Lesson 18 Electronic Payment Systems

PowerPoint Slideshow about 'Lesson 18 Electronic Payment Systems' - mike_john


Presentation Transcript
Overview
  • Data Transaction Systems
  • Securing the Transaction
  • Real World Examples
Data Transaction Systems
  • Stored Account Systems
    • Modeled after existing electronic payment systems such as credit/debit card transactions
    • New way of shifting funds electronically over the internet (Paving Cow Paths)
  • Stored Value Payment Systems
    • Use bearer certificates much like hard cash
    • Bearer certificates reside within PCs or smart cards
Stored Account Systems
  • Uses existing infrastructure for transactions
  • Actual monetary value never leaves bank
  • Accounting in the future through clearing houses and settlement systems
  • Hallmarks are:
    • High accountability
    • Traceability
Stored Account Systems(2)
  • Payment systems have defined their own secure technologies
  • 1995: $13 trillion, in 3 billion transactions by 4 clearing houses
  • Fed Reserve Fedwire transfers $1 trillion/day
  • Fraud exists now but risk management models in place
Stored Account Systems(3)
  • Protocols for supporting credit card types of transactions have been defined and implemented for E-commerce
    • First Virtual’s Internet Payment System
    • Cyber Cash’s Secure Internet Payment System
    • Secure Electronic Transaction (SET)
  • Many new technologies emerge daily
  • Security and convenience will rule the market place--it’s a balancing act
Stored Value Payment Systems(SVPS)
  • Attempts to replace cash with electronic equivalent….E-Cash
    • No More Cow Paths
  • Instantaneous transfer of value, does not require bank approval
  • Security stakes are much higher than stored account systems
  • Attributes: absence of control and auditing
SVPS(2)
  • Possible to counterfeit E-Cash
  • Typically used in small-value transactions
    • Small value transaction market = $8 trillion
  • Lack of privacy bothers some
  • Finding new cow paths not easy
SVPS(3)
  • Author says: “most exciting, innovative, and risky forms of accepting payment”
  • Replaces currency with digital equivalent
  • Value placed directly on hardware tokens such as PCs or Smart Cards
  • Goal: have the advantages of hard currency systems over an electronic medium
Attributes of Hard Currency
  • Advantages
    • Not easily traceable
    • Instantaneous payment
    • No bank interference
  • Disadvantages
    • Costly to transport
    • Costly to protect
    • Easily lost or stolen
    • Can be forged
    • Parties must be in close proximity to exchange
SVPS Pros/Cons
  • Pros
    • Instantaneous (no approval needed)
    • Potentially Anonymous (traceability hard)
    • Supports low-value payment
  • Cons
    • Secret key from one can be used for many
    • Secret key extraction makes counterfeit money indistinguishable for E-Cash
  • SVPS must strike balance between privacy and tracking illicit activity
How E-Cash Works
  • E-Cash stored in an electronic device, called a hardware token
    • Secure processor and non-volatile memory
  • Consumers load money into token
    • Token’s value counter is incremented
    • Or Value loaded as register-based cash & electronic coins
  • Payment can be made on-line or off-line
E-Cash Online Payment
  • Purchaser deals directly with seller’s hardware token device
  • Bank must be an intermediary
    • Allows for traceability
  • The H/W devices must be interoperable
Off-line Payment
  • Buyer’s H/W token interfaces with seller’s device
    • IR, dial-up modem, or the Internet
  • Seller’s device increases by transaction amount
  • Buyer’s device decreases by transaction amount
  • Safeguards needed to prevent “counter” malfunction
  • E-Cash ultimately must be sold back to issuing bank
E-Cash Representation
  • A value stored in a counter of a H/W token (aka register-based)
  • Form of cryptographic tokens called electronic coins
  • E-Coin System (“A Purse”)
    • Cents = count + digital signature
    • $ = count + digital signature
    • 5$ = count + digital signature
    • Token value is sum of all
  • Register Based
    • Basic unit = 1 cent
    • Token cntr = 10000
    • Token value = $100.00

Securing E-Cash
  • Security concerns for SVPS >> SAPS
    • Main reason: lack of traceability → fraud potential
  • Main concern: potential to illegally add value to the H/W token
  • Physical Attacks on H/W token
  • Protocol based attack that mimics a paying device
Physical Attacks
  • An attempt to alter non-volatile memory
    • Device needs to be shielded so it’s tamper resistant
    • or device needs to be tamper evident
Protocol Attacks
  • Device counter illegally incremented by “fake” paying device
    • Secure authentication needed to ensure “fakes” don’t work
    • Best way is for both devices to share a symmetric cryptographic key
    • All devices do not use a master key
    • Secret key = master key + device unique ID
Protocol Attacks(2)
  • Key must be resistant to replay attacks
    • Wiretap captures key and “replays” the session
    • Challenge/Response systems can thwart replay attacks
  • Gives motive for the token bearer to recover secret key
    • Greed is a powerful sin
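
The per-device key and challenge/response scheme from the two Protocol Attacks slides, as an added example that is not part of the original presentation. HMAC-SHA256 as the derivation and response function, the class names, the demo key and the choice to let the receiving token hold the master key are assumptions; the slides only say the secret key combines a master key with the device unique ID.

```python
import hashlib
import hmac
import secrets

MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)  # constructed demo key

def derive_device_key(master_key: bytes, device_id: bytes) -> bytes:
    # Assumption: HMAC-SHA256 as the "master key + device unique ID" derivation.
    return hmac.new(master_key, b"ecash-device|" + device_id, hashlib.sha256).digest()

def mac(key: bytes, challenge: bytes, amount_cents: int) -> bytes:
    # The response covers the challenge and the amount, so neither can be swapped.
    return hmac.new(key, challenge + amount_cents.to_bytes(8, "big"), hashlib.sha256).digest()

class PayingDevice:
    """Buyer's token: stores only its own diversified key, never the master key."""
    def __init__(self, device_id: bytes, device_key: bytes):
        self.device_id, self._key = device_id, device_key

    def respond(self, challenge: bytes, amount_cents: int) -> bytes:
        return mac(self._key, challenge, amount_cents)

class ReceivingToken:
    """Seller's token (assumed to hold the master key in tamper-resistant storage)."""
    def __init__(self, master_key: bytes):
        self._master, self.counter, self._challenge = master_key, 0, None

    def new_challenge(self) -> bytes:
        self._challenge = secrets.token_bytes(16)  # fresh and unpredictable per payment
        return self._challenge

    def credit(self, device_id: bytes, amount_cents: int, response: bytes) -> bool:
        challenge, self._challenge = self._challenge, None  # each challenge is single-use
        if challenge is None or not 0 < amount_cents < 2**63:
            return False
        expected = mac(derive_device_key(self._master, device_id), challenge, amount_cents)
        if not hmac.compare_digest(expected, response):
            return False
        self.counter += amount_cents  # value counter in cents (register-based token)
        return True

def demo():
    buyer = PayingDevice(b"token-0001", derive_device_key(MASTER_KEY, b"token-0001"))
    seller = ReceivingToken(MASTER_KEY)
    response = buyer.respond(seller.new_challenge(), 250)
    paid = seller.credit(b"token-0001", 250, response)
    seller.new_challenge()  # the next session gets a new challenge
    replayed = seller.credit(b"token-0001", 250, response)  # recorded response re-sent
    return paid, replayed, seller.counter

if __name__ == "__main__":
    print(demo())
```

Because each paying device holds only its own derived key, extracting one device's key does not reveal the keys of other devices.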
Alternative Approach
  • PKE is an alternative
    • Compromise of public key will not allow reconstruction of secret key
    • Response to challenge is digital signature
  • Disadvantage is that token cannot contain public keys for all paying devices
  • Advantage is ability to prove that accumulated value is legit
    • Digital signatures from paying devices authorize the accumulated values
Securing the Transaction: WEB Protocols
  • SSL: provides secure channel between Web clients and Web servers
    • Layered approach--remember protocol stack
    • Secures channel by providing end-to-end encryption of the data
    • Prevents “easy” packet sniffing
  • S-HTTP: application level protocol
Protocol and Security: SSL
  • [Diagram: protocol stacks labelled SECURE and NOT SECURE; layers shown: HTTP, SMTP, FTP, SSL, TCP, IP]
Protocol and Security: SHTTP
  • [Diagram: protocol stacks labelled SECURE and NOT SECURE; one stack is HTTP, TCP, IP and the other is HTTP, Security, TCP, IP]

Securing the Transaction(2)
  • Certificate Authority (CA)
    • Endorses identity of the Web server (or user)
    • No assurance of the quality of Web content
    • Users implicitly trust any sites that come loaded in their browser

The Little Yellow Lock = Warm Fuzzy

Secure Payment Protocols (SPP) vs WEB Protocols
  • SPPs provide a method to assure a merchant’s payment
  • SPPs provide consumers assurance of credit card confidentiality
  • Web protocols (like SSL) leave payment details up to the merchant
  • Web protocols do not assure merchant will safeguard credit card number
Real World Examples
  • First Virtual
  • Cybercash
  • Secure Electronic Transactions (SET)
  • Others
First Virtual(FV)
  • WWW.fv.com--circa 1994
  • Does not use cryptography or secure communications
  • Based on exchange of email messages and customer honesty
  • Protocol is simple
  • 1996: 180,000 buyers, 2650 merchants
FV IN ACTION(1)
  • Parties: Customer, FV Merchant, First Value
  • 0. FV Merchant Setup
  • 1. Establish acct-$2 with VISA/MC
  • 2. Virtual PIN
  • 3. Request Product
  • 4. Send VPIN?
  • 5. VPIN SENT
  • 6. VPIN, Transaction via email
FV IN ACTION(2)
  • SEVERAL DAYS LATER
  • Parties: Customer, FV Merchant, First Value
  • 1. Transaction Confirmation?
  • 2. Yes, No, Fraud
  • 3. MC/VISA Charge
  • 3. Or Return product

CyberCash
  • CyberCash is downloadable application software
  • Consumers must generate public/private key pair based on RSA encryption technology
  • Merchants must also install CyberCash Library
  • Software free to stimulate acceptance
  • Future: could be integrated into browsers
  • More to come…CyberCoin, and E-Cash Soln
CyberCash(2)
  • Uses Cryptography to protect transaction data during a purchase (does not use SSL)
  • Provides a secure protocol for credit card purchases over the internet
  • Uses existing back-end credit card infrastructure for settling payment
  • Payment details of credit card transaction are specified and implemented in the protocol
CyberCash(3): Merchant’s Perspective
  • There is no separate back-office system for batch processing card transactions
  • Payment assured for each transaction before product sold
    • Much like point-of-sale(POS) credit card transactions in physical stores
CyberCash(4)
  • Credit card number is protected--even from merchants
  • Card number encrypted with CyberCash public key
  • Only the consumer, CyberCash and the bank see the credit card number
CYBERCASH IN ACTION
  • Parties: Customer, Merchant, CYBERCASH, BANK, BANK
  • 1. Register Credit Card
  • 2. Go E-Shopping, Request Product
  • 3. Invoice Sent
  • 4a. Select Cybercash Pay button in browser
  • 4b. Select Credit card from E-wallet
  • 4c. Encrypt payment info with CyberCash Public Key
  • 4d. Digitally Sign Payment info
  • 5. Send Payment Info
  • 6a. Strip Order Form
  • 6b. Digitally Sign Info
CYBERCASH IN ACTION
  • Parties: Customer, Merchant, CYBERCASH, BANK, Card Holder BANK
  • 2. Go E-Shopping, Request Product
  • 3. Invoice Sent
  • 5. Send Payment Info
  • 7. Transmit Payment info
  • 8. Decrypt payment info & verify signatures
  • 9. Brokering (Bank EDI)
  • 10. Approval/Deny
  • 20 SECONDS TOTAL
Secure Electronic Transaction (SET)
  • SET is an emerging open standard for secure credit card payments over the internet
  • Created by Mastercard and Visa
  • Specifies the mechanism for securely processing internet-based credit card orders
  • Does not specify the implementation
  • Does not specify the shopping or order process for ordering goods, payment selection, and the platform or security procedures
SET Security Assurances
  • Confidentiality -- secures payment info
  • Data integrity -- uses digital signatures
  • Client Authentication -- uses digital certificates: identity plus public key
  • Merchant authentication -- uses digital certificate
SET Steps

1. The customer opens an account with a certificate authority.
2. An issuing authority, like a bank, issues a digital certificate authenticating a customer.
3. Other third-party merchants also receive their digital certificate when they open their transaction accounts.
4. The customer places an order.

SET Steps

5. Customer verifies the merchant’s digital certificate.
6. Customer sends encrypted purchase details.
7. When the merchant receives the order, the customer’s own digital certificate is checked for authenticity as well.

SET Steps

8. The merchant then returns its own certificate, order details, customer payment information, and the bank’s digital certificate back to the bank to be used to authenticate the transaction.
9. The bank will then verify the merchant certificate and order information.
10. The bank will digitally sign and return an authorization back to the merchant.
11. When these transactions are finished, the order is completed.

SET IN ACTION
  • Parties: Customer, Merchant, BANK
  • 1. Merchant receives Digital Certificate
  • 2. Buyer Opens Acct
  • 3. Buyer receives Digital Certificate
  • 4. Place Order
  • 5. Merchant Certificate Sent
  • 6. Send encrypted purchase details w/ Certificate
  • 7. Sends order to Bank w/ customer payment info & digital certificate
SET IN ACTION
  • Parties: Buyer, Merchant, BANK
  • 2. Buyer Opens Acct
  • 3. Buyer receives Digital Certificate
  • 4. Place Order
  • 5. Merchant Certificate Sent
  • 6. Send encrypted purchase details w/ Certificate
  • 7. Sends order to Bank w/ customer payment info & digital certificate
  • 8. Bank verifies merchant certificate and order info
  • 9. Bank digitally signs & sends auth to merchant
  • 10. ORDER COMPLETE

SET Summary
  • Large industry backing
  • Supports credit card transactions on-line
  • Does not support debit card payments
  • Does not address stored-value payment solutions
  • Does not use SSL, but it could
  • Implementations:
    • Cybercash
    • RSA Data Security’s: S/PAY
Other Examples
  • DigiCash’s e-cash: stored-value cryptographic coin system
  • CyberCoin--CyberCash’s payment system for on-line commerce
    • Designed for small-value payments
  • Smart Cards
    • Conditional Access for Europe (CAFÉ)
    • Mondex
    • Visa Cash
Summary
  • Data Transaction Systems
    • Stored Account Systems
    • Stored Value Payment Systems
  • Securing the Transaction
    • SSL, S-HTTP and Secure Payment Protocols (SPP)
  • Real World Examples
    • FV, CyberCash, SET, E-Cash, and others