Bài giảng E-commerce business, technology, society - Chapter 5: Online Security and Payment Systems

E-commerce Kenneth C. LaudonCarol Guercio Traverbusiness. technology. society.seventh editionCopyright © 2011 Pearson Education, Inc.Copyright © 2011 Pearson Education, Inc.Copyright © 2010 Pearson Education, Inc.Slide 5-*Chapter 5Online Security and Payment SystemsCopyright © 2011 Pearson Education, Inc.Copyright © 2011 Pearson Education, Inc.Cyberwar: Mutually Assured Destruction 2.0Class DiscussionWhat is the difference between hacking and cyberwar? Why has cyberwar become more potentially devastating in the past decade?What percentage of computers have been compromised by stealth malware programs?Will a political solution to MAD 2.0 be effective enough?Slide 5-*Copyright © 2011 Pearson Education, Inc.The E-commerce Security EnvironmentOverall size and losses of cybercrime unclearReporting issues2009 CSI survey: 49% of respondent firms detected security breach in last yearOf those that shared numbers, average loss $288,000Underground economy marketplace:Stolen information stored on underground economy serversSlide 5-*Copyright © 2011 Pearson Education, Inc.Types of Attacks Against ComputerSystems (Cybercrime)Slide 5-*Figure 5.1, Page 266SOURCE: Based on data from Computer Security Institute, 2009Copyright © 2011 Pearson Education, Inc.What Is Good E-commerce Security?To achieve highest degree of securityNew technologiesOrganizational policies and proceduresIndustry standards and government lawsOther factorsTime value of moneyCost of security vs. potential lossSecurity often breaks at weakest linkSlide 5-*Copyright © 2011 Pearson Education, Inc.The E-commerce Security EnvironmentFigure 5.2, Page 269Slide 5-*Copyright © 2011 Pearson Education, Inc.Table 5.2, Page 270Slide 5-*Copyright © 2011 Pearson Education, Inc.The Tension Between Security and Other ValuesEase of use:The more security measures added, the more difficult a site is to use, and the slower it becomesPublic safety and criminal uses of the InternetUse of technology by criminals to plan crimes or threaten nation-stateSlide 5-*Copyright © 2011 Pearson Education, Inc.Security Threats in the E-commerce EnvironmentThree key points of vulnerability:Internet communications channelsServer levelClient levelSlide 5-*Copyright © 2011 Pearson Education, Inc.A Typical E-commerce TransactionFigure 5.3, Page 273Slide 5-*SOURCE: Boncella, 2000.Copyright © 2011 Pearson Education, Inc.Vulnerable Points in an E-commerce EnvironmentFigure 5.4, Page 274Slide 5-*SOURCE: Boncella, 2000.Copyright © 2011 Pearson Education, Inc.Most Common Security Threats in the E-commerce EnvironmentMalicious codeVirusesWormsTrojan horsesBots, botnetsUnwanted programs Browser parasitesAdwareSpywareSlide 5-*Copyright © 2011 Pearson Education, Inc.Most Common Security Threats (cont.)PhishingDeceptive online attempt to obtain confidential informationSocial engineering, e-mail scams, spoofing legitimate Web sitesUse of information to commit fraudulent acts (access checking accounts), steal identityHacking and cybervandalismHackers vs. crackersCybervandalism: Intentionally disrupting, defacing, destroying Web siteTypes of hackers: White hats, black hats, grey hatsSlide 5-*Copyright © 2011 Pearson Education, Inc.Most Common Security Threats (cont.)Credit card fraud/theftHackers target merchant servers; use data to establish credit under false identitySpoofingPharmingSpam/junk Web sitesDenial of service (DoS) attackHackers flood site with useless traffic to overwhelm networkDistributed denial of service (DDoS) attackSlide 5-*Copyright © 2011 Pearson Education, Inc.Most Common Security Threats (cont.)SniffingEavesdropping program that monitors information traveling over a networkInsider jobsSingle largest financial threatPoorly designed server and client softwareMobile platform threatsSame risks as any Internet deviceMalware, botnets, vishing/smishingSlide 5-*Copyright © 2011 Pearson Education, Inc.Technology SolutionsProtecting Internet communications (encryption)Securing channels of communication (SSL, S-HTTP, VPNs)Protecting networks (firewalls)Protecting servers and clients Slide 5-*Copyright © 2011 Pearson Education, Inc.Tools Available to Achieve Site SecurityFigure 5.7, Page 287Slide 5-*Copyright © 2011 Pearson Education, Inc.EncryptionEncryptionTransforms data into cipher text readable only by sender and receiverSecures stored information and information transmissionProvides 4 of 6 key dimensions of e-commerce security: Message integrityNonrepudiationAuthenticationConfidentialitySlide 