E-Commerce (English edition) courseware: ec13-ch05-accessible

E-Commerce 2017: Business. Technology. Society. Thirteenth Edition
Chapter 5: E-Commerce Security and Payment Systems

Learning Objectives
- 5.1 Understand the scope of e-commerce crime and security problems, the key dimensions of e-commerce security, and the tension between security and other values.
- 5.2 Identify the key security threats in the e-commerce environment.
- 5.3 Describe how technology helps secure Internet communications channels and protect networks, servers, and clients.
- 5.4 Appreciate the importance of policies, procedures, and laws in creating security.
- 5.5 Identify the major e-commerce payment systems in use today.
- 5.6 Describe the features and functionality of electronic billing presentment and payment systems.

Cyberwar: MAD 2.0 (Class Discussion)
- What is the difference between hacking and cyberwar?
- Why has cyberwar become potentially more devastating in the past decade?
- Is it possible to find a political solution to MAD 2.0?
- What damage can be done by cyberweapons like Flame and Snake?

The E-Commerce Security Environment
- Overall size and losses of cybercrime are unclear
  - Reporting issues
  - 2016 survey: the average total cost of a data breach to U.S. corporations was $4 million
- Low-cost web attack kits
- Online credit card fraud
- Underground economy marketplace

What Is Good E-Commerce Security?
- To achieve the highest degree of security:
  - New technologies
  - Organizational policies and procedures
  - Industry standards and government laws
- Other factors:
  - Time value of money
  - Cost of security vs. potential loss
  - Security often breaks at the weakest link

Figure 5.1 The E-Commerce Security Environment

Table 5.3 Customer and Merchant Perspectives on the Different Dimensions of E-Commerce Security
- Integrity
  - Customer's perspective: Has information I transmitted or received been altered?
  - Merchant's perspective: Has data on the site been altered without authorization? Is data being received from customers valid?
- Nonrepudiation
  - Customer's perspective: Can a party to an action with me later deny taking the action?
  - Merchant's perspective: Can a customer deny ordering products?
- Authenticity
  - Customer's perspective: Who am I dealing with? How can I be assured that the person or entity is who they claim to be?
  - Merchant's perspective: What is the real identity of the customer?
- Confidentiality
  - Customer's perspective: Can someone other than the intended recipient read my messages?
  - Merchant's perspective: Are messages or confidential data accessible to anyone other than those authorized to view them?
- Privacy
  - Customer's perspective: Can I control the use of information about myself transmitted to an e-commerce merchant?
  - Merchant's perspective: What use, if any, can be made of personal data collected as part of an e-commerce transaction? Is the personal information of customers being used in an unauthorized manner?
- Availability
  - Customer's perspective: Can I get access to the site?
  - Merchant's perspective: Is the site operational?

The Tension Between Security and Other Values
- Ease of use: the more security measures are added, the more difficult a site is to use, and the slower it becomes
- Public safety and criminal uses of the Internet: use of technology by criminals to plan crimes or threaten nation-states

Security Threats in the E-Commerce Environment
- Three key points of vulnerability in the e-commerce environment:
  - Client
  - Server
  - Communications pipeline (Internet communications channels)

Figure 5.2 A Typical E-Commerce Transaction

Figure 5.3 Vulnerable Points in an E-Commerce Transaction

Malicious Code
- Exploits and exploit kits
- Malvertising
- Drive-by downloads
- Viruses
- Worms
- Ransomware (scareware)
- Trojan horses
- Backdoors
- Bots, botnets

Potentially Unwanted Programs
- Browser parasites: monitor and change the user's browser
- Adware: used to call pop-up ads
- Spyware: tracks the user's keystrokes, e-mails, IMs, etc.

Phishing
- Any deceptive, online attempt by a third party to obtain confidential information for financial gain
- Tactics:
  - Social engineering
  - E-mail scams
  - Spear phishing
- Used for identity fraud and theft

Hacking, Cybervandalism, and Hacktivism
- Hacking
  - Hackers vs. crackers
  - White hats, black hats, grey hats
  - Tiger teams
  - Goals: cybervandalism, data breaches
- Cybervandalism: disrupting, defacing, or destroying websites
- Hacktivism

Data Breaches
- When organizations lose control over corporate information to outsiders
- Nine mega-breaches in 2015
- Leading causes:
  - Hacking
  - Employee error/negligence
  - Accidental e-mail/Internet exposure
  - Insider theft

Insight on Society: The Ashley Madison Data Breach (Class Discussion)
- What organizational and technological failures led to the data breach at Ashley Madison?
- What technical solutions are available to combat data breaches?
- Have you or anyone you know experienced a data breach?

Credit Card Fraud/Theft
- Stolen credit card incidences are about 0.8% of all online card transactions
- Hacking and looting of corporate servers is the primary cause
- Central security issue: establishing customer identity
  - E-signatures
  - Multi-factor authentication
  - Fingerprint identification

Identity Fraud/Theft
- Unauthorized use of another person's personal data for illegal financial benefit
  - Social security number
  - Driver's license
  - Credit card numbers
  - Usernames/passwords
- 2015: 13 million U.S. consumers suffered identity fraud

Spoofing, Pharming, and Spam (Junk) Websites
- Spoofing: attempting to hide one's true identity by using someone else's e-mail or IP address
- Pharming: automatically redirecting a web link to a different address, to benefit the hacker
- Spam (junk) websites: offer a collection of advertisements for other sites, which may contain malicious code

Sniffing and Man-in-the-Middle Attacks
- Sniffer: an eavesdropping program that monitors networks
  - Can identify network trouble spots
  - Can be used by criminals to steal proprietary information
- E-mail wiretaps: recording e-mails at the mail server level
- Man-in-the-middle attack: the attacker intercepts and changes communication between two parties who believe they are communicating directly

Denial of Service (DoS) and Distributed Denial of Service (DDoS) Attacks
- Denial of service (DoS) attack
  - Flooding a website with pings and page requests
  - Overwhelms and can shut down the site's web servers
  - Often accompanied by blackmail attempts
  - Botnets
- Distributed denial of service (DDoS) attack
  - Uses hundreds or thousands of computers to attack the target network
  - Can use devices from the Internet of Things and mobile devices
  - DDoS smokescreening

Insider Attacks
- The largest threat to business institutions comes from insider embezzlement
- Employee access to privileged information
- Poor security procedures
- Insiders are more likely to be the source of cyberattacks than outsiders

Poorly Designed Software
- The increase in complexity of and demand for software has led to an increase in flaws and vulnerabilities
- SQL injection attacks
- Zero-day vulnerability
- Heartbleed bug

Social Network Security Issues
- Social networks are an environment for: viruses, site takeovers, identity fraud, malware-loaded apps, click hijacking, phishing, spam
- Manual sharing scams: sharing of files that link to malicious sites
- Fake offerings, fake Like buttons, and fake apps

Mobile Platform Security Issues
- Little public awareness of mobile device vulnerabilities
- 2015 survey: 3 million apps of 10 million are malware
- Vishing
- Smishing
- SMS spoofing
- Madware

Insight on Technology: Think Your Smartphone Is Secure? (Class Discussion)
- Which mobile operating system do you think is more secure, Apple's iOS or Google's Android?
- What steps, if any, do you take to make your smartphone more secure?
- What qualities of apps make them a vulnerable security point in smartphone use?

Cloud Security Issues
- DDoS attacks
- Infrastructure scanning
- Lower-tech phishing attacks yield passwords and access
- Use of cloud storage to connect linked accounts
- Lack of encryption and strong security procedures

Internet of Things Security Issues
- Challenging environment to protect
- Vast quantity of interconnected links
- Near-identical devices with long service lives
- Many devices have no upgrade features
- Little visibility into workings, data, or security

Technology Solutions
- Protecting Internet communications: encryption
- Securing channels of communication: SSL, TLS, VPNs, Wi-Fi
- Protecting networks: firewalls, proxy servers, IDS, IPS
- Protecting servers and clients: OS security, anti-virus software

Figure 5.5 Tools Available to Achieve Site Security

Encryption
- Transforms data into cipher text readable only by the sender and receiver
- Secures stored information and information transmission
- Provides 4 of the 6 key dimensions of e-commerce security:
  - Message integrity
  - Nonrepudiation
  - Authentication
  - Confidentiality

Symmetric Key Cryptography
- Sender and receiver use the same digital key to encrypt and decrypt the message
- Requires a different set of keys for each transaction
- Strength of encryption: length of the binary key
- Data Encryption Standard (DES)
- Advanced Encryption Standard (AES)
- Other standards use keys with up to 2,048 bits

Public Key Cryptography
- Uses two mathematically related digital keys
  - Public key (widely disseminated)
  - Private key (kept secret by the owner)
- Both keys are used to encrypt and decrypt the message
- Once a key has been used to encrypt a message, the same key cannot be used to decrypt it
- The sender uses the recipient's public key to encrypt the message; the recipient uses the private key to decrypt it

Figure 5.6 Public Key Cryptography: A Simple Case

Public Key Cryptography Using Digital Signatures and Hash Digests
- The sender applies a mathematical algorithm (hash function) to a message and then encrypts the message and hash result with the recipient's public key
- The sender then encrypts the message and hash result with the sender's private key, creating a digital signature, for authenticity and nonrepudiation
- The recipient first uses the sender's public key to authenticate the message and then the recipient's private key to decrypt the hash result and message

Figure 5.7 Public Key Cryptography with Digital Signatures

Digital Envelopes
- Address the weaknesses of:
  - Public key cryptography: computationally slow, decreased transmission speed, increased processing time
  - Symmetric key cryptography: insecure transmission lines
- Uses symmetric key cryptography to encrypt the document
- Uses public key cryptography to encrypt and send the symmetric key

Figure 5.8 Creating a Digital Envelope
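The two preceding slides (hash-and-sign, then the digital envelope) worked through in Go, as an added example that is not part of the original slides: the document is encrypted under a fresh AES-256-GCM key, that key is wrapped with the recipient's RSA public key (OAEP), and the sender signs the SHA-256 digest with RSA-PSS, so public-key operations only ever touch the short key and the digest. The type and function names are this example's own, and it assumes only the Go standard library (1.24 or newer).

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Envelope: document under a one-time AES-256-GCM key, that key RSA-OAEP-wrapped for the recipient, sender's RSA-PSS signature.
type Envelope struct{ Nonce, Ciphertext, WrappedKey, Signature []byte }

// Demo helpers: a 2048-bit key pair for one party, the slide's hash step, and the
// symmetric cipher (AES-256-GCM, whose construction cannot fail for a 32-byte key).
func NewKey() *rsa.PrivateKey       { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }
func digest(doc []byte) []byte      { h := sha256.Sum256(doc); return h[:] }
func aesGCM(key []byte) cipher.AEAD { b, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(b); return g }

// Seal: symmetric crypto for the bulk document; public-key crypto only for the short key and the digest.
func Seal(doc []byte, sender *rsa.PrivateKey, recipient *rsa.PublicKey) (*Envelope, error) {
	buf := make([]byte, 32+12) // fresh AES-256 key and 96-bit GCM nonce for this one document
	rand.Read(buf)             // crypto/rand never returns an error (Go 1.24+)
	key, nonce := buf[:32], buf[32:]
	sig, sErr := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest(doc), nil)
	wrapped, wErr := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if sErr != nil || wErr != nil {
		return nil, errors.Join(sErr, wErr)
	}
	return &Envelope{nonce, aesGCM(key).Seal(nil, nonce, doc, nil), wrapped, sig}, nil
}

// Open: unwrap the key with the recipient's private key, decrypt, then verify the sender's signature.
func Open(env *Envelope, recipient *rsa.PrivateKey, sender *rsa.PublicKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, env.WrappedKey, nil)
	if err != nil || len(key) != 32 {
		return nil, errors.New("envelope: cannot unwrap the symmetric key")
	}
	doc, err := aesGCM(key).Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("envelope: document or nonce altered")
	}
	if rsa.VerifyPSS(sender, crypto.SHA256, digest(doc), env.Signature, nil) != nil {
		return nil, errors.New("envelope: signature does not match the sender")
	}
	return doc, nil
}
```

Opening with the wrong recipient key, verifying against the wrong sender key, or altering a single ciphertext byte each produce an error rather than a document, which is what the slide's four dimensions (confidentiality, integrity, authentication, nonrepudiation) require.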

Digital Certificates and Public Key Infrastructure (PKI)
- A digital certificate includes:
  - Name of subject/company
  - Subject's public key
  - Digital certificate serial number
  - Expiration date, issuance date
  - Digital signature of the CA
- Public Key Infrastructure (PKI): CAs and digital certificate procedures
- PGP

Figure 5.9 Digital Certificates and Certification Authorities

Limitations of PKI
- Does not protect storage of the private key
- PKI is not effective against insiders, employees
- Protection of private keys by individuals may be haphazard
- No guarantee that the verifying computer of the merchant is secure
- CAs are unregulated, self-selecting organizations
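The certificate fields listed two slides up, and the PKI limitation that a verifier can only trust the roots it has chosen, shown in Go as an added example that is not part of the original slides: Issue has a CA sign a certificate carrying exactly those fields (a nil parent makes it a self-signed root), and Trust accepts a presented certificate only if it chains to the configured root and is inside its validity period at the given time. The function names, the subject names and the dates are this example's own constructions; it assumes only the Go standard library.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func NewKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k } // demo helper: 2048-bit key pair

// Issue has a CA sign a certificate with the fields the slide lists: subject name, subject
// public key, serial number, issuance/expiration dates, CA signature. parent == nil means self-signed (root CA).
func Issue(subject string, serial int64, from time.Time, days int, isCA bool,
	subjectPub *rsa.PublicKey, parent *x509.Certificate, caKey *rsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             from,
		NotAfter:              from.AddDate(0, 0, days),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, subjectPub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Trust does what a browser does with a merchant certificate: accept it only if it chains to
// the configured root and is inside its validity period at time now, then return the certified key.
func Trust(cert, root *x509.Certificate, now time.Time) (*rsa.PublicKey, error) {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	opts := x509.VerifyOptions{Roots: pool, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return nil, err // unknown CA, expired, not yet valid, or a bad CA signature
	}
	return cert.PublicKey.(*rsa.PublicKey), nil // RSA-only by this function's contract
}
```

A certificate issued by any other self-signed CA is rejected exactly like an expired one: the verifier's root set, not the issuer's claim, decides what is trusted.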

Securing Channels of Communication
- Secure Sockets Layer (SSL)/Transport Layer Security (TLS): establishes a secure, negotiated client-server session
- Virtual Private Network (VPN): allows remote users to securely access the internal network via the Internet
- Wireless (Wi-Fi) networks: WPA2

Figure 5.10 Secure Negotiated Sessions Using SSL/TLS

Protecting Networks
- Firewall: hardware or software that uses a security policy to filter packets
  - Packet filters
  - Application gateways
  - Next-generation firewalls
- Proxy servers (proxies): software servers that handle all communications from or sent to the Internet
- Intrusion detection systems
- Intrusion prevention systems

Figure 5.11 Firewalls and Proxy Servers

Protecting Servers and Clients
- Operating system security enhancements: upgrades, patches
- Anti-virus software: the easiest and least expensive way to prevent threats to system integrity; requires daily updates

Management Policies, Business Procedures, and Public Laws
- Worldwide, companies spend more than $81 billion on security hardware, software, and services
- Managing risk includes:
  - Technology
  - Effective management policies
  - Public laws and active enforcement

A Security Plan: Management Policies
- Risk assessment
- Security policy
- Implementation plan
- Security organization
  - Access controls
  - Authentication procedures, including biometrics
  - Authorization policies, authorization management systems
- Security audit

Figure 5.12 Developing an E-Commerce Security Plan

The Role of Laws and Public Policy
- Laws that give authorities tools for identifying, tracing, and prosecuting cybercriminals:
  - USA Patriot Act
  - Homeland Security Act
- Private and private-public cooperation
  - US-CERT
  - CERT Coordination Center
- Government policies and controls on encryption software
  - OECD, G7/G8, Council of Europe, Wassenaar Arrangement

E-Commerce Payment Systems
- In the U.S., credit and debit cards are the primary online payment methods
- Other countries have different systems
- Online credit card purchasing cycle
- Credit card e-commerce enablers
- Limitations of online credit card payment
  - Security, merchant risk
  - Cost
  - Social equity

Figure 5.14 How an Online Credit Transaction Works

Alternat
