
E-Commerce: Business. Technology. Society

CHAPTER 4
E-commerce Security and Payment Systems
MSc Ta Minh Thao

Copyright © 2023 Pearson Education, Inc. All Rights Reserved


Learning Objectives
4.1 Understand the scope of e-commerce crime and security problems, the key dimensions of e-commerce security, and the tension between security and other values.
4.2 Identify the key security threats in the e-commerce environment.
4.3 Describe how technology helps secure Internet communications channels and protect networks, servers, and clients.
4.4 Appreciate the importance of policies, procedures, and laws in creating security.
4.5 Identify the major e-commerce payment systems in use today.
4.6 Describe the features and functionality of electronic billing presentment and payment systems.



The E-commerce Security Environment
1. Overall size and losses of cyber-crime unclear
2. Average total cost of data breach to U.S. corporations was almost $4 million (2018)
3. Low-cost web attack kits
4. Online credit card fraud
5. Underground economy marketplace



What Is Good E-commerce Security?
 To achieve the highest degree of security:
- New technologies
- Organizational policies and procedures
- Industry standards and government laws



Customer and Merchant Perspectives on the
Different Dimensions of E-commerce Security



The Tension Between Security and Other Values
 Ease of use
- The more security measures added, the more difficult a site is to use, and the slower it becomes
 Public safety and criminal uses of the Internet
- Use of technology by criminals to plan crimes or threaten nation-states
 Why China's New Digital Currency Raises Privacy Concerns
https://www.youtube.com/watch?v=Y6YLQXM5izM



Security Threats in the E-commerce Environment
 Three key points of vulnerability in e-commerce environment:
- Client
- Server
- Communications pipeline (Internet communications channels)
 The most common and most damaging forms of security
threats to e-commerce consumers and site operators
- Malicious code
- Potentially unwanted programs
- Phishing
- Hacking
- Cybervandalism
Malicious Code
 Exploits and exploit kits
 Malvertising
 Drive-by download
 Viruses
 Worms
 Ransomware (scareware)
 Trojan horses
 Backdoors
 Bots, botnets



Potentially Unwanted Programs
 Browser parasites
- Monitor and change user’s browser
 Adware
- Used to call pop-up ads
 Spyware
- Tracks user’s keystrokes, e-mails, IMs, etc.



Phishing
 Any deceptive, online attempt by a third party to obtain
confidential information for financial gain
 Tactics
- Social engineering
- E-mail scams
- Spear phishing
 Used for identity fraud and theft



Hacking, Cybervandalism and Hacktivism
 Hacking
- Hackers vs. crackers
- Goals: cybervandalism, data breaches
 Cybervandalism
- Disrupting, defacing, destroying website
 Hacktivism
- Hacktivists attack governments, organizations and individuals for political purposes



Data Breaches
 When organizations lose control over corporate information
to outsiders
 Leading causes
- Hacking
- Employee error/negligence
- Accidental e-mail/Internet exposure
- Insider theft
Credit Card Fraud/Theft
 Systematic hacking and looting of corporate servers storing credit card information is the primary cause of stolen credit cards and card information.
 Central security issue: establishing customer identity
- E-signatures
- Multi-factor authentication
- Fingerprint identification, face ID (biometric devices)



Identity Fraud/Theft
 Unauthorized use of another person’s personal data
for illegal financial benefit
- Social security number
- Driver’s license
- Credit card numbers
- Usernames/passwords



Spoofing, Pharming, and Spam (Junk) Websites
 Spoofing
- Attempting to hide true identity by using someone else’s e-mail or IP address
 Pharming
- Automatically redirecting a web link to a different address,
to benefit the hacker
 Spam (junk) websites
- Offer collection of advertisements for other sites, which
may contain malicious code



Sniffing and Man-in-the-Middle Attacks

 Sniffer
- Eavesdropping program monitoring networks
- Can be used by criminals to steal proprietary information
 E-mail wiretaps
- Recording e-mails at the mail server level
 Man-in-the-middle attack
- The attacker intercepts and changes communication between
two parties who believe they are communicating directly
Denial of Service (DoS) and
Distributed Denial of Service (DDoS) Attacks
 Denial of service (DoS) attack
- Flooding website with pings and page requests
- Overwhelm and can shut down site’s web servers
- Often accompanied by blackmail attempts
- Botnets
 Distributed Denial of Service (DDoS) attack
- Uses hundreds or thousands of computers to attack target
network
- Can use devices from the Internet of Things, mobile devices
Insider Attacks
 Largest threat to business institutions comes from insider embezzlement
 Employee access to privileged information
 Poor security procedures
 Insiders more likely to be source of cyberattacks than outsiders



Poorly Designed Software
 The increase in complexity of and demand for software has led to an increase in flaws and vulnerabilities
- SQL injection attacks
- Zero-day vulnerability
- Heartbleed bug



Social Network Security Issues
 Social networks are an environment for:
- Viruses, site takeovers, identity fraud, malware-loaded apps, click hijacking, phishing, spam
 Manual sharing scams
 Fake offerings, fake Like buttons, and fake apps



Mobile Platform Security Issues
 Vishing
 Smishing
 SMS spoofing
 Madware



Cloud Security Issues
 DDoS (distributed denial of service) attacks
 Lack of encryption and strong security procedures
 Dropbox, a popular cloud file-sharing service, where data could be accessed without authorization



Internet of Things (IoT) Security Issues
 IoT: the use of the Internet to connect a wide variety of devices, machines and sensors
 Challenging environment to protect
- Vast quantity of interconnected links
- Near identical devices with long service lives
- Many devices have no upgrade features
- Little visibility into workings, data, or security
Technology Solutions (1 of 3)
 Protecting Internet communications
- Encryption: transforms the message into code
- These four key dimensions of e-commerce security involve encryption:
• Message integrity
• Nonrepudiation
• Authentication
• Confidentiality
- Availability and privacy do not relate to encryption.



Technology Solutions (2 of 3)
 Public key cryptography
- Public key cryptography uses two mathematically related
digital keys.
- Public key cryptography does not ensure message integrity.
- Public key cryptography is based on the idea of irreversible
mathematical functions.
 Securing channels of communication
- SSL, TLS, VPNs, Wi-Fi



Technology Solutions (3 of 3)
 Protecting networks
- Firewalls: hardware or software that act as a filter to prevent unwanted packets from entering a network
- Proxy servers: software servers that handle all communications from or sent to the Internet (dual home systems)
 Protecting servers and clients
- OS security
- Anti-virus software: easiest and least expensive way to prevent threats to system integrity



Tools Available to Achieve E-commerce Security



Securing Channels of Communication (1 of 2)
 Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
- Establishes secure communication by verification of username
and password (credit card processing)
- Processes the certificates and private/public key information
issued for authentication of an online merchant
 Virtual Private Network (VPN)
- Allows remote users to securely access the internal network via
the Internet



Securing Channels of Communication (2 of 2)
 Digital certificate includes:
- Name of subject/company
- Subject's public key
- Digital signature of the certification authority
- Digital certificate serial number
- Expiration date, issuance date
- Digital signature of CA
 Wireless (Wi-Fi) networks
- WPA2 is the current standard used to protect Wi-Fi networks
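The following added example (not code from the slides or the textbook) ties the public key cryptography slide and the digital certificate slide together: a textbook RSA key pair, the two mathematically related keys, is used for confidentiality and for signing, a check shows that encryption alone gives no message integrity, and a certificate carrying the fields listed above is verified against the CA's signature and its validity dates. The primes, merchant name and field layout are constructed for illustration only, and the key sizes are far too small for real use.

```python
import hashlib
from datetime import date

def make_keypair(p: int, q: int, e: int = 17):
    """Textbook RSA over two constructed tiny primes (illustrative only). Public and
    private key are related through n = p*q; recovering d from (e, n) means factoring n."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)          # (public key, private key)

def digest(data: bytes, n: int) -> int:
    # Message integrity comes from the hash, not from RSA itself.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def encrypt(m: int, pub) -> int:          # confidentiality: anyone can encrypt
    e, n = pub
    return pow(m, e, n)

def decrypt(c: int, priv) -> int:         # only the private-key holder can decrypt
    d, n = priv
    return pow(c, d, n)

def sign(data: bytes, priv) -> int:       # authentication and nonrepudiation
    d, n = priv
    return pow(digest(data, n), d, n)

def verify(data: bytes, sig: int, pub) -> bool:
    e, n = pub
    return pow(sig, e, n) == digest(data, n)

def encryption_alone_lacks_integrity(pub, priv, m: int = 42) -> bool:
    """A ciphertext altered in transit still decrypts without error (textbook RSA is
    malleable: the receiver silently gets 2*m), so integrity needs a signature too."""
    altered = (encrypt(m, pub) * encrypt(2, pub)) % pub[1]
    return decrypt(altered, priv) == (2 * m) % pub[1]

def cert_bytes(cert: dict) -> bytes:
    # The fields the slide lists, serialised in a fixed order so the CA signs all of them.
    fields = ("subject", "public_key", "serial", "issued", "expires")
    return "|".join(str(cert[f]) for f in fields).encode()

def issue_certificate(subject, subject_pub, serial, issued, expires, ca_priv) -> dict:
    cert = {"subject": subject, "public_key": subject_pub, "serial": serial,
            "issued": issued, "expires": expires}
    cert["ca_signature"] = sign(cert_bytes(cert), ca_priv)   # digital signature of CA
    return cert

def verify_certificate(cert: dict, ca_pub, today: date) -> bool:
    # What a client checks before trusting the merchant's key: CA signature and validity window.
    return (verify(cert_bytes(cert), cert["ca_signature"], ca_pub)
            and cert["issued"] <= today <= cert["expires"])
```

Requires Python 3.8 or later for the modular inverse via `pow(e, -1, phi)`.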
Management Policies, Business Procedures, and Public Laws
 Managing risk includes:
- Technology
- Effective management policies, e.g. an authorization management system restricts access to private information within a company’s Internet infrastructure and specifies where and when a user is permitted to access certain parts of a website
- Public laws and active enforcement



Developing an E-commerce Security Plan
 The security organization typically administers access control, authentication procedures and authorization policies. Biometric devices, e.g. face ID, can be used for verification of an individual.
 Examples of access control: firewalls, proxy servers, login procedures



E-commerce Payment Systems
 In the U.S., credit and debit cards are primary online payment methods
- Other countries have different systems
 Limitations of online credit card payment
- Security, merchant risk
- Cost
- Social equity



Blockchain and Cryptocurrencies
 Blockchain: a technology that enables organizations to create and verify transactions on a network nearly instantaneously without a central authority
 Cryptocurrency: purely digital asset that works as a medium of exchange using cryptography
 Bitcoin: most prominent example of cryptocurrency in use today



How Blockchain Works



Electronic Billing Presentment and Payment (EBPP)
 Online payment systems for monthly bills
 Four EBPP business models
(Figure: major players in the U.S. EBPP marketspace)
 All models are supported by EBPP infrastructure providers



END OF CHAPTER 4
THANK YOU !
