1. E-commerce 2014
Kenneth C. Laudon
Carol Guercio Traver
business. technology. society.
tenth edition
Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall
3. Class Discussion
Cyberwar: MAD 2.0
What is the difference between hacking and
cyberwar?
Why has cyberwar become more potentially
devastating in the past decade?
Why has Google been the target of so many
cyberattacks?
Is it possible to find a political solution to
MAD 2.0?
4. The E-commerce Security Environment
Figure 5.1, Page 252
5. Dimensions of E-commerce Security
Integrity: ensures that information sent and received has not been altered by an unauthorized party
Nonrepudiation: the ability to ensure that participants do not deny (repudiate) their online actions
Authenticity: the ability to identify the person with whom you are dealing over the Internet
Confidentiality: information is seen only by those authorized to view it
Privacy: the ability to control who sees your information
Availability: the e-commerce site functions as intended
6. Table 5.3, Page 254
7. The Tension Between Security and Other Values
Ease of use
The more security measures are added, the more difficult a site is to use, and the slower it becomes
Security costs money, and too much of it can reduce profitability
Public safety and criminal uses of the Internet
Use of technology by criminals to plan crimes or threaten nation-states
8. Security Threats in E-commerce Environment
Three key points of vulnerability in
e-commerce environment:
1. Client
2. Server
3. Communications pipeline (Internet
communications channels)
9. A Typical E-commerce Transaction
Figure 5.2, Page 256
10. Vulnerable Points in an E-commerce
Transaction
Figure 5.3, Page 257
11. Most Common Security Threats in the
E-commerce Environment
Malicious code (malware, exploits)
Drive-by downloads: malware that comes with a downloaded file the user intentionally or unintentionally requested
Viruses
Worms: spread from computer to computer without human intervention
Ransomware (scareware): used to solicit money from users by locking up their browser or files and displaying fake notices from the FBI, the IRS, etc.
Trojan horses: appear benign but are a way to introduce viruses into a computer system
Threats at both client and server levels
12. Most Common Security Threats in the
E-commerce Environment
Malicious code (malware, exploits)
Backdoors: introduced by viruses, worms, etc.; they allow an attacker to remotely access a computer
Botnets: a collection of captured bot computers, or zombies, used to send spam, launch DDoS attacks, steal information from computers, and store network traffic for later analysis
Bots, as in robots, are malicious code that can be covertly installed on a computer when it is connected to the Internet. Once installed, they respond to external commands from the attacker
13. Most Common Security Threats (cont.)
Potentially unwanted programs (PUPs)
Example: Vista Antispyware 2013 infects computers running Vista
Browser parasites: change your computer settings
Adware: calls for pop-up ads when you visit sites
Spyware: may be used to obtain information such as keystrokes, e-mail, IM, etc.
Phishing
Social engineering relies on human curiosity, greed, and gullibility to trick users into taking actions that result in downloading malware
E-mail scams
Spear-phishing: messages appear to come from a trusted source
Identity fraud/theft
14. Most Common Security Threats (cont.)
Hacking
Hackers gain unauthorized access
White hats: their role is to help identify and fix vulnerabilities
Black hats: intent on causing harm
Grey hats: break in to expose flaws and report them without disrupting the company; they may even try to profit from the event
Crackers have criminal intent
Hacktivists are politically motivated (e.g., Greenpeace)
15. Most Common Security Threats (cont.)
Cybervandalism:
Disrupting, defacing, destroying Web site
Data breach
Losing control over corporate information to
outsiders
16. Insight on Business: Class Discussion
We Are Legion
What organization and technical failures
led to the data breach on the
PlayStation Network?
Are there any positive social benefits of
hacktivism?
Have you or anyone you know
experienced data breaches or
cybervandalism?
17. Most Common Security Threats (cont.)
Credit card fraud/theft
Spoofing involves attempting to hide a true identity by using someone else’s e-mail or IP address
Pharming: automatically redirecting a Web link to a fake address
Spam (junk) Web sites (link farms) promise to offer products but are just full of ads
Identity fraud/theft involves the unauthorized/illegal use of another person’s data
Denial of service (DoS) attack: hackers flood a site with useless traffic to overwhelm the network
18. Most Common Security Threats (cont.)
Distributed denial of service (DDoS) attack: uses numerous computers to launch attacks on sites or computer systems; the attack comes from several locations
19. Most Common Security Threats (cont.)
Sniffing: a sniffer is a type of eavesdropping program that monitors information traveling over a network
Insider attacks: caused by employees
Poorly designed server and client software leads to SQL injection attacks, which take advantage of poorly coded applications that fail to validate data entered by Web users
Zero-day vulnerability: a software vulnerability, reported or unreported, for which no current fix exists
Social network security issues, like forgetting to log out, connecting with strangers, and exposing too much information
20. Most Common Security Threats (cont.)
Mobile platform security issues
Vishing works like phishing but does not always occur over the Internet; it is carried out using voice technology. A vishing attack can be conducted by voice e-mail, VoIP (voice over IP), or landline or cellular telephone.
Smishing exploits SMS/text messages that may contain links and other personal information that may be exploited
Madware: innocent-looking apps containing adware that launches pop-up ads and text messages on your mobile device (mobile + adware = madware)
Cloud security issues: for example, DDoS attacks threaten the availability and viability of cloud services
21. Insight on Technology: Class Discussion
Think Your Smartphone Is Secure?
What types of threats do smartphones face?
Are there any particular vulnerabilities to this
type of device?
Are apps more or less likely to be subject to
threats than traditional PC software
programs?
22. Technology Solutions
Protecting Internet communications
Encryption: altering plain text so that it cannot be read by anyone other than the sender and receiver
It provides security for 4 of the 6 security dimensions:
Integrity, by ensuring the message has not been tampered with
Nonrepudiation, by preventing users from denying they sent the message
Authentication, by verifying the identity of the person or computer sending the message
Confidentiality, by ensuring the message was not read by others
23. Types of Encryption
A cipher is a disguised way of writing: a code in which the letters of the message are systematically replaced by other letters
Transposition cipher: ordering the letters in some systematic way, e.g., reverse order, or 2 letters ahead
Symmetric key: both sender and receiver use the same key to encrypt and decrypt the message. The key is sent over a secure line or exchanged in person
Data Encryption Standard: developed by IBM and the NSA; now we have 128-, 192-, and 256-bit encryption
Google is coming out with 2048-bit keys
24. Symmetric Key Encryption
Sender and receiver use the same digital key to encrypt and decrypt the message
Requires sophisticated mechanisms to securely distribute the secret key to both parties
Requires a different set of keys for each transaction
Strength of encryption
Length of the binary key used to encrypt data
Data Encryption Standard (DES)
Advanced Encryption Standard (AES)
Most widely used symmetric key encryption
Uses 128-, 192-, and 256-bit encryption keys
Other standards use keys with up to 2,048 bits
25. Common ways of Sending of Keys
The establishment of symmetric keys can be performed in
several ways:
Authenticated Key Agreement (KA) is the ability to construct a key, agree
on it, and then validate it.
Sending of an (authenticated) encrypted key, also known as key wrapping
Derivation from a base key using a Key Derivation Function (KDF), using
other data as input, for instance a unique number. If derivation is used
for multiple devices it is often called key diversification.
Ways to send or exchange keys:
By a previous telephone call
Sending a letter
Meeting in a pub (handing over a USB stick or other data carrier)
Creating a key from key parts held by different persons
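The key derivation and key diversification bullets above, as an added Go example that is not part of the Laudon and Traver deck: one base key is turned into a distinct key per device by a NIST SP 800-108 counter-mode KDF built on HMAC-SHA256. The base key, the label and the device serial numbers are constructed sample values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// deriveKey implements the NIST SP 800-108 KDF in counter mode with
// HMAC-SHA256. It mixes a label (the key's purpose) and a context (here
// the device's unique number) into the base key:
//   K(i) = HMAC(base, [i]_32 || label || 0x00 || context || [L]_32)
// where L is the requested key length in bits. Changing a single byte of
// the context yields an unrelated key; that is the "key diversification"
// the slide describes.
func deriveKey(baseKey []byte, label, context string, length int) []byte {
	var out []byte
	lenBits := make([]byte, 4)
	binary.BigEndian.PutUint32(lenBits, uint32(length*8))
	for i := uint32(1); len(out) < length; i++ {
		mac := hmac.New(sha256.New, baseKey)
		ctr := make([]byte, 4)
		binary.BigEndian.PutUint32(ctr, i)
		mac.Write(ctr)
		mac.Write([]byte(label))
		mac.Write([]byte{0x00})
		mac.Write([]byte(context))
		mac.Write(lenBits)
		out = append(out, mac.Sum(nil)...)
	}
	return out[:length]
}

// deviceKeys derives one 256-bit key per device serial from the shared
// base key, so a key recovered from one device says nothing about another's.
func deviceKeys(baseKey []byte, serials []string) map[string][]byte {
	keys := make(map[string][]byte, len(serials))
	for _, s := range serials {
		keys[s] = deriveKey(baseKey, "device-auth-key", s, 32)
	}
	return keys
}

func main() {
	// Constructed sample base key; a real one would live in an HSM or KMS.
	base := []byte("example-base-key-32-bytes-long!!")
	for serial, k := range deviceKeys(base, []string{"SN-0001", "SN-0002"}) {
		fmt.Printf("%s -> %s\n", serial, hex.EncodeToString(k))
	}
}
```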
26. Public Key Encryption using Digital Signatures
and Hash Digests
A hash function is any function that can be used to map data of arbitrary size to data of fixed size. The values returned by a hash function are called hash values, hash codes, digests, or simply hashes. The output is often shorter than the input.
The hash digest of a message is sent to the recipient along with the message to verify integrity
Hash digest and message are encrypted with the recipient’s public key
Example of a hash algorithm: http://www.metamorphosite.com/one-way-hash-encryption-sha1-data-software
27. Public Key Encryption using Digital Signatures
and Hash Digests
The entire cipher text is then encrypted with the recipient’s private key, creating a digital signature, for authenticity and nonrepudiation
A digital signature is a type of electronic signature that encrypts documents with digital codes that are particularly difficult to duplicate
Example of a WEP generator: http://www.andrewscompanies.com/tools/wep.asp
28. Hashing
It is possible for two different messages to produce identical hash values (a collision), but it is extremely unlikely
For example, in Java, the hash code is a 32-bit integer.
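The hash-and-sign flow of the preceding three slides, as an added Go example that is not code from the deck: the sender hashes the message with SHA-256 and signs the digest with the sender's private key (RSA-PSS), which is what lets the recipient verify it with the sender's public key; any change to the message or the signature makes verification fail. The order text is a constructed sample.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// signMessage hashes the message with SHA-256 and signs only the 32-byte
// digest with the sender's private key. The signature therefore has the
// same size however long the message is.
func signMessage(senderPriv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
}

// verifyMessage recomputes the digest from the received message and checks
// the signature with the sender's public key. It returns false if the
// message or the signature was altered in transit (integrity) or if the
// signature was not made by the holder of that private key (authenticity).
func verifyMessage(senderPub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], sig, nil) == nil
}

func main() {
	// The sender's key pair; 2048 bits, as the deck mentions for current keys.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	order := []byte("order 1234: ship 2 units to 10 Main St, total $49.90")
	sig, err := signMessage(priv, order)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine order verifies:", verifyMessage(&priv.PublicKey, order, sig))
	// One changed digit in the quantity changes the digest, so the signature no longer matches.
	tampered := []byte("order 1234: ship 20 units to 10 Main St, total $49.90")
	fmt.Println("tampered order verifies:", verifyMessage(&priv.PublicKey, tampered, sig))
}
```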
29. Types of Encryption
Public key: there are two mathematically related keys, a public key and a private key. The private key is kept secret by the owner and the public key is disseminated to the public. Both keys are used to encrypt and decrypt the message. Once the keys are used, they can no longer be used to unencrypt the message. They are one-way, irreversible functions.
Hash function: creates a fixed-length number that replaces the original message; the hash is then used to recreate the message on the recipient side (Fig. 5.7)
Digital signature: signed cipher text sent over the Internet
30. Types of Encryption
Digital envelope: uses symmetric encryption for large documents
Digital certificate (DC): issued by a trusted third party known as a certification authority; contains the subject name, public key, digital certificate serial number, expiration date, issuance date, and digital signature
There are various types of certificates (personal, institutional, Web server, software publisher, and Certificate Authority (CA))
Verisign, the post office, and the Fed Reserve issue certificates
Public key infrastructure (PKI): when you sign into a secure site you see the “s” or the lock, which means the site has a digital certificate issued by a CA
31. Technology Solutions
Securing channels of communication
Secure Socket Layer: a secure negotiated session is a client-server session in which the URL of the requested document, its contents, and cookies are encrypted through a series of communication handshakes between computers. A unique symmetric encryption session key is chosen for each session
VPNs allow computers to securely communicate via tunneling by adding invisible encrypted wrappers around messages to hide their contents
32. Technology Solutions
Securing channels of communication
Protecting networks
Firewalls are hardware/software that filter communication packets and prevent unauthorized access
They filter traffic based on packets, IP address, type of service (HTTP, WWW), domain name, etc.
Two ways to validate traffic:
Packet filters examine whether packets are destined for a prohibited port or originate from one
Application gateways filter traffic based on the application being requested
33. Technology Solutions
Securing channels of communication
Protecting networks
Proxy servers are software servers that handle communication by acting as a spokesperson and bodyguard for the organization. To local computers, proxy servers are known as a gateway, but to external servers they are known as a mail server. Proxy servers sit between users and back-end systems. They may be used to restrict access by employees.
34. Technology Solutions
Securing channels of communication
Protecting networks
Intrusion detection systems (IDS) monitor traffic looking for patterns or preconfigured rules that may indicate an attack
Intrusion prevention systems (IPS) prevent attacks by taking action to block the attack
35. Tools Available to Achieve Site Security
Figure 5.5, Page 276
36. Public Key Cryptography: A Simple Case
Figure 5.6, Page 279
37. Public Key Cryptography with Digital
Signatures
Figure 5.7, Page 281
38. Creating a Digital Envelope
Figure 5.8, Page 282
39. Digital Certificates and Certification
Authorities
Figure 5.9, Page 283
40. Limits to Encryption Solutions
Doesn’t protect the storage of the private key
PKI is not effective against insiders and employees
Protection of private keys by individuals may be haphazard
No guarantee that the verifying computer of the merchant is secure
CAs are unregulated, self-selecting organizations
41. Secure Negotiated Sessions Using SSL/TLS
Figure 5.10, Page 286
42. Firewalls and Proxy Servers
Figure 5.11, Page 289
43. Protecting Servers and Clients
Operating system security enhancements
Upgrades, patches
Anti-virus software
Easiest and least expensive way to prevent
threats to system integrity
Requires daily updates
44. Management Policies, Business
Procedures, and Public Laws
Worldwide, companies spend more
than $65 billion on security hardware,
software, services
Managing risk includes:
Technology
Effective management policies
Public laws and active enforcement
45. A Security Plan: Management Policies
Risk assessment
Security policy
Implementation plan
Security organization
Access controls
Authentication procedures, including biometrics
Authorization policies, authorization management
systems
Security audit: provides the ability to audit access logs for security breaches and unauthorized use
46. Developing an E-commerce Security Plan
Figure 5.12, Page 291
47. The Role of Laws and Public Policy
Laws that give authorities tools for identifying,
tracing, prosecuting cybercriminals:
National Information Infrastructure Protection Act of 1996
USA Patriot Act
Homeland Security Act
Private and private-public cooperation
Community Emergency Response Team (CERT) Coordination
Center
US-Computer Emergency Response Team (US-CERT)
Government policies and controls on encryption
software
OECD, G7/G8, Council of Europe, Wassenaar Arrangement
48. Types of Payment Systems
Cash
Most common form of payment
Instantly convertible into other forms of value
No float
Checking transfer
Second most common payment form in United States
Credit card
Credit card associations (VISA, Mastercard)
Issuing banks
Processing centers are clearing houses.
49. Types of Payment Systems (cont.)
Stored value
Funds deposited into account, from which funds
are paid out or withdrawn as needed (PayPal)
Debit cards, gift certificates
Peer-to-peer payment systems (PayPal)
Accumulating balance
Accounts that accumulate expenditures and to which consumers make periodic payments
Utility, phone, American Express accounts
50. Payment System Stakeholders
Consumers
Low-risk, low-cost, refutable, convenience, reliability
Merchants
Low-risk, low-cost, irrefutable, secure, reliable
Financial intermediaries
Secure, low-risk, maximizing profit
Government regulators
Security, trust, protecting participants and enforcing
reporting
51. E-commerce Payment Systems
Credit cards
42% of online payments in 2013 (United States)
Debit cards
29% of online payments in 2013 (United States)
Limitations of online credit card
payment
Security, merchant risk
Cost
Social equity
52. How an Online Credit Transaction Works
Figure 5.15, Page 302
53. Alternative Online Payment Systems
Online stored value systems:
Based on value stored in a consumer’s bank,
checking, or credit card account
Example: PayPal
Other alternatives:
Amazon Payments
Google Checkout
Bill Me Later
WUPay, Dwolla, Stripe
54. Mobile Payment Systems
Use of mobile phones as payment devices
established in Europe, Japan, South Korea
Near field communication (NFC)
Short-range (2”) wireless for sharing data between
devices
Expanding in United States
Google Wallet
Mobile app designed to work with NFC chips
PayPal
Square
55. Digital Cash and Virtual Currencies
Digital cash
Based on algorithm that generates unique
tokens that can be used in “real” world
Example: Bitcoin
Virtual currencies
Circulate within internal virtual world
Example: Linden Dollars in the virtual world
called Second Life, Facebook Credits
56. Insight on Society: Class Discussion
Bitcoin
What are some of the benefits of using a
digital currency?
What are the risks involved to the user?
What are the political and economic
repercussions of a digital currency?
Have you or anyone you know ever used
Bitcoin?
57. Electronic Billing Presentment and
Payment (EBPP)
Online payment systems for monthly bills
50% of all bill payments
Two competing EBPP business models:
Biller-direct (dominant model)
Consolidator or 3rd party like your bank
Both models are supported by EBPP
infrastructure providers