E-Commerce Security

Uploaded by sale73d9


Chapter 4: E-commerce Security

The six key issues in e-commerce security
• Integrity: ability to ensure that information being displayed on a Web site or transmitted/received over the Internet has not been altered in any way by an unauthorized party
• Non-repudiation: ability to ensure that e-commerce participants do not deny (repudiate) online actions
• Authenticity: ability to verify the identity of a person or entity with whom you are dealing on the Internet
• Confidentiality: ability to ensure that messages and data are available only to those authorized to view them
• Privacy: ability to control the use of information a customer provides about himself or herself to the merchant
• Availability: ability to ensure that an e-commerce site continues to function as intended

Slide 5-2
Security Threats in the E-commerce Environment
Three key points of vulnerability:
• Client
• Server
• Communications channel

Slide 5-3
Most common threats:

• Malicious code
• Hacking and cyber vandalism
• Credit card fraud/theft
• Spoofing
• Denial of service attacks
• Sniffing
• Insider jobs

Slide 5-4
Malicious Code
• Viruses: computer program that has the ability to replicate and spread to other files; include macro viruses, file-infecting viruses and script viruses
• Worms: designed to spread from computer to computer
• Trojan horse: appears to be an interesting application, but then does something other than expected
• Bad applets (malicious mobile code): malicious Java applets or ActiveX controls that may be downloaded onto the client and activated merely by surfing to a Web site.

Slide 5-5
Hacking and Cyber Vandalism

Hacker: a person who has good knowledge about computers and tries to open the data packets and steal the information transmitted through the Internet.

Cracker: someone who specifically breaks into computer systems by bypassing or by guessing login passwords. These persons enter the network as authenticated users and can cause any harm to the system.

Cyber vandalism: intentionally disrupting, defacing or destroying a Web site.

Slide 5-6
Types of hackers include:
• White hats: members of “tiger teams” used by corporate security departments to test their own security measures
• Black hats: act with the intention of causing harm
• Grey hats: believe they are pursuing some greater good by breaking in and revealing system flaws

Slide 5-7
Credit Card Fraud
• Fear that credit card information will be stolen deters online purchases
• Hackers target credit card files and other customer information files on merchant servers; use stolen data to establish credit under a false identity
• One solution: new identity verification mechanisms

Slide 5-8
Spoofing, DoS and DDoS Attacks, Sniffing, Insider Jobs
• Spoofing: representing oneself by using fake e-mail addresses or masquerading as someone else
• Denial of service (DoS) attack: hackers flood a Web site with useless traffic to inundate and overwhelm the network
• Distributed denial of service (DDoS) attack: hackers use numerous computers to attack the target network from numerous launch points
• Sniffing: type of eavesdropping program that monitors information traveling over a network; enables hackers to steal proprietary information from anywhere on a network
• Insider jobs: single largest financial threat

Slide 5-9
Technology Solutions
• Protecting Internet communications (encryption)
• Securing channels of communication (SSL, S-HTTP, VPNs)
• Protecting networks (firewalls)
• Protecting servers and clients

Slide 5-10
Tools Available to Achieve Site Security

Slide 5-11
Protecting Internet Communications: Encryption
• Encryption: the process of transforming plain text or data into cipher text that cannot be read by anyone other than the sender and receiver
• Purpose:
  • Secure stored information
  • Secure information transmission
• Provides:
  • Message integrity
  • Non-repudiation
  • Authentication
  • Confidentiality
Slide 5-12
Message Encryption
[Figure: original message transformed into encrypted message]

Symmetric Key Encryption
• Also known as secret key encryption
• Both the sender and receiver use the same digital key to encrypt and decrypt the message
• Requires a different set of keys for each transaction
• Data Encryption Standard (DES): most widely used symmetric key encryption today; uses a 56-bit encryption key; other types use 128-bit keys up through 2048 bits

Slide 5-14
Public Key Encryption
• Public key cryptography solves the symmetric key encryption problem of having to exchange a secret key
• Uses two mathematically related digital keys: a public key (widely disseminated) and a private key (kept secret by the owner)
• Either key can be used to encrypt a message; once a key has been used to encrypt a message, the same key cannot be used to decrypt it
• For example, the sender uses the recipient’s public key to encrypt a message; the recipient uses his/her private key to decrypt it
Slide 5-15
Public Key Encryption using Digital Signatures and Hash Digests

• Application of a hash function (mathematical algorithm) by the sender prior to encryption produces a hash digest that the recipient can use to verify the integrity of the data
• Double encryption with the sender’s private key (digital signature) helps ensure authenticity and non-repudiation
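An added example of the hash-digest-plus-signature step above (it is not from the slides): the sender hashes the order with SHA-256 and signs the digest with an RSA private key (RSA-PSS); the recipient recomputes the digest and verifies it with the sender's public key, so a tampered order fails. Go's standard library is used; the function names, the order text and the 2048-bit key size are this example's own assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignOrder applies the hash function first (SHA-256 digest of the order), then
// "encrypts" that digest with the sender's private key: an RSA-PSS signature.
func SignOrder(priv *rsa.PrivateKey, order []byte) ([]byte, error) {
	digest := sha256.Sum256(order)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// VerifyOrder recomputes the digest and checks it against the signature with the
// sender's public key. Any change to the order, however small, fails the check.
func VerifyOrder(pub *rsa.PublicKey, order, sig []byte) bool {
	digest := sha256.Sum256(order)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // sender's key pair, generated fresh
	if err != nil {
		panic(err)
	}
	order := []byte("order=1042;item=SKU-77;qty=1;total=49.99") // constructed sample order
	sig, err := SignOrder(priv, order)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine order verifies:", VerifyOrder(&priv.PublicKey, order, sig))
	tampered := []byte("order=1042;item=SKU-77;qty=1;total=0.99") // one field changed
	fmt.Println("tampered order verifies:", VerifyOrder(&priv.PublicKey, tampered, sig))
}
```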

Slide 5-16
Digital Envelopes
• Addresses the weaknesses of public key encryption (computationally slow, decreases transmission speed, increases processing time) and of symmetric key encryption (faster, but less secure)
• Uses symmetric key encryption to encrypt the document but public key encryption to encrypt and send the symmetric key
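An added example, not from the slides, of sealing and opening a digital envelope in Go: the document is encrypted under a fresh symmetric key (AES-256-GCM here, rather than the DES the deck names), and only that short key is encrypted with the recipient's RSA public key (OAEP). The Envelope type, the function names and the must helper are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope (constructed format): the document under a symmetric key, plus that key under the recipient's public key.
type Envelope struct {
	Nonce, Ciphertext, WrappedKey []byte
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Seal encrypts the document with a fresh symmetric key (fast), then encrypts only that short key with RSA-OAEP (slow).
func Seal(recipient *rsa.PublicKey, doc []byte) Envelope {
	key := make([]byte, 32) // AES-256 session key, new for every document
	must(rand.Read(key))
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	wrapped := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil))
	return Envelope{nonce, gcm.Seal(nil, nonce, doc, nil), wrapped}
}

// Open unwraps the session key with the private key and decrypts; a modified ciphertext fails GCM's integrity check.
func Open(recipient *rsa.PrivateKey, env Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	priv := must(rsa.GenerateKey(rand.Reader, 2048)) // recipient's key pair, generated fresh
	doc := must(Open(priv, Seal(&priv.PublicKey, []byte("order=1042;total=49.99")))) // constructed document
	fmt.Println(string(doc)) // prints the recovered order text
}
```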

Slide 5-17
Public Key Cryptography: Creating a Digital Envelope

Slide 5-18
Digital Certificates and Public Key Infrastructure (PKI)
• Digital certificate: digital document that includes:
  • Name of subject or company
  • Subject’s public key
  • Digital certificate serial number
  • Expiration date
  • Issuance date
  • Digital signature of the certification authority (CA), the trusted third party (an institution) that issues the certificate
  • Other identifying information
• Public Key Infrastructure (PKI): refers to the CAs and digital certificate procedures that are accepted by all parties
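An added example, not from the slides, of the certificate fields listed above as a CA would issue them and a browser would check them, using Go's crypto/x509: IssueCert binds the subject name, public key, serial number and validity dates and signs them with the CA's private key; VerifyChain checks that signature and the dates against a trusted root. The function names and the subject names used when running it are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// IssueCert plays the certification authority: it binds a subject name and
// public key into a certificate and signs it with the CA's private key.
// With caCert == nil the certificate is self-signed (the CA's own root).
func IssueCert(subject string, pub *rsa.PublicKey, serial int64, isCA bool,
	caCert *x509.Certificate, caKey *rsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),                   // certificate serial number
		Subject:               pkix.Name{CommonName: subject},       // name of subject
		NotBefore:             time.Now().Add(-time.Hour),           // issuance date
		NotAfter:              time.Now().Add(365 * 24 * time.Hour), // expiration date
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // a CA key may sign other certificates
	}
	parent := tmpl // self-signed unless an issuing CA certificate is given
	if caCert != nil {
		parent = caCert
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der) // the signed, DER-encoded certificate
}

// VerifyChain does what a browser does with a merchant's certificate: checks
// the CA's digital signature and the validity period against a trusted root.
func VerifyChain(leaf, root *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots})
	return err
}
```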
Slide 5-19
Limits to Encryption Solutions

• PKI applies mainly to protecting messages in transit
• PKI is not effective against insiders
• Protection of private keys by individuals may be haphazard
• No guarantee that the verifying computer of the merchant is secure
• CAs are unregulated, self-selecting organizations.
Slide 5-20
Securing Channels of Communication
• Secure Sockets Layer (SSL): most common form of securing channels of communication; used to establish a secure negotiated session (client-server session in which the URL of the requested document, along with its contents, is encrypted)
• S-HTTP: alternative method; provides a secure message-oriented communications protocol designed for use in conjunction with HTTP
• Virtual Private Networks (VPNs): allow remote users to securely access internal networks via the Internet, using Point-to-Point Tunneling Protocol (PPTP)

Slide 5-21
Protecting Networks: Firewalls and Proxy Servers
• Firewall: software application that acts as a filter between a company’s private network and the Internet
• Firewall methods include:
  • Packet filters
  • Application gateways
• Proxy servers: software servers that handle all communications originating from or being sent to the Internet (act as “spokesperson” or “bodyguard” for the organization)
Slide 5-22
Protecting Servers and Clients
• Operating system controls: authentication and access control mechanisms
• Anti-virus software: easiest and least expensive way to prevent threats to system integrity

Slide 5-23