5-*Copyright © 2011 Pearson Education, Inc.Symmetric Key EncryptionSender and receiver use same digital key to encrypt and decrypt messageRequires different set of keys for each transactionStrength of encryption Length of binary key used to encrypt dataAdvanced Encryption Standard (AES)Most widely used symmetric key encryptionUses 128-, 192-, and 256-bit encryption keysOther standards use keys with up to 2,048 bitsSlide 5-*Copyright © 2011 Pearson Education, Inc.Public Key EncryptionUses two mathematically related digital keys Public key (widely disseminated) Private key (kept secret by owner)Both keys used to encrypt and decrypt messageOnce key used to encrypt message, same key cannot be used to decrypt messageSender uses recipient’s public key to encrypt message; recipient uses his/her private key to decrypt itSlide 5-*Copyright © 2011 Pearson Education, Inc.Public Key Cryptography – A Simple CaseFigure 5.8, Page 289Slide 5-*Copyright © 2011 Pearson Education, Inc.Public Key Encryption using Digital Signatures and Hash DigestsHash function:Mathematical algorithm that produces fixed-length number called message or hash digestHash digest of message sent to recipient along with message to verify integrityHash digest and message encrypted with recipient’s public keyEntire cipher text then encrypted with recipient’s private key – creating digital signature – for authenticity, nonrepudiation Slide 5-*Copyright © 2011 Pearson Education, Inc.Public Key Cryptography with Digital SignaturesFigure 5.9, Page 291Slide 5-*Copyright © 2011 Pearson Education, Inc.Digital EnvelopesAddress weaknesses of:Public key encryptionComputationally slow, decreased transmission speed, increased processing timeSymmetric key encryptionInsecure transmission linesUses symmetric key encryption to encrypt document Uses public key encryption to encrypt and send symmetric keySlide 5-*Copyright © 2011 Pearson Education, Inc.Creating a Digital EnvelopeFigure 5.10, Page 292Slide 5-*Copyright © 2011 Pearson Education, Inc.Digital Certificates and Public Key Infrastructure (PKI)Digital certificate includes:Name of subject/companySubject’s public keyDigital certificate serial numberExpiration date, issuance dateDigital signature of CAPublic Key Infrastructure (PKI): CAs and digital certificate proceduresPGPSlide 5-*Copyright © 2011 Pearson Education, Inc.Digital Certificates and Certification AuthoritiesFigure 5.11, Page 294Slide 5-*Copyright © 2011 Pearson Education, Inc.Limits to Encryption SolutionsDoesn’t protect storage of private keyPKI not effective against insiders, employeesProtection of private keys by individuals may be haphazardNo guarantee that verifying computer of merchant is secureCAs are unregulated, self-selecting organizationsSlide 5-*Copyright © 2011 Pearson Education, Inc.Insight on SocietyWeb Dogs and AnonymityClass DiscussionWhat are some of the benefits of continuing the anonymity of the Internet?What are the disadvantages of an identity system?Are there advantages to an identity system beyond security?Who should control a central identity system?Slide 5-*Copyright © 2011 Pearson Education, Inc.Securing Channels of CommunicationSecure Sockets Layer (SSL): Establishes a secure, negotiated client-server session in which URL of requested document, along with contents, is encryptedS-HTTP: Provides a secure message-oriented communications protocol designed for use in conjunction with HTTPVirtual Private Network (VPN): Allows remote users to securely access internal network via the Internet, using Point-to-Point Tunneling Protocol (PPTP)Slide 5-*Copyright © 2011 Pearson Education, Inc.Secure Negotiated Sessions Using SSLFigure 5.12, Page 298Slide 5-*Copyright © 2011 Pearson Education, Inc.Protecting NetworksFirewallHardware or softwareUses security policy to filter packetsTwo main methods:Packet filtersApplication gatewaysProxy servers (proxies)Software servers that handle all communications originating from or being sent to the InternetSlide 5-*Copyright © 2011 Pearson Education, Inc.Firewalls and Proxy ServersFigure 5.13, Page 301Slide 5-*Copyright © 2011 Pearson Education, Inc.Protecting Servers and ClientsOperating system security enhancementsUpgrades, patchesAnti-virus software: Easiest and least expensive way to prevent threats to system integrityRequires daily updatesSlide 5-*Copyright © 2011 Pearson Education, Inc.Management Policies, Business Procedures, and Public LawsU.S. firms and organizations spend 12% of IT budget on security hardware, software, services ($120 billion in 2009)Managing risk