Value
The CVV, or card verification value, sometimes referred to as the CVV-2, is a three to four digit number found on the back of MasterCard and Visa cards. It's on the card but not on any statements, so that if an individual has found a credit card statement in the trash, they aren't able to complete a sale that requires the CVV code for verification purposes. Knowing the CVV usually means that the cardholder is in physical possession of the credit card and not just using a stolen number that they got from somewhere.
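The two checks above, AVS and CVV, are what a merchant's fraud screen combines before shipping an order. The following is an added example of that screening logic, not code from the slides or from any processor; the field names, the simulated AVS result codes, the accept/review/decline policy and the sample card data are all constructed. In a live integration the issuer performs the comparison and returns a response code; here it is simulated locally so the decision logic can be exercised offline. The card number is masked wherever it is reported, and the supplied CVV is compared once and never stored or logged.

```python
"""Merchant-side order screening built from AVS and CVV results.

Added example, not code from the slides or from any processor.  Field
names, result codes, the decision policy and the sample data are
constructed; the AVS/CVV comparison is simulated locally."""

import hmac
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CardOnFile:
    """What the issuer holds for the account (constructed stand-in for the issuer's records)."""
    pan: str
    billing_street: str
    billing_zip: str
    cvv: str


def _normalize(text: str) -> str:
    """Case- and punctuation-insensitive key so '123 Main St.' equals '123 main st'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def avs_check(card: CardOnFile, street: str, zip_code: str) -> str:
    """Simulated AVS result: 'full', 'zip' (ZIP only), 'street' (street only) or 'none'."""
    street_ok = _normalize(card.billing_street) == _normalize(street)
    zip_ok = _normalize(card.billing_zip) == _normalize(zip_code)
    if street_ok and zip_ok:
        return "full"
    if zip_ok:
        return "zip"
    if street_ok:
        return "street"
    return "none"


def cvv_check(card: CardOnFile, supplied: str) -> bool:
    """Constant-time compare; the supplied CVV is used once and never persisted."""
    return hmac.compare_digest(card.cvv.encode(), supplied.encode())


def mask_pan(pan: str) -> str:
    """Show only the last four digits on receipts, screens and logs."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def screen_order(card: CardOnFile, street: str, zip_code: str, cvv: str) -> dict:
    """Combine the checks into an accept / review / decline decision (constructed policy)."""
    avs = avs_check(card, street, zip_code)
    cvv_ok = cvv_check(card, cvv)
    if not cvv_ok:
        decision = "decline"      # a statement fished from the trash does not carry the CVV
    elif avs == "full":
        decision = "accept"
    elif avs in ("zip", "street"):
        decision = "review"       # partial address match: hold for manual review before shipping
    else:
        decision = "decline"
    # Only the masked PAN and the outcomes leave this function; the CVV itself never does.
    return {"card": mask_pan(card.pan), "avs": avs, "cvv_match": cvv_ok, "decision": decision}


if __name__ == "__main__":
    sample = CardOnFile("4111 1111 1111 1111", "123 Main St.", "90210", "737")   # constructed
    print(screen_order(sample, "123 main st", "90210", "737"))
    print(screen_order(sample, "9 Elm Rd", "90210", "737"))
```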
Online shopping is the process whereby consumers directly buy goods or services from a seller in real time, without an intermediary service, over the Internet. If an intermediary service is present, the process is called electronic commerce.
Convenience: Online stores are usually available 24 hours a day, and many consumers have Internet access both at work and at home.
Information and reviews: Online stores must describe products for sale with text, photos, and multimedia files.
Price and selection: One advantage of shopping online is being able to quickly seek out deals for items or services with many different vendors, and you can make online price comparisons.
Fraud and security concerns
Given the lack of ability to inspect merchandise before purchase, consumers are at higher risk of fraud on the part of the merchant than in a physical store.
Merchants also risk fraudulent purchases using stolen credit cards or fraudulent repudiation of the online purchase.
Identity theft is still a concern for consumers when hackers break into a merchant's web site and steal names, addresses and credit card numbers.
Use identity theft protection services to keep criminals from sending you into financial ruin:
- LifeLock
- ProtectMyID
- IDENTITY GUARD
- TrustedID
- IdentityTruth
- Debix
- ID Watchdog
- Equifax ID Patrol
- Intelius IDWatch
- IDarmor
Phishing is another danger, where consumers are fooled into thinking they are dealing with a reputable retailer, when they have actually been manipulated into feeding private information to a system operated by a malicious party. Denial of service attacks are a minor risk for merchants, as are server and network outages.
A solution to phishing attacks of any kind is to purchase "password-protection software". Software like RoboForm stores all your login information on your computer, in a file protected by a master password. Once you log in to RoboForm, it takes one click to log in to a password-protected website. The software generates passwords randomly, so you can be certain you have a different password for every site.
It looks like while tabnabbing can be exploited by hackers, there are preventative forces at work to catch them before they can take tabnabbing to another level. Now, that's the kind of preemptive strike that works in our favor - catching the phisher before he catches you!
Stick with known stores, or try to find independent consumer reviews of their experiences; also ensure that there is comprehensive contact information on the website before using the service, and note whether the retailer has enrolled in industry oversight programs such as a trust mark or trust seal.
Before buying from a new company, evaluate the website by considering issues such as: the professionalism and user-friendliness of the site; whether or not the company lists a telephone number and/or street address along with e-contact information; whether a fair and reasonable refund and return policy is clearly stated; and whether there are hidden price inflators, such as excessive shipping and handling charges.
Ensure that the retailer has an acceptable privacy policy posted. For example, note if the retailer does not explicitly state that it will not share private information with others without consent.
Electronic business
The most basic definition of e-business is simply this: using the internet to connect with customers, partners, and suppliers.
To engage in e-business, companies need to be able to unlock data in their back-end computer systems, so they can share information and conduct electronic transactions with customers, partners, and suppliers via the internet.
E-business systems naturally have greater security risks than traditional business systems, therefore it is important for e-business systems to be fully protected against these risks. A far greater number of people have access to e-businesses through the internet than would have access to a traditional business. Customers, suppliers, employees, and numerous other people use any particular e-business system daily and expect their confidential information to stay secure.
Privacy and confidentiality
Authenticity
Data integrity
Non-repudiation
Access control
Availability
Many different forms of security exist for e-businesses. Some general security guidelines include areas in physical security, data storage, data transmission, application development, and system administration.
Despite e-business being business done online, there are still physical security measures that can be taken to protect the business as a whole. Even though business is done online, the building that houses the servers and computers must be protected and have limited access to employees and other persons. For example, this room should only allow authorized users to enter, and should ensure that windows, dropped ceilings, large air ducts, and raised floors do not allow easy access to unauthorized persons.
Storing data in a secure manner is very important to all businesses, but especially to e-businesses where most of the data is stored in an electronic manner. Data that is confidential should not be stored on the e-business' server, but instead moved to another physical machine to be stored. If possible this machine should not be directly connected to the internet, and should also be kept in a safe location. The information should be stored in an encrypted format.
All sensitive information being transmitted should be encrypted. Businesses can opt to refuse clients who can't accept this level of encryption. Confidential and sensitive information should also never be sent through e-mail. If it must be, then it should also be encrypted.
Transferring and displaying secure information should be kept to a minimum. This can be done by never displaying a full credit card number, for example.
Security on default operating systems should be increased immediately. All system configuration changes should be kept in a log and promptly updated.
System administrators should keep watch for suspicious activity within the business by inspecting log files and researching repeated logon failures. They can also audit their e-business system and look for any holes in the security measures. It is important to make sure plans for security are in place, but also to test the security measures to make sure they actually work.
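The slide leaves "researching repeated logon failures" as a task for the administrator; the following is an added example of what that inspection looks like when written down, not code from the slides or from any logging product. The log format, the threshold, the time window and the sample lines are all constructed. It counts failures per account and per source address inside a sliding window, so that both a single account under repeated attempts and a single source trying many accounts (where no one account crosses the threshold) are surfaced.

```python
"""Flag repeated logon failures in constructed log lines.

Added example, not code from the slides.  The log format, threshold,
window and sample lines are constructed; a real deployment reads the
application's own log format and forwards findings to alerting."""

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a made-up "timestamp user=... ip=... result=..." layout.
SAMPLE_LOG = """\
2019-08-07T10:00:01 user=alice ip=203.0.113.5 result=FAIL
2019-08-07T10:00:05 user=alice ip=203.0.113.5 result=FAIL
2019-08-07T10:00:09 user=alice ip=203.0.113.5 result=FAIL
2019-08-07T10:00:14 user=alice ip=203.0.113.5 result=FAIL
2019-08-07T10:00:20 user=alice ip=203.0.113.5 result=FAIL
2019-08-07T10:00:25 user=alice ip=203.0.113.5 result=OK
2019-08-07T10:05:00 user=bob ip=198.51.100.7 result=FAIL
2019-08-07T10:30:00 user=bob ip=198.51.100.7 result=OK
2019-08-07T11:00:00 user=carol ip=192.0.2.9 result=FAIL
2019-08-07T11:00:01 user=dave ip=192.0.2.9 result=FAIL
2019-08-07T11:00:02 user=erin ip=192.0.2.9 result=FAIL
2019-08-07T11:00:03 user=frank ip=192.0.2.9 result=FAIL
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>\S+)$")


def parse_log(text: str):
    """Yield (timestamp, user, ip, result) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["ip"], m["result"]


def _worst_burst(times, window: timedelta) -> int:
    """Largest number of events that fall inside any single window of the given length."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_repeated_failures(text: str, threshold: int = 4,
                           window: timedelta = timedelta(minutes=5)) -> dict:
    """Accounts and source IPs with at least `threshold` failures inside one window.

    Returns {"accounts": {user: count}, "sources": {ip: count}}; count is the
    worst burst seen for that key.
    """
    per_user, per_ip = defaultdict(list), defaultdict(list)
    for ts, user, ip, result in parse_log(text):
        if result == "FAIL":
            per_user[user].append(ts)
            per_ip[ip].append(ts)
    user_bursts = {u: _worst_burst(ts, window) for u, ts in per_user.items()}
    ip_bursts = {ip: _worst_burst(ts, window) for ip, ts in per_ip.items()}
    return {
        "accounts": {u: n for u, n in user_bursts.items() if n >= threshold},
        "sources": {ip: n for ip, n in ip_bursts.items() if n >= threshold},
    }


if __name__ == "__main__":
    print(find_repeated_failures(SAMPLE_LOG))
```

In the constructed sample, `alice` and her source address are flagged together, while `192.0.2.9` is flagged only by source: four different accounts with one failure each would never trip a per-account threshold, which is why the per-source view is kept alongside it.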
When it comes to security solutions, there are some main goals that are to be met. These goals are data integrity, strong authentication, and privacy.
To protect themselves against attacks, organizations have traditionally implemented a variety of technologies at the network boundary. These include:
Firewalls
aimed at excluding attackers by admitting only certain types of network traffic
Intrusion detection systems
that monitor the network or specific resources for anomalies such as the presence of unauthorized traffic
Filters
to remove viruses before they spread to thousands of desktops
Encryption
transforming texts or messages into a code which is unreadable
Digital certificates
The point of a digital certificate is to identify the owner of a document. This way the receiver knows that it is an authentic document.
Digital signatures
If a document has a digital signature on it, no one else is able to edit the information without being detected.
In order to use a digital signature, one must use a combination of cryptography and a message digest.
Security, as it relates to ATMs, has several dimensions. ATMs also provide a practical demonstration of a number of security systems and concepts operating together, and of how various security concerns are dealt with.
Early ATM security focused on making the ATMs invulnerable to physical attack; they were effectively safes with dispenser mechanisms. A number of attacks on ATMs resulted, with thieves attempting to steal entire ATMs.
Another attack method, plofkraak, is to seal all openings of the ATM with silicone and fill the vault with a combustible gas, or to place an explosive inside, attached to, or near the ATM. This gas or explosive is ignited and the vault is opened or distorted by the force of the resulting explosion, and the criminals can break in.
The security of ATM transactions relies mostly on the integrity of the secure cryptoprocessor: the ATM often uses commodity components that are not considered to be "trusted systems".
Encryption of personal information, required by law in many jurisdictions, is used to prevent fraud.
Sensitive data in ATM transactions are usually encrypted with DES, but transaction processors now usually require the use of Triple DES.
Message Authentication Code (MAC) or Partial MAC may also be used to ensure messages have not been tampered with while in transit between the ATM and the financial network.
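The following is an added example of the MAC check the slide describes, applied to a constructed ATM-to-host message; it is not code from the slides or from any ATM vendor or network. The message layout, the key and the sample values are constructed, and HMAC-SHA256 from the standard library stands in for the DES-based MACs the slide mentions; the verification logic is the same. In a real ATM the MAC key would live inside the secure cryptoprocessor the previous slide refers to, and a sequence number in the message would be checked by the host against the last value seen (not implemented here).

```python
"""HMAC protection of a constructed ATM-to-host message.

Added example, not code from the slides or any ATM vendor.  Layout, key
and sample values are constructed; HMAC-SHA256 stands in for a DES MAC."""

import hashlib
import hmac

# Constructed demo key.  In a real ATM the MAC key is held in the secure cryptoprocessor.
MAC_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")


def build_message(terminal_id: str, seq: int, amount_cents: int, pan_last4: str) -> bytes:
    """Pipe-separated wire layout (constructed).  Only the last four PAN digits travel in clear."""
    return f"{terminal_id}|{seq}|{amount_cents}|{pan_last4}".encode()


def compute_mac(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


def partial_mac(key: bytes, message: bytes, length: int = 4) -> bytes:
    """A 'partial MAC': the tag truncated to save bandwidth, at some cost in strength."""
    return compute_mac(key, message)[:length]


def protect(key: bytes, message: bytes) -> bytes:
    """ATM side: append the hex tag to the message."""
    return message + b"|" + compute_mac(key, message).hex().encode()


def verify_and_parse(key: bytes, frame: bytes):
    """Host side: split off the tag, recompute it, reject on any mismatch.

    Returns the parsed fields, or None if the frame is malformed or the MAC fails.
    The compare is constant-time so the host does not leak how many tag bytes matched.
    """
    body, sep, tag_hex = frame.rpartition(b"|")
    if not sep:
        return None
    try:
        tag = bytes.fromhex(tag_hex.decode())
    except ValueError:
        return None
    if not hmac.compare_digest(tag, compute_mac(key, body)):
        return None
    terminal_id, seq, amount, last4 = body.decode().split("|")
    return {"terminal": terminal_id, "seq": int(seq), "amount_cents": int(amount), "pan_last4": last4}


if __name__ == "__main__":
    frame = protect(MAC_KEY, build_message("ATM0042", 17, 20000, "1111"))   # constructed values
    print("genuine:", verify_and_parse(MAC_KEY, frame))
    print("amount edited in transit:", verify_and_parse(MAC_KEY, frame.replace(b"|20000|", b"|90000|")))
```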
There have also been a number of incidents of fraud by man-in-the-middle attacks, where criminals have attached fake keypads or card readers to existing machines. These have then been used to record customers' PINs and bank card information in order to gain unauthorized access to their accounts.
Various ATM manufacturers have put in place countermeasures to protect the equipment they manufacture from these threats.
Openings on the customer side of ATMs are often covered by mechanical shutters to prevent tampering with the mechanisms when they are not in use. Alarm sensors are placed inside the ATM and in ATM servicing areas to alert their operators when doors have been opened by unauthorized personnel.
Rules are usually set by the government or ATM operating body that dictate what happens when integrity systems fail. Depending on the jurisdiction, a bank may or may not be liable when an attempt is made to dispense a customer's money from an ATM and the money either gets outside of the ATM's vault, or was exposed in a non-secure fashion, or they are unable to determine the state of the money after a failed transaction.