Electronic commerce security

Electronic Commerce Security - PowerPoint PPT Presentation


PowerPoint Slideshow about ' Electronic Commerce Security' - mabyn

Presentation Transcript

Why Internet security?

  • The explosion of e-business and e-commerce is pushing both consumers and businesses to focus on security issues

  • Security becomes even more critical as clients surrender personal information to Web sites

    • Social security details

    • Credit card details

  • Companies sending confidential info via Internet

  • Security attacks are on the rise on the Internet

JER 29:11

Security Issues

  • From the user’s perspective:

    • Is the Web server owned and operated by a legitimate company?

    • Do the Web page and form contain some malicious or dangerous code or content?

    • Will the Web server distribute unauthorized information the user provides to some other party?

Security Issues (cont.)

  • From the company’s perspective:

    • Will the user not attempt to break into the Web server or alter the pages and content at the site?

    • Will the user try to disrupt the server so that it isn’t available to others?

Security Issues (cont.)

  • From both parties’ perspectives:

    • Is the network connection free from eavesdropping by a third party “listening” on the line?

    • Has the information sent back and forth between the server and the user’s browser been altered?

The four security objectives (PAIN)

  • Privacy—Info transmitted via the Internet is not captured or passed on to a third party

  • Authentication—making sure both the sender and the receiver can prove their identities to each other

  • Integrity—Info sent and received on the Internet is not altered or compromised in an unauthorized or accidental manner

  • Non-repudiation—proving legally that the message was sent or received

Related Security Objectives

  • Availability—ensuring that legitimate users are not unduly denied access to resources—computing, information and communications resources

  • S-business—secure business is the process of ensuring secure networks and secure electronic transactions

  • Auditing—collecting info about attempts to access particular resources, use particular privileges, or perform other security actions and finding preventive solutions to these threats

Requirements for Secure Electronic Commerce

How to achieve the PAIN objective

There are three ways to attain PAIN by securing transactions from start to end, that is, at:

  • The client computers

  • Communication channels between computers

  • Server computers

Supportive security measures

  • Physical security—door locks, guards, guns, multi-tier building access controls, tamper-proofing of equipment

  • Personnel security—such as employee screening and awareness, education, and training programs

  • Administrative security—such as security audit, accountability controls, and incident response planning

Threats and attacks

  • Threat

    • Any act or object that poses a danger to computer assets

    • Masquerade: An intruder pretends to be a legitimate user.

    • Sniffing: Learning passwords by observing passing traffic on a LAN

    • Password cracking: Using a computer to exhaustively guess passwords until the correct one is found

    • Trashing: Learning secrets such as passwords from a victim’s rubbish

  • Social engineering: Fooling an authorized person into disclosing account or password details in a telephone call

  • Shoulder surfing: Looking over someone’s shoulder while they type in a password.

  • System penetration: An unauthorized person gains access to a computer system and modifies system or application files, steals confidential information, or illegitimately uses resources.

Non-electronic Security Services

For example:

| Security Service | Non-electronic Mechanism |
| --- | --- |
| | Photo identification card, knowledge of mother's middle name |
| Access Control | Locks and keys, master key system, checkpoint guard |
| | Sealed letter, opaque envelope, invisible ink |
| | Indelible ink |
| | Notarised signature, certified or registered mail |

Security policy

  • Any organization concerned about protecting its e-commerce assets should have a security policy.

  • A security policy is a written statement describing what assets are to be protected, why they are to be protected, who is responsible for that protection, and which behaviors are acceptable and not.

  • The policy should address physical security, network security, access authorizations, virus protection, and disaster recovery.

Security Policy and Integrated Security

  • A written statement describing

    • Which assets to protect and why they are being protected

    • Who is responsible for that protection

    • Which behaviors are acceptable and which are not

  • First step in creating a security policy

    • Determine which assets to protect from which threats

Security Policy and Integrated Security (Continued)

  • Elements of a security policy

    • Authentication

    • Access control

    • Secrecy

    • Data integrity

    • Audit

Security for Client Computers

  • Introduction

    • Danger arises from software and data downloads from the Internet

    • Malevolent server site can masquerade as a legitimate Web site

    • Programs embedded transparently in Web pages can cause action to occur

  • Scripting languages

    • Provide scripts, or commands, that are executed

  • Applet

    • Small application program

Security for Client Computers (Continued)

  • Trojan horse

    • Program hidden inside another program or Web page that masks its true purpose

  • Zombie

    • Program that secretly takes over another computer to launch attacks on other computers

    • Attacks can be very difficult to trace to their creators

Dialog box asking for Permission to Open a Java Applet

Cookies and Web Bugs

  • Cookie Central

    • Web site devoted to Internet cookies

  • Session cookies

    • Exist until the Web client ends connection

  • Persistent cookies

    • Remain on client computer indefinitely

Cookies and Web Bugs

  • First-party cookies

    • Cookies placed on client computer by Web server site

  • Third-party cookies

    • Placed on client computer by different Web site often to track how its adverts are accessed

  • Web bug

    • Tiny graphic that a third-party Web site places on another site’s Web page, exclusively to deliver a cookie to the visitor’s computer when page is loaded
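
The cookie categories on these two slides can be read directly from HTTP response headers. As an added example (not part of the original presentation), the Python below classifies each Set-Cookie header as session or persistent and first- or third-party, and flags a cookie-setting tiny third-party image as a possible web bug. The hostnames, the 100-byte size cut-off and the two-label site comparison are assumptions made for the illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

WEB_BUG_MAX_BYTES = 100  # assumed size cut-off for a "tiny graphic"

def site_of(host):
    # Simplification: last two labels; browsers use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attributes)."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in filter(None, rest):
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def lifetime(attrs, now):
    """'session', 'persistent' or 'expired'; Max-Age overrides Expires."""
    if "max-age" in attrs:
        try:
            return "persistent" if int(attrs["max-age"]) > 0 else "expired"
        except ValueError:
            pass  # malformed Max-Age is ignored; fall back to Expires
    if "expires" in attrs:
        try:
            when = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return "session"  # unparseable date: attribute is ignored
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        return "persistent" if when > now else "expired"
    return "session"

def audit_response(page_host, resp, now=None):
    """Classify every cookie one HTTP response sets while page_host loads."""
    now = now or datetime.now(timezone.utc)
    third = site_of(resp["host"]) != site_of(page_host)
    tiny_image = (resp.get("content_type", "").startswith("image/")
                  and resp.get("content_length", 0) <= WEB_BUG_MAX_BYTES)
    return [{"cookie": parse_set_cookie(h)[0],
             "party": "third-party" if third else "first-party",
             "lifetime": lifetime(parse_set_cookie(h)[2], now),
             "web_bug": third and tiny_image}
            for h in resp.get("set_cookie", [])]

# Constructed sample data: one page view of shop.example.com.
SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_PAGE = "shop.example.com"
SAMPLE_RESPONSES = [
    {"host": "shop.example.com", "content_type": "text/html",
     "content_length": 18230, "set_cookie": ["sid=abc123; Path=/; HttpOnly"]},
    {"host": "ads.tracker.example.net", "content_type": "image/gif",
     "content_length": 43, "set_cookie": [
         "uid=778899; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/"]},
    {"host": "shop.example.com", "content_type": "text/html",
     "content_length": 512, "set_cookie": ["cart=; Max-Age=0"]},
]
```

Calling `audit_response(SAMPLE_PAGE, r, SAMPLE_NOW)` for each sample response shows the first-party session cookie, the persistent third-party cookie delivered by the 43-byte image, and a cookie the server is deleting.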

Java applets

  • Java is a high-level programming language developed by Sun Microsystems

  • Java applet—a small application program that runs within the Web browser; it downloads automatically with the page and begins running.

  • Java applets are platform independent—can run on any computer—meaning they pose a security risk

  • Java sandbox

    • Confines Java applet actions to rules defined by the security model so that they cannot perform functions like delete

  • Untrusted Java applets

    • Applets not established as secure

Active content

  • Active content refers to programs that are embedded transparently in Web pages and that cause action to occur

    • Display moving graphics

    • Download and play audio

    • Place items in a shopping cart and compute invoice, including tax, shipping costs, and handling fees, etc

    • Transfers processing to client’s computer, thereby posing a security risk

  • Best-known active content forms are

    • Cookies, Java applets, JavaScript, VBScript, and ActiveX controls

JavaScript

  • Scripting language developed by Netscape to enable Web page designers to build active content

  • Can be used for attacks by

    • Executing code that destroys client’s hard disk

    • Disclosing e-mail stored in client mailboxes

    • Sending sensitive information to attacker’s Web server

Viruses, Worms, and Antivirus Software

  • Virus

    • Software that attaches itself to another program

    • Can cause damage when host program is activated

  • Macro virus

    • Type of virus that is coded as a small program (macro) and embedded in a file

  • Antivirus software

    • Detects viruses and worms

    • Symantec and McAfee are the main firms that sell software for the control of viruses and worms

Digital Certificates

  • A program in a Web page that

    • Verifies that the sender or Web site is who or what it claims to be

  • Signed code or messages

    • Provide proof that the holder is the person identified by the certificate

  • Certification authority (CA)

    • Issues digital certificates

Digital Certificates (Continued)

  • Main elements

    • Certificate owner’s identifying information

    • Certificate owner’s public key

    • Dates between which the certificate is valid

    • Serial number of the certificate

    • Name of the certificate issuer

    • Digital signature of the certificate issuer

Steganography

  • Describes process of hiding information within another piece of information

  • Provides way of hiding an encrypted file within another file

  • Messages hidden using steganography are difficult to detect

  • Al Qaeda said to have used steganography to execute the terror attack on the US in 2001

Biometric Controls

  • Biometric systems: Authentication systems that identify a person by measurement of a biological characteristic such as a fingerprint, iris (eye) pattern, facial features, or voice

  • Physiological biometrics: Measurements derived directly from different parts of the body (e.g., fingerprints, iris, hand, facial characteristics)

  • Behavioral biometrics: Measurements derived from various actions and indirectly from various body parts (e.g., voice scans or keystroke monitoring)

Biometric Controls (cont.)

  • Fingerprint scanning: Measurement of the discontinuities of a person’s fingerprint, converted to a set of numbers that are stored as a template and used to authenticate identity

  • Iris scanning: Measurement of the unique spots in the iris (colored part of the eye), converted to a set of numbers that are stored as a template and used to authenticate identity

Biometric Controls (cont.)

  • Voice scanning: Measurement of the acoustical patterns in speech production, converted to a set of numbers that are stored as a template and used to authenticate identity

  • Keystroke monitoring: Measurement of the pressure, speed, and rhythm with which a word is typed, converted to a set of numbers that are stored as a template and used to authenticate identity; this biometric is still under development

Communication Channel Security

  • The Internet was not designed to be secure. Messages traveling on the Internet can be tapped and altered, that is, they risk necessity, secrecy, and integrity breaches

  • Secrecy

    • Prevention of unauthorized information disclosure

    • Privacy is the protection of individual rights to nondisclosure

  • Sniffer programs

    • Provide means to record information passing through a computer or router that is handling Internet traffic

Integrity Threats

  • Exists when an unauthorized party can alter a message stream of information

  • Cybervandalism

    • Electronic defacing of an existing Web site’s page

  • Masquerading or spoofing

    • Pretending to be someone you are not

  • Domain name servers (DNSs)

    • Computers on the Internet that maintain directories that link domain names to IP addresses

Threats to Wireless Networks

  • Wardrivers

    • Attackers drive around using their wireless-equipped laptop computers to search for accessible networks

  • Warchalking

    • When wardrivers find an open network they sometimes place a chalk mark on the building

Encryption Methods

  • Public key infrastructure (PKI): A scheme for securing e-payments using public key encryption and technical components

    • Encryption: The process of scrambling (encrypting) a message in such a way that it is difficult, expensive, or time-consuming for an unauthorized person to unscramble (decrypt) it

  • Cryptography

    • Science that studies encryption

Encryption methods (cont)

  • Plain text—an unencrypted message in human-readable form

  • Ciphertext—a plain text message after it has been encrypted into a machine readable form

  • Encryption algorithm—the mathematical formula used to encrypt the plain text into the ciphertext and vice versa

  • Key—the secret code used to encrypt and decrypt the message

Public (asymmetric) key encryption

  • Encodes messages by using two mathematically related numeric keys

  • Public key

    • Freely distributed to the public at large

    • Public key encrypts message

  • Private key

    • Belongs to the key owner, who keeps the key secret

    • Private key decrypts message or vice versa

Encryption Methods (cont.)

  • Symmetric (private) key system

    • Symmetric (private) key system: An encryption system that uses the same key to encrypt and decrypt the message

    • Data Encryption Standard (DES): The standard symmetric encryption algorithm used by US government agencies until October 2, 2000

    • Rijndael: The new Advanced Encryption Standard used to secure US government communications since October 2, 2000

Hash Coding

  • Process that uses a hash algorithm to calculate a number from a message of any length

  • Good hash algorithms

    • Designed so that probability of two different messages resulting in same hash value is small

  • Best way to tell whether a message has been altered in transit

  • Hash algorithms are one-way functions

    • Hash value cannot be reverted to original message

Asymmetric Encryption

  • Pretty Good Privacy (PGP)

    • One of the most popular technologies used to implement public-key encryption

    • Set of software tools that

      • Can use several different encryption algorithms to perform public-key encryption

    • Can be used to encrypt e-mail messages

Elements of PKI

  • Digital signature: An identifying code that can be used to authenticate the identity of the sender of a document

    • Portable

    • Cannot be easily repudiated or imitated, and can be time-stamped

Elements of PKI (cont.)

  • Digital signatures include:

    • Hash: A mathematical computation that is applied to a message, using a private key, to encrypt the message

    • Message digest: A summary of a message, converted into a string of digits, after the hash has been applied

  • Digital certificate: Verification that the holder of a public or private key is who they claim to be

  • Certificate authorities (CAs): Third parties that issue digital certificates

Security Protocols

  • Secure Socket Layer (SSL): Protocol that utilizes standard certificates for authentication and data encryption to ensure privacy or confidentiality

  • Transport Layer Security (TLS): As of 1996, another name for the SSL protocol

  • Secure Electronic Transaction (SET): A protocol designed to provide secure online credit card transactions for both consumers and merchants; developed jointly by Netscape, Visa, MasterCard, and others

Security for Server Computers

  • Web server

    • Can compromise secrecy if it allows automatic directory listings

    • Can compromise security by requiring users to enter a username and password

  • Dictionary attack programs

    • Cycle through an electronic dictionary, trying every word in the book as a password

Other Programming Threats

  • Buffer

    • An area of memory set aside to hold data read from a file or database

  • Buffer overrun

    • Occurs because the program contains an error or bug that causes the overflow

  • Mail bomb

    • Occurs when hundreds or even thousands of people each send a message to a particular address

Firewalls

  • Computer and software combination installed at the Internet entry point of a networked system

  • Provides a defense between

    • Network to be protected and the Internet, or other network that could pose a threat

  • All corporate communication to and from Internet flows through firewalls

Firewalls (Continued)

  • Characteristics

    • All traffic from inside to outside and from outside to inside the network must pass through firewall

    • Only authorized traffic is allowed to pass

    • Firewall itself is immune to penetration

  • Trusted

    • Networks inside the firewall

  • Untrusted

    • Networks outside the firewall

Firewalls (Continued)

  • Packet-filter firewalls

    • Examine data flowing back and forth between trusted network and the Internet

  • Gateway servers

    • Firewalls that filter traffic based on the application requested

  • Proxy server firewalls

    • Firewalls that communicate with the Internet on the private network’s behalf

Computer Forensics and Ethical Hacking

  • Computer forensics experts

    • Hired to probe PCs and locate information that can be used in legal proceedings

  • Computer forensics

    • The collection, preservation, and analysis of computer-related evidence