includesTechnologyEffective management policiesPublic laws and active enforcementSlide 5-*Copyright © 2011 Pearson Education, Inc.A Security Plan: Management PoliciesRisk assessmentSecurity policyImplementation planSecurity organizationAccess controlsAuthentication procedures, inc. biometricsAuthorization policies, authorization management systemsSecurity auditSlide 5-*Copyright © 2011 Pearson Education, Inc.Developing an E-commerce Security PlanSlide 5-*Figure 5.14, Page 303Copyright © 2011 Pearson Education, Inc.The Role of Laws and Public PolicyLaws that give authorities tools for identifying, tracing, prosecuting cybercriminals:National Information Infrastructure Protection Act of 1996USA Patriot ActHomeland Security ActPrivate and private-public cooperationCERT Coordination CenterUS-CERTGovernment policies and controls on encryption softwareOECD guidelinesSlide 5-*Copyright © 2011 Pearson Education, Inc.Insight on TechnologyThink Your Smartphone Is Secure?Class DiscussionWhat types of threats do smartphones face?Are there any particular vulnerabilities to this type of device?What did Nicolas Seriot’s “Spyphone” prove?Are apps more or less likely to be subject to threats than traditional PC software programs?Slide 5-*Copyright © 2011 Pearson Education, Inc.Types of Payment SystemsCashMost common form of payment in terms of number of transactionsInstantly convertible into other forms of value without intermediationChecking TransferSecond most common payment form in U.S. in terms of number of transactionsCredit CardCredit card associationsIssuing banksProcessing centersSlide 5-*Copyright © 2011 Pearson Education, Inc.Types of Payment Systems (cont.)Stored ValueFunds deposited into account, from which funds are paid out or withdrawn as needed, e.g. debit cards, gift certificatesPeer-to-peer payment systemsAccumulating BalanceAccounts that accumulate expenditures and to which consumers make period paymentse.g. Utility, phone, American Express accountsSlide 5-*Copyright © 2011 Pearson Education, Inc.Table 5.6, Page 312Slide 5-*Copyright © 2011 Pearson Education, Inc.E-commerce Payment SystemsCredit cards55 % of online payments in 2009 (U.S.)Debit cards28 % online payments in 2009 (U.S.)Limitations of online credit card paymentSecurityCostSocial equitySlide 5-*Copyright © 2011 Pearson Education, Inc.How an Online Credit Transaction WorksFigure 5.16, Page 315Slide 5-*Copyright © 2011 Pearson Education, Inc.E-commerce Payment Systems (cont.)Digital walletsEmulates functionality of wallet by authenticating consumer, storing and transferring value, and securing payment process from consumer to merchantEarly efforts to popularize failedNewest effort: Google CheckoutDigital cashValue storage and exchange using tokens Most early examples have disappeared; protocols and practices too complexSlide 5-*Copyright © 2011 Pearson Education, Inc.E-commerce Payment Systems (cont.)Online stored value systemsBased on value stored in a consumer’s bank, checking, or credit card accountPayPal, smart cardsDigital accumulated balance paymentUsers accumulate a debit balance for which they are billed at the end of the monthDigital checking:Extends functionality of existing checking accounts for use onlineSlide 5-*Copyright © 2011 Pearson Education, Inc.Mobile Payment SystemsUse of mobile handsets as payment devices well-established in Europe, Japan, South KoreaJapanese mobile payment systemsE-money (stored value)Mobile debit cardsMobile credit cardsNot as well established yet in U.SMajority of purchases are digital content for use on cell phoneSlide 5-*Copyright © 2011 Pearson Education, Inc.Insight on BusinessMobile Payment’s Future: Wavepayme, TextpaymeGroup DiscussionWhat technologies make mobile payment more feasible now than in the past?Describe some new experiments that are helping to develop mobile payment systems.How has PayPal responded?Why haven’t mobile payment systems grown faster? What factors will spur their growth?Slide 5-*Copyright © 2011 Pearson Education, Inc.Electronic Billing Presentment and Payment (EBPP)Online payment systems for monthly bills65% + of households in 2010 used some EBPP; expected to continue to growTwo competing EBPP business models:Biller-direct (dominant model)ConsolidatorBoth models are supported by EBPP infrastructure providersSlide 5-*Copyright © 2011 Pearson Education, Inc.All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of the publisher. Printed in the United States of America.Copyright © 2011 Pearson Education, Inc.  Publishing as Prentice HallCopyright © 2011 Pearson Education, Inc.