
UNIT 4

E-Commerce Security and Payment Systems

4.1 E-commerce security environment


• For most law-abiding citizens, the Internet holds the promise of a huge
and convenient global marketplace, providing access to people, goods,
services, and businesses worldwide, all at a bargain price.
• For criminals, the Internet has created entirely new—and lucrative—ways
to steal from the billion Internet consumers worldwide. From products
and services, to cash, to information, it’s all there for the taking on the
Internet.
• It’s also less risky to steal online.
• The Internet makes it possible to rob people remotely and almost
anonymously. The potential for anonymity on the Internet cloaks many
criminals in legitimate-looking identities, allowing them to place
fraudulent orders with online merchants, steal information by intercepting
e-mail, or simply shut down e-commerce sites by using software viruses
and swarm attacks.
• The Internet was never designed to be a global marketplace with billions
of users and lacks many basic security features found in older networks
such as the telephone system or broadcast television networks.
• By comparison, the Internet is an open, vulnerable-design network. The
actions of cybercriminals are costly for both businesses and consumers,
who are then subjected to higher prices and additional security measures.

THE SCOPE OF THE PROBLEM


• Cybercrime is becoming a more significant problem for both
organizations and consumers.
• Bot networks, DDoS attacks, Trojans, phishing, ransomware, data theft,
identity fraud, credit card fraud, and spyware are just some of the threats
that are making daily headlines. Social networks also have had security
breaches.
• But despite the increasing attention being paid to cybercrime, it is
difficult to accurately estimate the actual amount of such crime, in part
because many companies are hesitant to report it due to the fear of losing
the trust of their customers, and because even if crime is reported, it may
be difficult to quantify the actual dollar amount of the loss.
• Online credit card fraud is one of the most high-profile forms of
e-commerce crime. Although the average amount of credit card fraud loss
experienced by any one individual is typically relatively small, the overall
amount is substantial.
• The nature of credit card fraud has changed greatly from the theft of a
single credit card number and efforts to purchase goods at a few sites, to
the simultaneous theft of millions of credit card numbers and their
distributions to thousands of criminals operating as gangs of thieves.
The Underground Economy Marketplace: The Value of Stolen Information
• Criminals who steal information on the Internet do not always use this
information themselves, but instead derive value by selling the
information to others on the so-called underground or shadow economy
market.
• There are several thousand known underground economy marketplaces
around the world that sell stolen information, as well as malware, such as
exploit kits, access to botnets, and more.
• Finding these marketplaces and the servers that host them can be difficult
for the average user (and for law enforcement agencies), and prospective
participants are typically vetted by other criminals before access is
granted. This vetting process takes place through Twitter, Tor, and VPN
services, and sometimes through e-mail exchanges of information and money.
• There is a general hierarchy of cybercriminals in the marketplace, with
low-level, nontechnical criminals who frequent “carder forums,” where
stolen credit and debit card data is sold, aiming to make money, a
political statement, or both, at the bottom; resellers in the middle acting as
intermediaries; and the technical masterminds who create malicious code
at the top.
• Cybercrime against e-commerce sites is dynamic and changing all the
time, with new risks appearing often. The amount of losses to businesses
is significant and growing.
• The managers of e-commerce sites must prepare for an ever-changing
variety of criminal assaults, and keep current in the latest security
techniques.
WHAT IS GOOD E-COMMERCE SECURITY?

• E-commerce merchants and consumers face many of the same risks as
participants in traditional commerce, albeit in a new digital environment.
• Theft is theft, regardless of whether it is digital theft or traditional theft.
• Burglary, breaking and entering, embezzlement, trespass, malicious
destruction, vandalism—all crimes in a traditional commercial
environment—are also present in e-commerce.
• However, reducing risks in e-commerce is a complex process that
involves new technologies, organizational policies and procedures, and
new laws and industry standards that empower law enforcement officials
to investigate and prosecute offenders.
• The figure illustrates the multi-layered nature of e-commerce security.
• To achieve the highest degree of security possible, new technologies are
available and should be used. But these technologies by themselves do
not solve the problem.
• Organizational policies and procedures are required to ensure the
technologies are not subverted.
• Finally, industry standards and government laws are required to enforce
payment mechanisms, as well as to investigate and prosecute violators of
laws designed to protect the transfer of property in commercial
transactions.
• We can conclude then that good e-commerce security requires a set of
laws, procedures, policies, and technologies that, to the extent feasible,
protect individuals and organizations from unexpected behavior in the
e-commerce marketplace.
4.2 DIMENSIONS OF E-COMMERCE SECURITY
• There are six key dimensions to e-commerce security: integrity,
nonrepudiation, authenticity, confidentiality, privacy, and availability.
i. Integrity refers to the ability to ensure that information being
displayed on a website, or transmitted or received over the Internet, has
not been altered in any way by an unauthorized party.
For example, if an unauthorized person intercepts and changes the
contents of an online communication, such as by redirecting a bank wire
transfer into a different account, the integrity of the message has been
compromised because the communication no longer represents what the
original sender intended.
ii. Nonrepudiation refers to the ability to ensure that e-commerce
participants do not deny (i.e., repudiate) their online actions. For instance,
the availability of free e-mail accounts with alias names makes it easy for
a person to post comments or send a message and perhaps later deny
doing so. Even when a customer uses a real name and e-mail address, it is
easy for that customer to order merchandise online and then later deny
doing so. In most cases, because merchants typically do not obtain a
physical copy of a signature, the credit card issuer will side with the
customer because the merchant has no legally valid proof that the
customer ordered the merchandise.
iii. Authenticity refers to the ability to verify the identity of a person or
entity with whom you are dealing on the Internet. How does the customer
know that the website operator is who it claims to be? How can the
merchant be assured that the customer is really who she says she is?
Someone who claims to be someone he is not is “spoofing” or
misrepresenting himself.
iv. Confidentiality refers to the ability to ensure that messages and data are
available only to those who are authorized to view them.
v. Privacy refers to the ability to control the use of information a
customer provides about himself or herself to an e-commerce merchant.
E-commerce merchants have two concerns related to privacy. They must
establish internal policies that govern their own use of customer
information, and they must protect that information from illegitimate or
unauthorized use. For example, if hackers break into an e-commerce site
and gain access to credit card or other information, this
violates not only the confidentiality of the data, but also the privacy of the
individuals who supplied the information.
vi. Availability refers to the ability to ensure that an e-commerce site
continues to function as intended.
4.3 SECURITY THREATS IN THE E-COMMERCE ENVIRONMENT

• The most common and most damaging forms of security threats to
e-commerce consumers and site operators are: malicious code,
potentially unwanted programs, phishing, hacking and cybervandalism,
credit card fraud/theft, spoofing, pharming, spam (junk) websites (link
farms), identity fraud, Denial of Service (DoS) and DDoS attacks,
sniffing, insider attacks, poorly designed server and client software, social
network security issues, mobile platform security issues, and finally,
cloud security issues.
MALICIOUS CODE
• Malicious code (sometimes referred to as “malware”) includes a variety
of threats such as viruses, worms, Trojan horses, ransomware, and bots.
• Some malicious code, sometimes referred to as an exploit, is designed to
take advantage of software vulnerabilities in a computer’s operating
system, web browser, applications, or other software components.
• Exploit kits are collections of exploits bundled together and rented or
sold as a commercial product, often with slick user interfaces and
in-depth analytics functionality. Use of an exploit kit typically does not
require much technical skill, enabling novices to become cybercriminals.
• Malware is often delivered in the form of a malicious attachment to an
email or embedded as a link in the email.
• One of the latest innovations in malicious code distribution is to embed it
in the online advertising chain (known as malvertising), including in
Google, AOL, and other ad networks.
• Much of the malvertising in recent years has been in the form of
drive-by downloads that exploited the frequent zero-day vulnerabilities
that have plagued Adobe Flash, which is often used for online
advertisements.
• A drive-by download is malware that comes with a downloaded file that a
user intentionally or unintentionally requests. Drive-by is now one of the
most common methods of infecting computers.
• A virus is a computer program that has the ability to replicate or make
copies of itself, and spread to other files. In addition to the ability to
replicate, most computer viruses deliver a “payload.” The payload may be
relatively benign, such as the display of a message or image, or it may be
highly destructive—destroying files, reformatting the computer’s hard
drive, or causing programs to run improperly.
• Viruses are often combined with a worm. Instead of just spreading from
file to file, a worm is designed to spread from computer to computer. A
worm does not necessarily need to be activated by a user or program in
order for it to replicate itself.
• Ransomware (scareware) is a type of malware (often a worm) that locks
your computer or files to stop you from accessing them. Ransomware will
often display a notice that says an authority such as the FBI, Department
of Justice, or IRS has detected illegal activity on your computer and
demands that you pay a fine in order to unlock the computer and avoid
prosecution.
• A Trojan horse appears to be benign, but then does something other than
expected. The Trojan horse is not itself a virus because it does not
replicate, but is often a way for viruses or other malicious code such as
bots or rootkits (a program whose aim is to subvert control of the
computer’s operating system) to be introduced into a computer system.
• A backdoor is a feature of viruses, worms, and Trojans that allows an
attacker to remotely access a compromised computer. Downadup is an
example of a worm with a backdoor, while Virut, a virus that infects
various file types, also includes a backdoor that can be used to download
and install additional threats.
• Bots (short for robots) are a type of malicious code that can be covertly
installed on your computer when attached to the Internet. Once installed,
the bot responds to external commands sent by the attacker; your
computer becomes a “zombie” and is able to be controlled by an external
third party (the “bot-herder”). Botnets are collections of captured
computers used for malicious activities such as sending spam,
participating in a DDoS attack, stealing information from computers, and
storing network traffic for later analysis.
POTENTIALLY UNWANTED PROGRAMS (PUPS)
• In addition to malicious code, the e-commerce security environment is further
challenged by potentially unwanted programs (PUPs) such as adware, browser
parasites, spyware, and other applications that install themselves on a computer, such
as rogue security software, toolbars, and PC diagnostic tools, typically without the
user’s informed consent. Such programs are increasingly found on social network and
user-generated content sites where users are fooled into downloading them.
• Once installed, these applications are usually exceedingly difficult to remove from the
computer.
• Adware is typically used to call for pop-up ads to display when the user visits certain
sites. While annoying, adware is not typically used for criminal activities.
• A browser parasite is a program that can monitor and change the settings of a user’s
browser, for instance, changing the browser’s home page, or sending information
about the sites visited to a remote computer. Browser parasites are often a component
of adware.
• Spyware, on the other hand, can be used to obtain information such as a user’s
keystrokes, copies of e-mail and instant messages, and even take screenshots (and
thereby capture passwords or other confidential data).

PHISHING
• Phishing is any deceptive, online attempt by a third party to obtain confidential
information for financial gain. Phishing attacks typically do not involve malicious
code but instead rely on straightforward misrepresentation and fraud, so-called “social
engineering” techniques. One of the most popular phishing attacks is the e-mail scam
letter.
• Thousands of other phishing attacks use other scams, some pretending to be eBay,
PayPal, or Citibank writing to you for account verification (known as spear phishing,
or targeting a known customer of a specific bank or other type of business). Click on a
link in the e-mail and you will be taken to a website controlled by the scammer, and
prompted to enter confidential information about your accounts, such as your account
number and PIN codes.

HACKING, CYBERVANDALISM, AND HACKTIVISM


• A hacker is an individual who intends to gain unauthorized access to a computer
system. Within the hacking community, the term cracker is typically used to denote a
hacker with criminal intent, although in the public press, the terms hacker and cracker
tend to be used interchangeably. Hackers and crackers gain unauthorized access by
finding weaknesses in the security procedures of websites and computer systems,
often taking advantage of various features of the Internet that make it an open system
that is easy to use.
• In the past, hackers and crackers typically were computer aficionados excited by the
challenge of breaking into corporate and government websites. Sometimes they were
satisfied merely by breaking into the files of an e-commerce site.
• Today, hackers have malicious intentions to disrupt, deface, or destroy sites
(cybervandalism) or to steal personal or corporate information they can use for
financial gain (data breach).
• Hacktivism adds a political twist. Hacktivists typically attack governments,
organizations, and even individuals for political purposes, employing the tactics of
cybervandalism, distributed denial of service attacks, data thefts, and doxing
(gathering and exposing personal information of public figures, typically from emails,
social network posts, and other documents).
• Groups of hackers called tiger teams are sometimes used by corporate security
departments to test their own security measures. By hiring hackers to break into the
system from the outside, the company can identify weaknesses in the computer
system’s armor. These “good hackers” became known as white hats because of their
role in helping organizations locate and fix security flaws.
• In contrast, black hats are hackers who engage in the same kinds of activities but
without pay or any buy-in from the targeted organization, and with the intention of
causing harm. They break into websites and reveal the confidential or proprietary
information they find. These hackers believe strongly that information should be free,
so sharing previously secret information is part of their mission.
• Somewhere in the middle are the grey hats, hackers who believe they are pursuing
some greater good by breaking in and revealing system flaws. Grey hats discover
weaknesses in a system’s security, and then publish the weakness without disrupting
the site or attempting to profit from their finds. Their only reward is the prestige of
discovering the weakness.

DATA BREACHES
• A data breach occurs whenever organizations lose control over corporate
information to outsiders.
• Hackers were the leading cause of data breaches, responsible for almost 40% of
breaches, followed by employee error/negligence (15%), accidental e-mail/Internet
exposure (14%) and insider theft (11%).

IDENTITY FRAUD
• Identity fraud involves the unauthorized use of another person’s personal data, such as
social security, driver’s license, and/or credit card numbers, as well as user names and
passwords, for illegal financial benefit.
• Criminals can use such data to obtain loans, purchase merchandise, or obtain other
services, such as mobile phone or other utility services.
• Cybercriminals employ many of the techniques such as spyware, phishing, data
breaches, and credit card theft, for the purpose of identity fraud. Data breaches, in
particular, often lead to identity fraud.
SPOOFING, PHARMING, AND SPAM (JUNK) WEBSITES
• Spoofing involves attempting to hide a true identity by using someone else’s e-mail or IP
address. For instance, a spoofed e-mail will have a forged sender e-mail address designed
to mislead the receiver about who sent the e-mail.
• IP spoofing involves the creation of TCP/IP packets that use someone else’s source IP
address, indicating that the packets are coming from a trusted host. Most current routers
and firewalls can offer protection against IP spoofing.
• Spoofing a website sometimes involves pharming, automatically redirecting a web link
to an address different from the intended one, with the site masquerading as the intended
destination.
• Links that are designed to lead to one site can be reset to send users to a totally unrelated
site—one that benefits the hacker.
• Although spoofing and pharming do not directly damage files or network servers, they
threaten the integrity of a site.
• Spam (junk) websites (also sometimes referred to as link farms) are sites that promise to
offer some product or service, but in fact are just a collection of advertisements for other
sites, some of which contain malicious code.
• For instance, you may search for “[name of town] weather,” and then click on a link that
promises your local weather, but then discover that all the site does is display ads for
weather-related products or other websites.

SNIFFING AND MAN-IN-THE-MIDDLE ATTACKS


• A sniffer is a type of eavesdropping program that monitors information traveling over a
network. When used legitimately, sniffers can help identify potential network trouble
spots, but when used for criminal purposes, they can be damaging and very difficult
to detect.
• Sniffers enable hackers to steal proprietary information from anywhere on a network,
including passwords, e-mail messages, company files, and confidential reports.
• E-mail wiretaps are a variation on the sniffing threat. An e-mail wiretap is a method for
recording or journaling e-mail traffic generally at the mail server level from any
individual.
• A man-in-the-middle (MitM) attack also involves eavesdropping but is more active than
a sniffing attack, which typically involves passive monitoring.
• In a MitM attack, the attacker is able to intercept communications between two parties
who believe they are directly communicating with one another, when in fact the attacker
is controlling the communications. This allows the attacker to change the contents of the
communication.
DENIAL OF SERVICE (DOS) AND DISTRIBUTED DENIAL OF SERVICE (DDOS)
ATTACKS
• In a Denial of Service (DoS) attack, hackers flood a website with useless pings or page
requests (useless traffic) that overwhelm the site’s web servers.
• Increasingly, DoS attacks involve the use of bot networks and so-called “distributed
attacks” built from thousands of compromised client computers.
• DoS attacks typically cause a website to shut down, making it impossible for users to
access the site.
• A Distributed Denial of Service (DDoS) attack uses hundreds or even thousands of
computers to attack the target network from numerous launch points.
• DoS and DDoS attacks are threats to a system’s operation because they can shut it down
indefinitely.

INSIDER ATTACKS
• Some of the largest disruptions to service, destruction to sites, and diversion of customer
credit data and personal information have come from insiders—once trusted employees.
• Employees have access to privileged information, and, in the presence of sloppy internal
security procedures, they are often able to roam throughout an organization’s systems
without leaving a trace.
• In some instances, the insider might not have criminal intent, but inadvertently exposes
data that can then be exploited by others.
POORLY DESIGNED SOFTWARE
• Many security threats prey on poorly designed software, sometimes in the operating
system and sometimes in the application software, including browsers.
• The increase in complexity and size of software programs, coupled with demands for
timely delivery to markets, has contributed to an increase in software flaws or
vulnerabilities that hackers can exploit.
• For instance, SQL injection attacks take advantage of vulnerabilities in poorly coded
web application software that fails to properly validate or filter data entered by a user on a
web page to introduce malicious program code into a company’s systems and networks.
• Browser vulnerabilities in particular are a popular target, as well as browser plug-ins such
as for Adobe Reader. A zero-day vulnerability is one that has been previously unreported
and for which no patch yet exists.

SOCIAL NETWORK SECURITY ISSUES


• Social networks like Facebook, Twitter, LinkedIn, Pinterest, and Tumblr provide a rich
and rewarding environment for hackers.
• Viruses, site takeovers, identity fraud, malware-loaded apps, click hijacking, phishing,
and spam are all found on social networks.
• Social networks are open: anyone can set up a personal page, even criminals. Most
attacks are social engineering attacks that tempt visitors to click on links that sound
reasonable.
• Social apps downloaded from either the social network or a foreign site are not certified
by the social network to be clean of malware. It’s “clicker beware.”

MOBILE PLATFORM SECURITY ISSUES


• The explosion in mobile devices has broadened opportunities for hackers.
• Mobile users are filling their devices with personal and financial information, and using
them to conduct an increasing number of transactions, from retail purchases to mobile
banking, making them excellent targets for hackers.
• In general, mobile devices face all the same risks as any Internet device as well as some
new risks associated with wireless network security.
• Vishing attacks target cell phone users with verbal messages to call a certain number and,
for example, donate money to starving children in Haiti.
• Smishing attacks exploit SMS/text messages. Compromised text messages can contain
e-mail and website addresses that can lead the innocent user to a malware site.
• Madware—innocent-looking apps that contain adware that launches pop-up ads and text
messages on your mobile device—is also becoming an increasing problem.
4.4 Tools available to achieve site security
• Reviewing the security threats, it is clear that the threats to e-commerce are very real,
widespread, global, potentially devastating for individuals, businesses, and entire nations,
and likely to be increasing in intensity along with the growth in e-commerce and the
continued expansion of the Internet.
• But in fact a great deal of progress has been made by private security firms, corporate and
home users, network administrators, technology firms, and government agencies.
• There are two lines of defense: technology solutions and policy solutions.

PROTECTING INTERNET COMMUNICATIONS


• Because e-commerce transactions must flow over the public Internet, and therefore
involve thousands of routers and servers through which the transaction packets flow,
security experts believe the greatest security threats occur at the level of Internet
communications.
• This is very different from a private network where a dedicated communication line is
established between two parties.
• A number of tools are available to protect the security of Internet communications, the
most basic of which is message encryption.
i. ENCRYPTION
• Encryption is the process of transforming plain text or data into cipher text that cannot be
read by anyone other than the sender and the receiver.
• The purpose of encryption is (a) to secure stored information and (b) to secure
information transmission.
• Encryption can provide four of the six key dimensions of e-commerce security:
o Message integrity—provides assurance that the message has not been altered.
o Nonrepudiation—prevents the user from denying he or she sent the message.
o Authentication—provides verification of the identity of the person (or computer)
sending the message.
o Confidentiality—gives assurance that the message was not read by others.
• This transformation of plain text to cipher text is accomplished by using a key or cipher.
A key (or cipher) is any method for transforming plain text to cipher text.
• In a substitution cipher, every occurrence of a given letter is replaced systematically by
another letter. For instance, if we used the cipher “letter plus two”—meaning replace
every letter in a word with a new letter two places forward—then the word “Hello” in
plain text would be transformed into the following cipher text: “JGNNQ.”
• In a transposition cipher, the ordering of the letters in each word is changed in some
systematic way.
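The “letter plus two” substitution cipher and a per-word transposition, as an added example in Go that is not part of these notes; it also tries every possible shift key to show why a cipher with only 26 keys offers no real protection, which is the point of measuring strength by key length in the symmetric key discussion that follows. The sample sentence given to BreakShift is constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Shift is the text's "letter plus k" substitution cipher: every letter is
// replaced by the letter k places further along the alphabet, wrapping at Z.
// Input is upper-cased; anything that is not A-Z passes through unchanged.
func Shift(plain string, k int) string {
	k = ((k % 26) + 26) % 26 // normalise, so Shift(cipher, -k) decrypts
	var b strings.Builder
	for _, r := range strings.ToUpper(plain) {
		if r >= 'A' && r <= 'Z' {
			r = 'A' + (r-'A'+rune(k))%26
		}
		b.WriteRune(r)
	}
	return b.String()
}

// Transpose is a columnar transposition applied to each word (ASCII input
// assumed): letters are written row by row into cols columns and read out
// column by column, so the letters stay the same but their order changes.
func Transpose(plain string, cols int) string {
	words := strings.Fields(plain)
	for i, w := range words {
		var b strings.Builder
		for c := 0; c < cols; c++ {
			for j := c; j < len(w); j += cols {
				b.WriteByte(w[j])
			}
		}
		words[i] = b.String()
	}
	return strings.Join(words, " ")
}

// BreakShift recovers a shift-cipher key without knowing any secret: there
// are only 26 candidate keys, so try each one and stop when a common word
// (the crib) appears. It returns the key and plaintext, or -1 and "" on failure.
func BreakShift(cipher, crib string) (int, string) {
	for k := 0; k < 26; k++ {
		candidate := Shift(cipher, -k)
		if strings.Contains(candidate, crib) {
			return k, candidate
		}
	}
	return -1, ""
}

func main() {
	fmt.Println(Shift("Hello", 2))     // JGNNQ, the text's example
	fmt.Println(Transpose("HELLO", 2)) // HLOEL
	// Constructed sample message: a 26-key cipher falls to exhaustive search.
	c := Shift("The transfer of one hundred dollars to the merchant account is approved", 2)
	k, p := BreakShift(c, "THE")
	fmt.Printf("recovered key %d: %s\n", k, p)
}
```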
• Symmetric Key Encryption
o In order to decipher (decrypt) these messages, the receiver would have to know
the secret cipher that was used to encrypt the plain text. This is called symmetric
key cryptography or secret key cryptography. In symmetric key cryptography,
both the sender and the receiver use the same key to encrypt and decrypt the
message.
o The strength of modern security protection is measured in terms of the length of
the binary key used to encrypt the data.
o The Data Encryption Standard (DES) was developed by the National Security
Agency (NSA) and IBM in the 1950s. DES uses a 56-bit encryption key. To cope
with much faster computers, it has been improved by the Triple DES Encryption
Algorithm (TDEA)—essentially encrypting the message three times, each with a
separate key.
o Today, the most widely used symmetric key algorithm is Advanced Encryption
Standard (AES), which offers key sizes of 128, 192, and 256 bits.
• Public Key Cryptography
o In 1976, a new way of encrypting messages called public key cryptography was
invented by Whitfield Diffie and Martin Hellman. Public key cryptography (also
referred to as asymmetric cryptography) solves the problem of exchanging keys.
o In this method, two mathematically related digital keys are used: a public key and
a private key.
o The private key is kept secret by the owner, and the public key is widely
disseminated. Both keys can be used to encrypt and decrypt a message. However,
once one of the keys is used to encrypt a message, that same key cannot be used to
decrypt it; the other key of the pair is needed.
• Public Key Cryptography Using Digital Signatures and Hash Digests
o In public key cryptography, some elements of security are missing. Although we
can be quite sure the message was not understood or read by a third party
(message confidentiality), there is no guarantee the sender really is the sender; that
is, there is no authentication of the sender.
o To check the integrity of a message and ensure it has not been altered in transit, a
hash function is used first to create a digest of the message.
o The sender creates an original message.
o The sender applies a hash function, producing a 128-bit hash result.
o The sender encrypts the message and hash result using the recipient’s public key.
o The sender encrypts the result, again using his or her private key.
o The sender’s private key is a digital signature. There is only one person who can
create this digital mark.
o The result of this double encryption is sent over the Internet.
o The receiver uses the sender’s public key to authenticate the message.
o The receiver uses his or her private key to decrypt the hash result and the
original message. The receiver checks to ensure that the original message and the
hash result conform to one another.
• Digital Envelopes
o Public key cryptography is computationally slow. If one used 128- or 256-bit keys
to encode large documents, significant declines in transmission speeds and
increases in processing time would occur.
o Symmetric key cryptography is computationally faster, but the symmetric key
must be sent to the recipient over insecure transmission lines.
o One solution is to use the more efficient symmetric encryption and decryption for
large documents, but public key cryptography to encrypt and send the symmetric
key. This technique is called using a digital envelope.
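The signature-with-hash-digest steps and the digital envelope described in the two lists above, as an added example in Go (standard library only) that is not part of these notes: the sender hashes the message with SHA-256 (standing in for the text's 128-bit digest), signs the digest with RSA-PSS, encrypts the bulk data with a one-time AES-256-GCM session key, and wraps only that short key with the recipient's public key (RSA-OAEP); the receiver unwraps, decrypts, recomputes the digest and checks the signature, rejecting any altered ciphertext. Key pairs are generated inside the block and the message is a constructed sample.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is what travels over the Internet.
type Envelope struct {
	WrappedKey []byte // one-time AES-256 session key, RSA-OAEP encrypted to the recipient
	Nonce      []byte // AES-GCM nonce, fresh for every message
	Ciphertext []byte // AES-GCM output: the encrypted message plus its integrity tag
	Signature  []byte // RSA-PSS signature by the sender over SHA-256(message)
}

// Seal is the sender's side: hash the message, sign the digest with the sender's
// private key, then put the message in a digital envelope for the recipient.
func Seal(msg []byte, sender *rsa.PrivateKey, recipient *rsa.PublicKey) (*Envelope, error) {
	digest := sha256.Sum256(msg) // SHA-256 stands in for the text's 128-bit digest
	sig, err := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	rnd := make([]byte, 32+12) // 256-bit session key followed by a 96-bit GCM nonce
	if _, err := rand.Read(rnd); err != nil {
		return nil, err
	}
	sessionKey, nonce := rnd[:32], rnd[32:]
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, msg, nil) // fast symmetric encryption of the bulk data
	// Slow public-key encryption is applied only to the short session key.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct, Signature: sig}, nil
}

// Open is the receiver's side: unwrap the session key with the recipient's private
// key, decrypt, recompute the digest and check the sender's signature against it.
func Open(env *Envelope, recipient *rsa.PrivateKey, sender *rsa.PublicKey) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("not the intended recipient, cannot unwrap session key: %w", err)
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	msg, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("ciphertext altered in transit: %w", err)
	}
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPSS(sender, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
		return nil, fmt.Errorf("sender not authenticated: %w", err)
	}
	return msg, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// RoundTrip generates fresh key pairs for both parties, seals message and opens it
// again; with tamper set, one ciphertext byte is flipped "in transit" first.
func RoundTrip(message string, tamper bool) (string, error) {
	sender, err1 := rsa.GenerateKey(rand.Reader, 2048)
	recipient, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err1 != nil || err2 != nil {
		return "", fmt.Errorf("key generation failed: %v %v", err1, err2)
	}
	env, err := Seal([]byte(message), sender, &recipient.PublicKey)
	if err != nil {
		return "", err
	}
	if tamper {
		env.Ciphertext[0] ^= 0x01
	}
	msg, err := Open(env, recipient, &sender.PublicKey)
	return string(msg), err
}

func main() {
	msg, err := RoundTrip("Transfer $100 to account 4471", false) // constructed message
	_, tamperErr := RoundTrip("Transfer $100 to account 4471", true)
	fmt.Printf("received %q (err=%v); tampered copy: %v\n", msg, err, tamperErr)
}
```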
• Digital Certificates and Public Key Infrastructure (PKI)
o Digital certificates, and the supporting public key infrastructure, are an attempt to
solve the problem of digital identity of people and institutions.
o A digital certificate is a digital document issued by a trusted third-party
institution known as a certification authority (CA) that contains the name of the
subject or company, the subject’s public key, a digital certificate serial number, an
expiration date, an issuance date, the digital signature of the certification authority
(the name of the CA encrypted using the CA’s private key), and other identifying
information.
o Public key infrastructure (PKI) refers to the CAs and digital certificate
procedures that are accepted by all parties.
o To create a digital certificate, the user generates a public/private key pair and
sends a request for certification to a CA along with the user’s public key. The CA
verifies the information and issues a certificate containing the user’s public key
and other related information.
o Finally, the CA creates a message digest from the certificate itself (just like a hash
digest) and signs it with the CA’s private key. This signed digest is called the
signed certificate.
o We end up with a totally unique ciphertext document: there can be only one
signed certificate like this in the world.
o Pretty Good Privacy (PGP) was invented in 1991 by Phil Zimmermann, and has
become one of the most widely used e-mail public key encryption software tools
in the world. Using PGP software installed on your computer, you can compress
and encrypt your messages as well as authenticate both yourself and the recipient.
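The certificate issuance and signed-digest steps described under Digital Certificates and PKI above, as an added Go example that is not from these notes: a toy CA self-signs its root certificate, issues a certificate over a subject's public key (the subject's private key never leaves the subject), and a relying party verifies that the certificate chains to a trusted root, is within its validity period, and names the expected host. That chain check is the same one an SSL/TLS client performs on a server's certificate. The CA names, the host name shop.example and the key pairs are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA is a toy certification authority: its self-signed root certificate and
// the private key it uses to sign the certificates it issues.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewCA generates the CA's key pair and self-signs its root certificate.
func NewCA(name string) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	// Parent == template: the root signs itself with its own private key.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, Key: key}, nil
}

// Issue is the certification step: the subject submits only its public key;
// the CA fills in subject name, serial number and validity dates, hashes the
// certificate body and signs that digest with the CA's private key. The
// returned DER bytes are the signed certificate. (A real CA verifies the
// subject's identity before this step; that check is out of scope here.)
func (ca *CA) Issue(subject string, pub *ecdsa.PublicKey, serial int64) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: subject},
		DNSNames:     []string{subject},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, pub, ca.Key)
}

// VerifyChain is what a relying party (for example a browser talking to a web
// server) does: parse the presented certificate and check that its signature
// chains to a trusted root, that it is currently valid, and that it was
// issued for the expected host name.
func VerifyChain(leafDER []byte, trustedRoot *x509.Certificate, host string) error {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	ca, _ := NewCA("Example Root CA") // constructed CA
	subjectKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leaf, _ := ca.Issue("shop.example", &subjectKey.PublicKey, 2)
	fmt.Println("trusted root, right host:", VerifyChain(leaf, ca.Cert, "shop.example"))
	fmt.Println("trusted root, wrong host:", VerifyChain(leaf, ca.Cert, "evil.example"))
	rogue, _ := NewCA("Rogue CA")
	fmt.Println("untrusted root:", VerifyChain(leaf, rogue.Cert, "shop.example"))
}
```

The failure cases are the instructive ones: a certificate presented for a host it was not issued for, a certificate from a CA the relying party does not trust, and a certificate whose bytes were altered after signing are all rejected, while only the CA's private key could have produced a certificate that passes.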
ii. SECURING CHANNELS OF COMMUNICATION
The concepts of public key cryptography are used routinely for securing channels of
communication.
• Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
o The most common form of securing channels is through the Secure Sockets Layer
(SSL) and Transport Layer Security (TLS) protocols.
o SSL/TLS establishes a secure negotiated session. A secure negotiated session is
a client-server session in which the URL of the requested document, along with
its contents, the contents of forms, and the cookies exchanged, are encrypted.
o A session key is a unique symmetric encryption key chosen just for this single
secure session. Once used, it is gone forever.
o SSL/TLS provides data encryption, server authentication, optional client
authentication, and message integrity for TCP/IP connections. SSL/TLS addresses
the issue of authenticity by allowing users to verify another user’s identity or the
identity of a server. It also protects the integrity of the messages exchanged.
• Virtual Private Networks (VPNs)
o A virtual private network (VPN) allows remote users to securely access a
corporation’s local area network via the Internet, using a variety of VPN
protocols.
o VPNs use both authentication and encryption to secure information from
unauthorized persons (providing confidentiality and integrity).
o Authentication prevents spoofing and misrepresentation of identities.
o The VPN protocols will establish the link from the client to the corporate network
as if the user had dialed into the corporate network directly.
o The process of connecting one protocol through another (IP) is called tunneling,
because the VPN creates a private connection by adding an invisible wrapper
around a message to hide its content.
o The primary use of VPNs is to establish secure communications among business
partners—larger suppliers or customers, and employees working remotely.
• Wireless (Wi-Fi) Networks
o Accessing the Internet via a wireless (Wi-Fi) network has its own particular
security issues.
o Early Wi-Fi networks used a security standard called Wired Equivalent Privacy
(WEP) to encrypt information. WEP was very weak, and easy for hackers to
crack.
o A new standard, Wi-Fi Protected Access (WPA), was developed that provided a
higher standard of protection, but this too soon became vulnerable to intrusion.
o Today, the current standard is WPA2, which uses the AES algorithm for
encryption and CCMP, a more advanced authentication code protocol.
iii. PROTECTING NETWORKS
Once you have protected communications as well as possible, the next set of tools to consider
are those that can protect your networks, as well as the servers and clients on those networks.
• Firewalls
o Firewalls and proxy servers are intended to build a wall around your network and
the attached servers and clients, just like physical-world firewalls protect you from
fires for a limited period of time.
o A firewall refers to either hardware or software that filters communication packets
and prevents some packets from entering or exiting the network based on a
security policy.
o The firewall controls traffic to and from servers and clients, forbidding
communications from untrustworthy sources, and allowing other communications
from trusted sources to proceed.
o Every message that is to be sent or received from the network is processed by the
firewall, which determines if the message meets security guidelines established by
the business. If it does, it is permitted to be distributed, and if it doesn’t, the
message is blocked.
o Firewalls can filter traffic based on packet attributes such as source IP address,
destination port or IP address, type of service (such as WWW or HTTP), the
domain name of the source, and many other dimensions.
o There are two major methods firewalls use to validate traffic: packet filters and
application gateways.
o Packet filters examine data packets to determine whether they are destined for a
prohibited port or originate from a prohibited IP address.
o Application gateways are a type of firewall that filters communications based on
the application being requested, rather than the source or destination of the
message.
o Next-generation firewalls use an application-centric approach to firewall control.
They are able to identify applications regardless of the port, protocol, or security
evasion tools used; identify users regardless of device or IP address; decrypt
outbound SSL; and protect in real-time against threats embedded in applications.
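A packet filter of the kind described in the Firewalls bullets above, as an added Go example that is not from these notes. Rules are evaluated top to bottom on source address, destination address, destination port and protocol; the first match decides, and traffic no rule permits is dropped (default deny). The policy, the addresses and the sample packets are constructed for illustration.

```go
package main

import (
	"fmt"
	"net"
)

// Packet holds the attributes the filter inspects (constructed for this example).
type Packet struct {
	SrcIP, DstIP string
	DstPort      int
	Proto        string // "tcp" or "udp"
}

// Rule is one statement of the security policy. Empty or zero fields are
// wildcards: "" matches any address or protocol, port 0 matches any port.
type Rule struct {
	Action  string // "allow" or "deny"
	SrcCIDR string
	DstCIDR string
	DstPort int
	Proto   string
	Why     string // human-readable reason, returned with the decision for logging
}

// Filter evaluates rules top to bottom; the first matching rule decides.
// Anything no rule mentions is denied (default deny).
type Filter struct {
	Rules []Rule
}

func inCIDR(cidr, ip string) bool {
	if cidr == "" {
		return true
	}
	_, network, err := net.ParseCIDR(cidr)
	if err != nil {
		return false // a malformed rule never matches, so it cannot accidentally allow
	}
	addr := net.ParseIP(ip)
	return addr != nil && network.Contains(addr)
}

func (r Rule) matches(p Packet) bool {
	return inCIDR(r.SrcCIDR, p.SrcIP) && inCIDR(r.DstCIDR, p.DstIP) &&
		(r.DstPort == 0 || r.DstPort == p.DstPort) &&
		(r.Proto == "" || r.Proto == p.Proto)
}

// Decide returns the action for a packet and the reason behind it.
func (f *Filter) Decide(p Packet) (action, why string) {
	for _, r := range f.Rules {
		if r.matches(p) {
			return r.Action, r.Why
		}
	}
	return "deny", "default policy: no rule permits this traffic"
}

// ExamplePolicy is a constructed policy for a small e-commerce DMZ whose web
// server is 203.0.113.10. Order matters: the block-list rule comes first so
// it wins over the public web-server allow rules below it.
var ExamplePolicy = &Filter{Rules: []Rule{
	{Action: "deny", SrcCIDR: "198.51.100.0/24", Why: "source on block list"},
	{Action: "allow", DstCIDR: "203.0.113.10/32", DstPort: 443, Proto: "tcp", Why: "public HTTPS to web server"},
	{Action: "allow", DstCIDR: "203.0.113.10/32", DstPort: 80, Proto: "tcp", Why: "public HTTP to web server"},
	{Action: "allow", SrcCIDR: "10.0.5.0/24", DstCIDR: "203.0.113.0/24", DstPort: 22, Proto: "tcp", Why: "admin SSH from management net"},
}}

func main() {
	packets := []Packet{ // constructed sample traffic
		{"192.0.2.77", "203.0.113.10", 443, "tcp"},
		{"198.51.100.9", "203.0.113.10", 443, "tcp"},
		{"192.0.2.77", "203.0.113.10", 22, "tcp"},
		{"10.0.5.4", "203.0.113.10", 22, "tcp"},
		{"192.0.2.77", "203.0.113.10", 443, "udp"},
	}
	for _, p := range packets {
		action, why := ExamplePolicy.Decide(p)
		fmt.Printf("%-14s -> %s:%d/%s  %-5s (%s)\n", p.SrcIP, p.DstIP, p.DstPort, p.Proto, action, why)
	}
}
```

Two points a practitioner checks in any such policy: the default is deny rather than allow, so a forgotten service is closed rather than exposed, and deny rules for known-bad sources sit above the broad allow rules, because with first-match semantics the order is the policy.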
• Proxy Servers
o Proxy servers (proxies) are software servers that handle all communications
originating from or being sent to the Internet by local clients, acting as a
spokesperson or bodyguard for the organization.
o Proxies act primarily to limit access of internal clients to external Internet servers,
although some proxy servers act as firewalls as well.
o Proxy servers are sometimes called dual-home systems because they have two
network interfaces.
o To internal computers, a proxy server is known as the gateway, while to external
computers it is known as a mail server or numeric address.
o When a user on an internal network requests a web page, the request is routed first
to the proxy server. The proxy server validates the user and the nature of the
request, and then sends the request onto the Internet. A web page sent by an
external Internet server first passes to the proxy server. If acceptable, the web
page passes onto the internal network web server and then to the client desktop.
o Proxy servers also improve web performance by storing frequently requested web
pages locally, reducing upload times, and hiding the internal network’s address,
thus making it more difficult for hackers to monitor.
• Intrusion Detection and Prevention Systems
o An intrusion detection system (IDS) examines network traffic, watching to see
if it matches certain patterns or preconfigured rules indicative of an attack.
o If it detects suspicious activity, the IDS will set off an alarm alerting
administrators and log the event in a database.
o An IDS is useful for detecting malicious activity that a firewall might miss.
o An intrusion prevention system (IPS) has all the functionality of an IDS, with
the additional ability to take steps to prevent and block suspicious activities.
For instance, an IPS can terminate a session and reset a connection, block
traffic from a suspicious IP address, or reconfigure firewall or router security
controls.
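The IDS/IPS distinction in the bullets above, as an added Go example that is not part of these notes. A small signature set is run over web server access-log lines; in IDS mode the function only returns alerts for an administrator to review, while in IPS mode it additionally returns the set of source addresses to block, which is the one extra step that separates prevention from detection. The signatures, the log lines and the addresses in them are all constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Signature is one preconfigured rule: a name and a pattern indicative of an attack attempt.
type Signature struct {
	Name    string
	Pattern *regexp.Regexp
}

// Alert is what the IDS logs and raises to administrators.
type Alert struct {
	Signature string
	SrcIP     string
	Line      string
}

// Signatures is a small constructed rule set; production systems carry thousands.
var Signatures = []Signature{
	{"path-traversal", regexp.MustCompile(`(\.\./){2,}`)},
	{"sql-injection-probe", regexp.MustCompile(`(?i)'\s*(or|and)\s+1\s*=\s*1`)},
	{"known-scanner-user-agent", regexp.MustCompile(`(?i)"(sqlmap|nikto)[^"]*"\s*$`)},
}

// SampleLog is constructed access-log input in Apache combined format.
var SampleLog = []string{
	`203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"`,
	`198.51.100.23 - - [10/Oct/2023:13:55:40 +0000] "GET /../../../../etc/passwd HTTP/1.1" 404 0 "-" "curl/7.88"`,
	`198.51.100.23 - - [10/Oct/2023:13:55:41 +0000] "GET /login?user=admin'%20OR%201=1 HTTP/1.1" 200 221 "-" "curl/7.88"`,
	`192.0.2.55 - - [10/Oct/2023:13:56:02 +0000] "GET /products HTTP/1.1" 200 1024 "-" "sqlmap/1.7"`,
}

// Inspect matches every signature against every log line. With prevent=false
// it behaves as an IDS (alert and log only); with prevent=true it also returns
// the source addresses an IPS would block.
func Inspect(lines []string, prevent bool) ([]Alert, map[string]bool) {
	var alerts []Alert
	blocked := map[string]bool{}
	for _, line := range lines {
		fields := strings.Fields(line)
		if len(fields) == 0 {
			continue
		}
		src := fields[0] // the client address is the first field of the log line
		// Decode %XX escapes first so an encoded request cannot slip past a literal pattern.
		normalized := line
		if decoded, err := url.PathUnescape(line); err == nil {
			normalized = decoded
		}
		for _, sig := range Signatures {
			if sig.Pattern.MatchString(normalized) {
				alerts = append(alerts, Alert{sig.Name, src, line})
				if prevent {
					blocked[src] = true
				}
			}
		}
	}
	return alerts, blocked
}

func main() {
	alerts, blocked := Inspect(SampleLog, true)
	for _, a := range alerts {
		fmt.Printf("ALERT %-26s src=%s\n", a.Signature, a.SrcIP)
	}
	for ip := range blocked {
		fmt.Println("IPS would block:", ip)
	}
}
```

The normalisation step is the part worth copying: signature matching on the raw line would miss the URL-encoded request, which is why a firewall's simple port and address checks and an IDS's content inspection complement each other rather than overlap.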
iv. PROTECTING SERVERS AND CLIENTS
• Operating system features and anti-virus software can help further protect servers and
clients from certain types of attacks.
• Operating System Security Enhancements
o The most obvious way to protect servers and clients is to take advantage of
automatic computer security upgrades.
o The Microsoft, Apple, and Linux/Unix operating systems are continuously
updated to patch vulnerabilities discovered by hackers.
o These patches are autonomic; that is, when using these operating systems on
the Internet, you are prompted and informed that operating system
enhancements are available.
o Users can easily download these security patches for free. The most common
known worms and viruses can be prevented by simply keeping the server and
client operating systems and applications up to date.
• Anti-Virus Software
o The easiest and least-expensive way to prevent threats to system integrity is to
install anti-virus software.
o Programs by Malwarebytes, McAfee, Symantec (Norton AntiVirus), and
many others provide inexpensive tools to identify and eradicate the most
common types of malicious code as they enter a computer, as well as destroy
those already lurking on a hard drive.
o Anti-virus programs can be set up so that e-mail attachments are inspected
before you click on them, and the attachments are eliminated if they contain a
known virus or worm.
o Anti-virus suite packages and stand-alone programs are available to eliminate
intruders such as bot programs, adware, and other security risks. Such
programs work much like anti-virus software in that they look for recognized
hacker tools or signature actions of known intruders.

4.5 Developing an e-commerce security plan

The five steps in developing an e-commerce security plan are:

1. Perform a risk assessment:
First, an inventory of the information and knowledge assets of a company is taken, and a
dollar value is placed on each asset. Then, this amount is multiplied by the estimated
probability that the information could be compromised. This computation is used to produce
a ranked list of the information assets of the firm, prioritized by their value.

2. Develop a security policy:
A set of statements should be developed that prioritizes the information risks, identifies
acceptable risk targets, and sets out the goals for achieving these targets. Included in the
security policy should be a list of the personnel who are or will be entrusted with the
information assets. It should also include a description of the security policies that presently
exist for these assets and suggestions for improvements. Finally, it should outline the level of
risk the firm is willing to accept for each asset, and the estimated cost to achieve this level of
acceptable risk.

3. Develop an implementation plan:
The actions that must be taken to achieve the security plan goals must be set out. The tools,
technologies, policies, and procedures needed to achieve acceptable levels of risk must be
developed.

4. Create a security organization:
A security organization must be established that will train users and keep management
apprised of the security threats and breakdowns. The access controls that will determine who
can gain legitimate access to the firm’s networks and the authentication procedures that will
be used to protect data from intruders must be determined. Authorization policies must also
be established for the differing levels of access to information assets for different users.

5. Perform a security audit:
A security audit must be conducted to identify how outsiders are using the site and how
insiders are accessing the site’s assets. A monthly report should be generated that will
establish the routine and nonroutine accesses to the system and identify any unusual patterns.

4.6 E-COMMERCE PAYMENT SYSTEMS

For the most part, existing payment mechanisms such as cash, credit cards, debit cards,
checking accounts, and stored value accounts have been able to be adapted to the online
environment, albeit with some significant limitations that have led to efforts to develop
alternatives. In addition, new types of purchasing relationships, such as between individuals
online, and new technologies, such as the development of the mobile platform, have also
created both a need and an opportunity for the development of new payment systems. In this
section, we provide an overview of the major e-commerce payment systems.

ONLINE CREDIT CARD TRANSACTIONS

Online credit card transactions are processed in much the same way that in-store purchases
are, with the major differences being that online merchants never see the actual card being
used, no card impression is taken, and no signature is available. Online credit card
transactions most closely resemble Mail Order-Telephone Order (MOTO) transactions. These
types of purchases are also called Cardholder Not Present (CNP) transactions and are the
major reason that charges can be disputed later by consumers. Because the merchant never
sees the credit card, nor receives a hand-signed agreement to pay from the customer, when
disputes arise, the merchant faces the risk that the transaction may be disallowed and
reversed, even though he has already shipped the goods or the user has downloaded a digital
product.

Credit Card E-commerce Enablers

Companies that have a merchant account still need to buy or build a means of handling the
online transaction; securing the merchant account is only step one in a two-part process.
Today, Internet payment service providers can provide both a merchant account and the
software tools needed to process credit card purchases online. The company helps a merchant
secure an account with one of its merchant account provider partners and then provides
payment processing software for installation on the merchant’s server. The software collects
the transaction information from the merchant’s site and then routes it via a “payment
gateway” to the appropriate bank, ensuring that customers are authorized to make their
purchases. The funds for the transaction are then transferred to the merchant’s merchant
account. CyberSource is another well-known Internet payment service provider.

PCI-DSS Compliance

The PCI-DSS (Payment Card Industry-Data Security Standard) is a data security standard
instituted by the five major credit card companies (Visa, MasterCard, American Express,
Discover, and JCB). PCI-DSS is not a law or governmental regulation, but an industry-
mandated standard. Every online merchant must comply with the appropriate level of
PCI-DSS in order to accept credit card payments. Those that fail to comply and are involved
in a credit card breach may ultimately be subjected to fines and other expenses. PCI-DSS has
various levels, related to the number of credit and/or debit cards processed by the merchant
each year. Level 1, the strictest level, applies to very large merchants that process more than
6 million transactions a year, while Level 2 applies to those who process between 1 million
and 6 million. Level 3 applies to organizations that process between 20,000 and 1 million
transactions, while Level 4 applies to smaller merchants that process fewer than 20,000
transactions. PCI-DSS has six major control objectives. It requires the merchant to (a) build
and maintain a secure network, (b) protect cardholder data, (c) maintain a vulnerability
management program, (d) implement strong access control measures, (e) regularly test and
monitor networks, and (f) maintain an information security policy.

Limitations of Online Credit Card Payment Systems

There are a number of limitations to the existing credit card payment system. The most
important limitations involve security, merchant risk, administrative and transaction costs,
and social equity.
• The existing system offers poor security. Neither the merchant nor the consumer can
be fully authenticated. The merchant could be a criminal organization designed to
collect credit card numbers, and the consumer could be a thief using stolen or
fraudulent cards.
• The risk facing merchants is high: consumers can repudiate charges even though the
goods have been shipped or the product downloaded. The banking industry attempted
to develop a secure electronic transaction (SET) protocol, but this effort failed
because it was too complex for consumers and merchants alike. As banks switch to
EMV cards with computer chips, offline credit card fraud becomes more difficult,
encouraging criminals to focus on online fraud.
• The administrative costs of setting up an online credit card system and becoming
authorized to accept credit cards are high.
• Transaction costs for merchants also are significant—roughly 3% of the purchase plus
a transaction fee of 20–35 cents per transaction, plus other setup fees.
• Credit cards are not very democratic, even though they seem ubiquitous. Millions of
young adults do not have credit cards, along with almost 100 million other adult
Americans who cannot afford cards or who are considered poor risks because of low
incomes.

4.7 ALTERNATIVE ONLINE PAYMENT SYSTEMS

The limitations of the online credit card system have opened the way for the development
of a number of alternative online payment systems.
• PayPal enables individuals and businesses with e-mail accounts to make and receive
payments up to a specified limit. PayPal is an example of an online stored value
payment system, which permits consumers to make online payments to merchants
and other individuals using their bank account or credit/debit cards. PayPal builds on
the existing financial infrastructure of the countries in which it operates. You establish
a PayPal account by specifying a credit, debit, or checking account you wish to have
charged or paid when conducting online transactions. When you make a payment
using PayPal, you e-mail the payment to the merchant’s PayPal account. PayPal
transfers the amount from your credit or checking account to the merchant’s bank
account. The beauty of PayPal is that no personal credit information has to be shared
among the users, and the service can be used by individuals to pay one another even
in small amounts. However, one issue with PayPal is its relatively high cost.
• Pay with Amazon is aimed at consumers who have concerns about entrusting their
credit card information to unfamiliar online retailers. Consumers can purchase goods
and services at non-Amazon websites using the payment methods stored in their
Amazon accounts, without having to reenter their payment information at the
merchant’s site. Amazon provides the payment processing. Visa Checkout and
MasterCard’s MasterPass substitute a user name and password for an actual payment
card number during online checkout.
• Bill Me Later (owned by PayPal as well) also appeals to consumers who do not wish
to enter their credit card information online. Bill Me Later describes itself as an open-
ended credit account. Users select the Bill Me Later option at checkout and are asked
to provide their birth date and the last four digits of their social security number. They
are then billed for the purchase by Bill Me Later within 10 to 14 days.
• WU Pay (formerly eBillme, and now operated by Western Union) offers a similar
service. WU Pay customers who select the WU Pay option at firms such as
Sears, Kmart, and other retailers do not have to provide any credit card information.
Instead they are e-mailed a bill, which they can pay via their bank’s online bill
payment service, or in person at any Western Union location.
• Dwolla is a similar cash-based payment network for both individuals and merchants.
It bypasses the credit card network and instead connects directly into a bank account.
In 2015, Dwolla eliminated its transaction and processing fees, changing its focus
from consumer-to-consumer payments to larger businesses.
• Stripe is another company that is attempting to provide an alternative to the traditional
online credit card system. Stripe focuses on the merchant side of the process. It
provides simple software code that enables companies to bypass much of the
administrative costs involved in setting up an online credit card system, and instead
lets companies begin accepting credit card payments almost immediately without the
need to obtain a merchant account or use a gateway provider.
