Topic 7 - E-Commerce Security Measure

The document discusses security measures for e-commerce transactions and mobile payments. It outlines various threats like application, web, physical and network threats. It then describes risks to buyers, merchants and other parties in e-commerce transactions. Finally, it discusses security measures that can be implemented at different levels including for customers, merchants, mobile network operators, financial institutions and governments.

Uploaded by Becky

E-Commerce Security

Security measures for mobile payments

E-Commerce security

A secure E-payment system should conform to the following elements:
• Confidentiality
• Authentication/verification
• Integrity
• Availability
• Non-repudiation
• Authorization
• Accountability
• Privacy
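As an added illustration (mine, not from the slides), the following Python script shows how integrity and authentication/verification can be enforced on a payment message with an HMAC over a canonical serialisation, plus a timestamp window and a nonce store so that a captured message cannot be replayed. The shared key, the message fields and the 300-second window are constructed demo values.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Constructed demo key shared by merchant and payment gateway (hypothetical value;
# a real deployment would provision it out of band and rotate it).
SHARED_KEY = b"constructed-demo-key-not-for-production"
REPLAY_WINDOW_SECONDS = 300  # how far a message timestamp may drift from the verifier's clock


def canonical(payload: dict) -> bytes:
    """Serialise with fixed key order so sender and verifier MAC identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_payment(payload: dict, key: bytes = SHARED_KEY, now: Optional[float] = None) -> dict:
    """Sender side: add a fresh nonce and timestamp, then attach an HMAC-SHA256 tag.
    The tag covers every field, so any change in transit is detectable (integrity),
    and only a holder of the shared key can produce it (authentication)."""
    msg = dict(payload)
    msg["nonce"] = secrets.token_hex(16)
    msg["ts"] = int(now if now is not None else time.time())
    tag = hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()
    return {"msg": msg, "mac": tag}


class Verifier:
    """Receiver side: checks the tag, the timestamp window and nonce uniqueness."""

    def __init__(self, key: bytes = SHARED_KEY) -> None:
        self.key = key
        self.seen_nonces = set()  # in production this lives in shared storage with expiry

    def verify(self, envelope: dict, now: Optional[float] = None) -> Tuple[bool, str]:
        msg = envelope.get("msg")
        tag = envelope.get("mac", "")
        if not isinstance(msg, dict) or not isinstance(tag, str):
            return False, "malformed"
        ts = msg.get("ts")
        if not isinstance(ts, (int, float)):
            return False, "malformed"
        expected = hmac.new(self.key, canonical(msg), hashlib.sha256).hexdigest()
        # compare_digest avoids leaking how many leading characters matched
        if not hmac.compare_digest(expected, tag):
            return False, "bad-mac"
        clock = now if now is not None else time.time()
        if abs(clock - ts) > REPLAY_WINDOW_SECONDS:
            return False, "stale"
        if msg.get("nonce") in self.seen_nonces:
            return False, "replay"
        self.seen_nonces.add(msg["nonce"])
        return True, "ok"


if __name__ == "__main__":
    env = sign_payment({"amount": "49.99", "currency": "KES", "merchant": "M-001"})
    v = Verifier()
    print(v.verify(env))  # (True, 'ok')
    print(v.verify(env))  # (False, 'replay')
```

An HMAC gives integrity and authentication between the two parties that hold the key, but not non-repudiation: either key holder could have produced the tag. To let a third party attribute the message to the sender, the tag would be replaced by a digital signature over the same canonical bytes, and confidentiality still needs an encrypted channel or field-level encryption.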
Categorization of threats
• Application-based threats, e.g. malware, spyware, privacy threats, vulnerable applications, etc.
• Web-based threats, e.g. phishing scams, war driving/walking, browser exploits, etc.
• Physical threats, e.g. lost or stolen devices.
• Network threats, e.g. network exploits, Wi-Fi sniffing.
E-Commerce Risks

Transaction path: Buyer → Channel → Merchant → Private network → Payment gateway / Service provider

Risks at each point:
• Buyer: information stolen from chips; password stolen from device; unauthorised access.
• Channel: use of stolen channel; information modified in transit; masquerading as legitimate merchant.
• Merchant: information stolen from merchant; key info stolen by merchant staff.
• Private network / Payment gateway / Service provider: payment info stolen; information modified in transit.

Group 7 on Mobile payments security measures
Security measures
• Integrating security into their application development process
• Implementing secure technologies to protect employees' mobile devices
• Installing solutions to enhance the security of customer-focused online banking, mobile banking and mobile payment applications
E-Commerce security is a responsibility of all stakeholders, namely the customer, merchant, network operator, financial institutions and vendors in the m-payment space.

Security measures - Customer
• Ensure physical security of their devices, e.g. mobile phones, from theft or destruction
• Use passwords and PINs for identification
• Create a PIN that is difficult to figure out; avoid obvious PINs like birth dates, names, etc.
• Frequently change their passwords and PINs
• Not keep the password and PIN together with the device
• Not share confidential information
• Download m-apps from trusted sources
• Immediately cancel a card and report it in case it is stolen
• Do not keep cards next to devices that may cause electromagnetic interference, e.g. phones
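The "avoid obvious PINs" advice can be enforced at PIN enrolment. The Python check below is an added example (not from the slides): it rejects repeated and sequential digits, a short constructed list of very common PINs, anything that reads as a date or year, and PINs derived from the customer's birth date or phone number. The common-PIN list and the 4-to-12 digit length rule are assumptions for the demo.

```python
import re
from datetime import date
from typing import List, Optional

# Short constructed denylist of PINs that recur in leaked-PIN studies;
# a deployment would use a much longer list.
COMMON_PINS = {
    "1234", "0000", "1111", "1212", "7777", "1004", "2000", "4444", "2222",
    "6969", "9999", "3333", "5555", "6666", "1122", "1313", "8888", "4321",
}


def is_sequential(pin: str) -> bool:
    """True for runs like 1234 or 9876 (constant step of +1 or -1)."""
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps in ({1}, {-1})


def looks_like_date(pin: str) -> bool:
    """True if a 4-digit PIN reads as DDMM, MMDD or a plausible year."""
    if len(pin) != 4:
        return False
    a, b = int(pin[:2]), int(pin[2:])
    as_ddmm = 1 <= a <= 31 and 1 <= b <= 12
    as_mmdd = 1 <= a <= 12 and 1 <= b <= 31
    as_year = 1900 <= int(pin) <= date.today().year
    return as_ddmm or as_mmdd or as_year


def check_pin(pin: str, birth_date: Optional[date] = None, phone: Optional[str] = None) -> List[str]:
    """Return the reasons a PIN is weak; an empty list means it passed every check."""
    if not re.fullmatch(r"\d{4,12}", pin):
        return ["PIN must be 4 to 12 digits"]
    reasons = []
    if len(set(pin)) == 1:
        reasons.append("all digits identical")
    if is_sequential(pin):
        reasons.append("sequential digits")
    if pin in COMMON_PINS:
        reasons.append("on common-PIN list")
    if looks_like_date(pin):
        reasons.append("looks like a date or year")
    if birth_date is not None:
        # every common numeric spelling of the birth date, e.g. 1503, 0315, 1985, 15031985
        forms = {birth_date.strftime(f) for f in ("%d%m", "%m%d", "%Y", "%d%m%y", "%d%m%Y", "%m%d%Y")}
        if any(f in pin or pin in f for f in forms):
            reasons.append("derived from birth date")
    if phone is not None and pin in re.sub(r"\D", "", phone):
        reasons.append("contained in phone number")
    return reasons


if __name__ == "__main__":
    print(check_pin("1234"))                                  # sequential and common
    print(check_pin("1503", birth_date=date(1985, 3, 15)))    # date-shaped, from birth date
    print(check_pin("8375"))                                  # [] (accepted)
```

The date check deliberately errs on the side of rejecting: roughly one 4-digit PIN in twelve reads as a day/month pair, which is exactly the class the slide tells customers to avoid.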
Security measures - Merchant
• Revise and review payment security standards
• Build partnerships between financial institutions and mobile network operators
• Continue to update and track the certification of third-party application devices
• Supervise the staff handling E-Commerce, e.g. by using logs for audit trails
• In case staff are discontinued, they should not retain access to accounts (close their accounts)
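The last two merchant measures combine naturally: an audit-trail review that flags actions by accounts that should no longer exist. The Python script below is an added example (not from the slides) using a constructed HR roster and constructed log lines in a hypothetical key=value format; it reports actions by unknown or discontinued accounts and, as a supervision check, refunds above an assumed review threshold.

```python
import re
from datetime import date, datetime
from typing import Dict, List, Optional

# Constructed HR roster: None means the account holder is still employed,
# a date means the account was discontinued on that day.
ROSTER: Dict[str, Optional[date]] = {
    "amina": None,
    "brian": date(2024, 3, 1),
}

# Constructed sample audit lines in the hypothetical format assumed by LINE_RE.
LOG_LINES = [
    "2024-03-02T09:01:00Z user=amina action=sale order=A1001 amount=49.99",
    "2024-03-02T09:05:00Z user=amina action=refund order=A0998 amount=15.00",
    "2024-03-03T22:41:10Z user=brian action=refund order=A1002 amount=2500.00",
    "2024-03-03T22:42:00Z user=zed action=export_customers rows=12000",
    "garbage line that should be skipped, not crash the review",
]

LARGE_REFUND = 1000.0  # review threshold, an assumed policy value

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+)(?P<rest>.*)$")


def parse_line(line: str) -> Optional[dict]:
    """Parse one audit line; return None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    # remaining key=value pairs (order, amount, rows, ...) become fields
    extras = (kv.split("=", 1) for kv in rec.pop("rest").split() if "=" in kv)
    rec.update(dict(extras))
    return rec


def review(lines: List[str], roster: Dict[str, Optional[date]],
           large_refund: float = LARGE_REFUND) -> List[dict]:
    """Return findings: actions by unknown or discontinued accounts, and large refunds."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        user, when = rec["user"], rec["ts"]
        if user not in roster:
            findings.append({"user": user, "ts": when, "reason": "unknown-account"})
        elif roster[user] is not None and when.date() >= roster[user]:
            findings.append({"user": user, "ts": when, "reason": "account-discontinued"})
        if rec["action"] == "refund" and float(rec.get("amount", 0)) >= large_refund:
            findings.append({"user": user, "ts": when, "reason": "large-refund"})
    return findings


if __name__ == "__main__":
    for f in review(LOG_LINES, ROSTER):
        print(f["ts"].isoformat(), f["user"], f["reason"])
```

Run against the sample, the review reports brian's refund twice (discontinued account and large amount) and the export by the unknown account zed, while amina's normal activity produces nothing. A finding for a discontinued account is evidence that the offboarding step on the slide was not completed, and the log line gives the time window to investigate.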
Security measures - Mobile Network Operators
• Include mobile security software, e.g. antivirus
• Ensure mobile devices used in proximity payment are certified
• General consumer education
• Adhere to security standards, e.g. ensuring authenticity, non-repudiation, etc.
• Ensure PCI DSS (Payment Card Industry Data Security Standard) and PCI PA-DSS (Payment Application DSS) requirements are met
• Encryption of sensitive data
• Control and limit the distribution channels

Security measures - Securing Channels of Communication
• SSL (Secure Socket Layer): specifically for data transmission over the internet. Data is encrypted; the risk and responsibility for transactions rests with the retailer.
• SET (Secure Electronic Transaction): intended to guarantee a safe electronic transaction and to authenticate the identity of the user on any kind of network, including the internet.

Security measures - Financial Institutions
• Adopt existing security methods
• Review existing back-office processes
• Ensure downloadable software is certified
• Close cards immediately they are reported stolen
• Design cards to self-destruct or disable in case of multiple password attempts
• Train staff and customers
• Provide physical security, such as video cameras in ATM booths

Security measures - Government
• Formulate and enforce policies
• Educate E-Commerce players
• Process (prosecute) individuals who breach security
Ethical Issues
• Many of the ethical and global issues related to IT also apply to e-business. Here you will learn about two basic issues: privacy and job loss.
• By making it easier to store and transfer personal information, e-business presents some threats to privacy.
• Another major privacy issue is tracking. For example, individuals' activities on the Internet can be tracked by cookies.
• In addition to compromising individual privacy, the use of EC may eliminate the need for some of a company's employees, as well as brokers and agents. The manner in which these unneeded workers, especially employees, are treated can raise ethical issues: How should the company handle the layoffs? Should companies be required to retrain employees for new positions? If not, how should the company compensate or otherwise assist the displaced workers?
Legal and Ethical Issues Specific to E-Commerce
Many legal issues are related specifically to e-commerce.
When buyers and sellers do not know one another and cannot even see one another, there is a chance that dishonest people will commit fraud and other crimes.
During the first few years of EC, the public witnessed many such crimes. These illegal actions ranged from creating a virtual bank that disappeared along with the investors' deposits to manipulating stock prices on the Internet.
Unfortunately, fraudulent activities on the Internet are increasing.
Domain Names
• Domain names are assigned by central nonprofit organizations that check for conflicts and possible infringement of trademarks.
• Obviously, companies that sell goods and services over the Internet want customers to be able to find them easily. In general, the closer the domain name matches the company's name, the easier the company is to locate.
• A domain name is considered legal when the person or business who owns the name has operated a legitimate business under that name for some time. Companies such as Christian Dior, Nike, Deutsche Bank, and even Microsoft have had to fight or pay to get the domain name that corresponds to their company's name.
Domain Names (Continued)
• Consider the case of Delta Air Lines. Delta originally could not obtain the Internet domain name delta.com because Delta Faucet had purchased it first.
• Delta Faucet had been in business under that name since 1954 and therefore had a legitimate business interest in the domain name.
• Delta Air Lines had to settle for delta-airlines.com until it bought the domain name from Delta Faucet.
• Delta Faucet is now at deltafaucet.com. Several cases of disputed domain names are already in court.
Cybersquatting
• Cybersquatting refers to the practice of registering or using domain names for the purpose of profiting from the goodwill or the trademark that belongs to someone else.
• The Anti-Cybersquatting Consumer Protection Act (1999) permits trademark owners in the United States to sue for damages in such cases.
• In some cases, companies engage in cybersquatting by registering domain names that are very similar to their competitors' domain names in order to generate traffic from people who misspell Web addresses.
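A brand owner can watch for the look-alike registrations described above rather than discover them from confused customers. The Python script below is an added example (not from the slides): given a constructed brand list, it flags a domain whose registrable label matches a brand after folding common look-alike characters, lies within one edit of a brand, or merely contains the brand. The brand list, homoglyph table and distance threshold are assumptions for the demo.

```python
import unicodedata
from typing import List, Sequence, Tuple

# Constructed brand list for the demo (hypothetical).
BRANDS: Sequence[str] = ("delta", "paypal", "example")

# Characters commonly substituted to imitate a letter (assumed table, not exhaustive).
SINGLE_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})
MULTI_HOMOGLYPHS = (("rn", "m"), ("vv", "w"))


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label of a host name, assuming a single-label public suffix like .com."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize(label: str) -> str:
    """Fold a label to the word it is trying to look like."""
    s = unicodedata.normalize("NFKC", label).lower().replace("-", "")
    for pair, letter in MULTI_HOMOGLYPHS:
        s = s.replace(pair, letter)
    return s.translate(SINGLE_HOMOGLYPHS)


def classify(domain: str, brands: Sequence[str] = BRANDS, max_distance: int = 1) -> List[Tuple[str, str]]:
    """Return (brand, reason) pairs explaining why a domain resembles a protected brand.
    An empty list means no resemblance; the brand's own label is never flagged."""
    label = registrable_label(domain)
    if label in brands:
        return []
    norm = normalize(label)
    hits = []
    for brand in brands:
        if norm == brand:
            hits.append((brand, "homoglyph"))
        elif levenshtein(norm, brand) <= max_distance:
            hits.append((brand, "edit-distance"))
        elif brand in norm:
            hits.append((brand, "contains-brand"))
    return hits


if __name__ == "__main__":
    for d in ("paypa1.com", "paypall.com", "www.delta-airlines.com", "deltafaucet.com", "paypal.com"):
        print(d, classify(d))
```

Hits are review candidates, not verdicts: as the Delta Faucet case shows, a domain that contains a brand may belong to a business with its own legitimate claim, so "contains-brand" matches need a human decision before any trademark action.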
Taxes and Other Fees
• This problem is particularly complex for interstate and international e-commerce. For example, some people claim that the state in which the seller is located deserves the entire sales tax (in some countries, it is a value-added tax, or VAT).
• Others contend that the state in which the server is located also should receive some of the tax revenues.
• In addition to the sales tax, there is a question about where—and in some cases, whether—electronic sellers should pay business license taxes, franchise fees, gross-receipts taxes, excise taxes, privilege taxes, and utility taxes.
• Legislative efforts to impose taxes on e-commerce are opposed by an organization named the Internet Freedom Fighters.
Copyright
• This point is significant because many people mistakenly believe that once they purchase a piece of software, they have the right to share it with others.
• In fact, what they have bought is the right to use the software, not the right to distribute it. That right remains with the copyright holder.
• Similarly, copying material from Web sites without permission is a violation of copyright laws.
• Protecting intellectual property rights in e-commerce is extremely difficult, however, because it involves hundreds of millions of people in some 200 countries with differing copyright laws who have access to billions of Web pages.
Quality of systems development and operation
This is related to the above and is of importance not only for commercial reasons but also because of the impact of information systems on individuals.
The impact in moral terms of a customer who receives a late delivery is relatively small. However, when the impact is in a safety-critical system, such as an air traffic control system or a hospital records system, that impact could be large.
Privacy
Data protection acts outline the framework within which organizations should operate with respect to data on persons.
Over and above this, the organization may wish to make explicit the way that data on individuals is going to be used.
A good example involves the transmission of customer data to third parties for marketing purposes.
Many organizations are completely transparent on this and give each customer the right to state whether they allow their personal details to be transmitted for marketing purposes.
Staff development and retraining
The impact of information technology has reshaped the types of work involved within organizations.
Frequently those with skills for previous jobs do not have the skills appropriate for the new technology.
Many organizations have developed policies to retrain employees internally.
The drive to develop policies is not just the commercial consideration of ‘fire and hire’ as against the costs of retraining. Rather, it reflects the fact that organizations increasingly regard themselves as having a moral obligation towards their workforce.
Use of IT and time
Organizations are making policy decisions on the use of their IT facilities by employees for non-work-related activities.
The policy may cover, for example, the right of the employee to use e-mail for personal purposes, during or outside of work time.
The content of the e-mail may also be subject to the policy, or whether the e-mail is being used for personal consultancy purposes.
Computer Crime and abuse
Theft through the use of computers was an early activity. It often centered on the movement of money or on false accounting. Now it has extended to data theft and software theft through copying.
Hackers are individuals who attempt to electronically enter a computer system, usually remotely via the internet, when they have no authorization to do so.
Pornography is now commonly distributed across the Internet.
Computer Crime and abuse (Continued)
Spamming is the automated sending of large quantities of unsolicited e-mails. This may be for marketing purposes (largely regarded as a nuisance by the recipients) or to jam or disrupt computer facilities, as these become increasingly devoted to the transmission and delivery of e-mails, thus removing them from their legitimate processing purposes.
Sniffing is electronic eavesdropping on electronic data transmissions. This may be of e-mails or of data which might be used for financial gain, e.g. credit card details. Encryption of this data is increasingly used to ensure its security.
Computer Crime and abuse (Continued)
Scams attempt to prey upon the innocence of the user to respond to a request or an offer. Examples include the religious website that offered ‘a place with God for just $15’ or the site that promised visitors they could ‘get rich quick’ but needed to provide their credit card details first.
Identity theft is the illegal use of the details of another person to obtain goods, services or a transfer of funds. The increase and improvement in telecommunications technology and business have been mirrored by a growth in crime using the same technologies. By obtaining details such as a name, address, passwords, bank account or credit card details, such criminals adopt the identity of another person to gain access.
Examples of identity theft
Phishing, where potential victims receive highly credible but fake requests, often by e-mail, from organizations that request confirmation of account details or passwords. The requests are often framed in a similar style and content to the actual organization's in an attempt to deceive the recipient of the e-mail into believing that the request is real.
Skimming, where the details contained on the magnetic strip or the tag of a card are illegally copied. This is often achieved by luring the user into allowing their card to be read through a device masquerading as a real card reader.
