Electronic Payments


Course: F0662 / Web Based Accounting
Year: 2005
Version: 1/0

Session 6
eBusiness Security and Control Systems
Learning Outcomes
By the end of this session, students are expected to be able to:
• Explain the potential risks and the internal control system that should be in place (TIK-6)
• Describe the types of threats and attacks (TIK-6)
Outline of Material
• Topic 1: Potential risks and the internal control system that should be in place.
• Topic 2: Types of threats and attacks (TIK-6)
Internet Security and Electronic Payment Services
Internet Security
• Firewalls
  – Intranets
  – Extranets
• Secure Transmission
  – SSL
  – Digital Certificates
  – Digital Signatures
• Electronic Payments
Typical Computer Network Security Problems
• Network transmissions can be intercepted
• No proof of sender
• Data integrity
• Non-repudiation
Firewalls
• Are systems that establish control policies among networks.
• They can permit different users to perform different operations according to their authorisation.
• Two general types:
  – Packet-level firewalls, which filter on addresses, protocols and ports.
  – Application-level firewalls, which understand the application protocol and inspect the content of each request.
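The difference between the two firewall types above is easiest to see on a concrete request. The following is an added example (not part of the lecture): a packet-level filter that decides on the 5-tuple alone, beside an application-level filter that also parses the HTTP request line. The LAN addresses (10.0.0.0/24, web server 10.0.0.5), the rule set and the sample packets are all hypothetical and constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Packet:
    """What a packet-level firewall sees (the 5-tuple) plus the payload it does not interpret."""
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    dport: int
    payload: bytes = b""


# Hypothetical policy for this example: 10.0.0.0/24 is the LAN, 10.0.0.5 the public web server.
# Rules are (action, source network, destination network, protocol, destination port);
# the first match wins and the last rule is an explicit default deny.
PACKET_RULES = [
    ("allow", "10.0.0.0/24", "0.0.0.0/0", "tcp", 80),    # LAN hosts browsing out
    ("allow", "10.0.0.0/24", "0.0.0.0/0", "tcp", 443),
    ("allow", "0.0.0.0/0", "10.0.0.5/32", "tcp", 80),    # anyone to the web server
    ("deny", "0.0.0.0/0", "0.0.0.0/0", "any", None),     # default deny
]


def packet_filter(pkt):
    """Packet-level decision: header fields only, the payload is never examined."""
    for action, src, dst, proto, dport in PACKET_RULES:
        if (ip_address(pkt.src) in ip_network(src)
                and ip_address(pkt.dst) in ip_network(dst)
                and proto in ("any", pkt.proto)
                and dport in (None, pkt.dport)):
            return action
    return "deny"          # only reached if someone deletes the default-deny rule


ALLOWED_METHODS = {"GET", "HEAD"}


def application_filter(pkt):
    """Application-level decision for HTTP: the request itself must be well formed and within policy."""
    try:
        request_line = pkt.payload.split(b"\r\n", 1)[0].decode("ascii")
        method, target, version = request_line.split(" ")
    except (UnicodeDecodeError, ValueError):
        return "deny"                                    # not an HTTP request line
    if method not in ALLOWED_METHODS or not version.startswith("HTTP/1."):
        return "deny"                                    # e.g. PUT/DELETE, or non-HTTP on port 80
    if not target.startswith("/") or ".." in target:
        return "deny"                                    # path traversal in the URL
    return "allow"


def decide(pkt):
    """Run the layers in order; a flow passes only if every layer that applies allows it."""
    packet_level = packet_filter(pkt)
    if packet_level != "allow":
        app_level = "not reached"
    elif pkt.proto == "tcp" and pkt.dport == 80:
        app_level = application_filter(pkt)              # the HTTP proxy inspects this flow
    else:
        app_level = "not applicable"                     # no application proxy for this service
    final = "allow" if packet_level == "allow" and app_level != "deny" else "deny"
    return {"packet_level": packet_level, "application_level": app_level, "final": final}


if __name__ == "__main__":
    # Constructed traffic: a directory-traversal request the packet filter cannot see,
    # and an SSH probe that the packet filter alone already stops.
    traversal = Packet("203.0.113.9", "10.0.0.5", "tcp", 80,
                       b"GET /../../etc/passwd HTTP/1.1\r\nHost: shop.example\r\n\r\n")
    ssh_probe = Packet("203.0.113.9", "10.0.0.5", "tcp", 22, b"SSH-2.0-scanner\r\n")
    for pkt in (traversal, ssh_probe):
        print(pkt.dst, pkt.dport, decide(pkt))
```

The traversal request is allowed by the packet filter, because on the wire it is just a TCP connection to port 80 of the web server, and stopped only by the application-level filter that reads the request; the SSH probe never reaches the application layer because no packet rule permits port 22.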
Firewalls
Figure: LAN with individual Internet access (each host connects directly to the Internet).
Figure: LAN with Internet access through a firewall.
Intranets
• A private network within a business used to share company information and computing resources among employees.
• Client-server applications use the TCP/IP and HTTP communication protocols and HTML publishing.
• May consist of interlinked local area networks, and may also use leased lines in the wide area network.
• Typically includes connections through one or more gateway computers to the outside Internet.
Figure: intranet topology.
Extranets
• Part of an enterprise's intranet extended to users outside the company.
• A private network for suppliers, vendors, partners and customers rather than the general public.
• Uses the Internet for transmission, so access must be authenticated (passwords at a minimum).
Figure: extranet topology.
Secure Transmission
Figure: who can read my e-mail on the LAN?
Figure: private key (symmetric) encryption, where one shared key both encrypts and decrypts.
Figure: public key (asymmetric) encryption, where the public key encrypts and only the private key decrypts.
Secure Transmission
• Secure transmission
  – PGP (Pretty Good Privacy)
• Message integrity
  – SSL: provides server authentication, message integrity, encryption, and optional client authentication.
• Digital certificates
  – Authentication
• Digital signatures
Secure Transmission: SSL
• Encrypts data in transit between client and server, so intercepted packets cannot be read.
• Essential for sensitive corporate data or financial transactions.
• Authenticates the server through its certificate; the client (the receiver of what the server sends) is authenticated only if client certificates are used, so on its own SSL may not authenticate the receiver of encrypted data.
• Is implemented in browsers such as Netscape Navigator and Internet Explorer (as of 2005; SSL has since been superseded by TLS).
• Uses the widely used RSA public key cryptography for authentication and key exchange, with a symmetric cipher for the data itself.
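Whether an SSL/TLS connection authenticates anyone at all is decided by the client's configuration, not by the protocol. The following is an added example (not from the lecture) using Python's standard `ssl` module: the weak client configuration that "only encrypts" beside the corrected one, and an audit function that reports which authentication checks a context will actually perform. No network connection is opened; `cafile` is an optional path to a CA bundle and is an assumption of the example.

```python
import ssl


def insecure_client_context():
    """The weak setting: data is encrypted, but the server is never authenticated.
    Whoever intercepts the connection can present any certificate and will be accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_client_context(cafile=None):
    """The corrected setting: the server certificate must chain to a trusted CA (the system
    store, or the bundle at `cafile`) and its name must match the host being contacted."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # refuse SSLv3 / TLS 1.0 / TLS 1.1
    # Optional client authentication would be added with ctx.load_cert_chain(cert, key).
    return ctx


def audit_context(ctx):
    """Return the authentication gaps of a client context. An empty list means the
    connection authenticates the server rather than merely encrypting to it."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified: encryption without authentication")
    if not ctx.check_hostname:
        findings.append("hostname not checked: any certificate from a trusted CA would be accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy SSL/TLS protocol versions still enabled")
    return findings


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_client_context()),
                      ("verified", verified_client_context())):
        print(name, audit_context(ctx) or ["ok: server will be authenticated"])
```

The audit is what to run over any client code that builds its own `SSLContext`: the first two findings are exactly the "encrypts but does not authenticate" state the summary table below warns about.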
Secure Transmission: Digital Certificates
• A certificate contains:
  – your name,
  – a serial number,
  – expiration dates,
  – a copy of the certificate holder's public key (used for encrypting messages to the holder and for verifying the holder's digital signatures), and
  – the digital signature of the certificate-issuing authority (which makes the certificate a kind of digital passport).
Morley E (October 12, 1999) digital certificate http://whatis.com/
Secure Transmission: Digital Certificates
• Certificates can be kept in registries so that authenticated users can look up other users' public keys.
Secure Transmission
Figure: without a digital certificate (?)
Figure: with a digital certificate (!)
Secure Transmission: Digital Signature
• authenticates the identity of the sender
• lets the receiver check that the message or document being sent is unchanged
• can be automatically time-stamped
• can be used with encrypted or plain (unencrypted) messages
• can also be used with digital certificates
Secure Transmission (summary)

Firewall
  What it does: authorizes access; filters or rejects users based on access rights on the server.
  Effectiveness and limitations: authorizes access but cannot by itself authenticate the identity of a user. Where access is password based it is open to all the associated password problems.

Digital Certificate
  What it does: authenticates the identity of a user (or server).
  Effectiveness and limitations: certificates and their private keys are lost in a system crash or deletion unless backed up; can be compromised if the computer holding the key is stolen; cannot stop the certificate and key being shared.

Encryption / SSL
  What it does: protects data confidentiality in transit.
  Effectiveness and limitations: encryption alone does not authenticate; SSL authenticates the server only when its certificate is checked, and the client only if client certificates are used. The protection is only as strong as the passwords or certificates that guard the keys.
Electronic and Digital Signatures
• From a legal point of view, handwriting one's name on paper has been the principal means of signature for centuries.
• In today's electronic world the legal concept of a signature could include:
  – Digitised images of paper signatures.
  – Typed notations.
  – Letterheads or e-mail origination headers.
Electronic and Digital Signatures
• However, there is a difference between these types of electronic signatures and digital signatures.
Electronic Signature Definition
• Sec. 4(4). Electronic signature. -- The term "electronic signature" means an electronic sound, symbol, or process, attached to or logically associated with a (contract or other) record and executed or adopted by a person with the intent to sign the record.
Electronic Transactions
• The digital signature is revolutionizing e-commerce and corporate document management systems.
• Legislative bodies nationwide and internationally are rewriting the definition of "signature" to include electronic signatures, and passing laws and regulations to accommodate electronic signatures on legal documents and in filings. Examples:
  – Utah Digital Signature Act.
  – Singapore: Electronic Transactions Act (Act 25 of 1998).
Digital Signature Technology
• Digital signatures are created and verified by means of cryptography.
• Two different keys are generally used:
  – One for creating the signature, transforming the data into an unintelligible form.
  – One for verifying the digital signature, returning the message to its original form.
• This is usually referred to as an "asymmetric cryptosystem".
• The keys are usually referred to as the "private key", which is known only to the signer, and the "public key", which is usually more widely known and is used to verify the digital signature.
Digital Signatures
• The processes of creating a digital signature and verifying it accomplish the essential effects desired of a signature:
• Signer authentication
  – If a private key and a public key are associated with an identified signer, a digital signature made with the private key effectively identifies the signer with the message.
• Message authentication
  – The process of digitally signing also identifies the matter being signed with greater certainty and precision than paper signatures do.
Digital Signatures
• Affirmative act
  – Creating a digital signature requires the signer to provide a private key and invoke a software function to create the digital signature.
• Efficiency
  – The process of creating and verifying a digital signature provides a high level of assurance that the digital signature is genuinely the signer's, and is almost entirely automated or capable of automation.
Digital Signatures and Certification Authorities
• To ensure that parties using digital signatures are identified with a particular key pair, a trusted third party termed a "certification authority" is used to associate an identified person at one end of a transaction with the key pair creating the digital signature at the other end. Examples:
  – Verisign.
  – Society for Worldwide Interbank Financial Telecommunication (SWIFT).
  – E-Club of the International Chamber of Commerce (ICC).
  – Identrus LLC.
  – WISeKey S.A.
Digital Signatures: Costs and Benefits
• Costs
  – Institutional overhead: the cost of establishing and utilising certification authorities etc.
  – Product cost: software may be expensive; certification authority charges for issuing certificates; verification software; access to a certificate repository.
Digital Signatures: Costs and Benefits
• Benefits
  – Impostors: minimizes the risk of dealing with impostors.
  – Message corruption: minimizes the risk of message tampering.
  – Formal legal requirements: legal requirements of writing, signature and an original document are satisfied.
  – Open systems: a high degree of information security is retained when information is sent over open, insecure Internet channels.
Electronic Payment Instruments and Systems
• To be attractive to consumers and businesses, they:
  – Should save money
  – Reduce costs in current systems
  – Enable consumers to spend their money more cheaply
Electronic Payment Instruments and Systems
• Cost of transactions
  – Teller-generated, at a financial institution: $1.07
  – ATM: $0.27
  – Swiping a credit card: $0.08 $.015
  – Dipping a smart card: $0.01
• Can squeeze as much as $1.06 out of each of the trillions of financial services transactions that occur each year.
• Good reason why electronic instruments and systems will change!!
Electronic Payments
• Credit cards
• SET (Secure Electronic Transactions)
• Payment Services, Merchant Gateways
• Micropayments (DigiCash, e-Cash,
NetPay)
• Mondex (SmartCards)
Electronic Payments:
How credit cards work
Figure: the parties in a card transaction: Merchant, Acquirer, Visa Net, Issuer.
Duncan Unwin, QSI Payments Inc., 2000
Electronic Payments:
SET: Visa, MasterCard
A specification which:
• uses both public-key and symmetric (private-key) cryptography
• authenticates cardholders and merchants using digital certificates
• provides confidentiality of payment data
  – the merchant does not see the credit card number, which is encrypted for the payment gateway only
Electronic Payments:
Payment Services, Merchant Gateways
• 3rd party service
  – Camtech, Surelink, QSI
• Bank service
  – CBA, ANZ, NAB, Westpac, St George
Duncan Unwin, QSI Payments Inc., 2000
Electronic Payments:
Micropayments
• Small electronic cash payment systems
  – DigiCash, e-Cash, NetPay
• See W3C for the first public working draft of the "Common Markup for Web Micropayment Systems", at URL
  http://www.w3.org/TR/WD-MicropaymentMarkup
Figure: MilliCent website screenshot.
Figure: eCash website screenshot.
Figure: CheckFree website screenshot.
Electronic Cash Systems
• Provide a direct electronic equivalent of cash
  – Clickshare
  – Mondex
  – Bpay
Figure: Mondex website screenshot.
Electronic Payments:
Mondex (Smart Cards)
• Members – licensed to issue Mondex cards to cardholders and merchants.
• Merchants – retailers, service companies and other businesses that enter into an agreement with Members to enable them to accept Mondex electronic cash as payment for goods and services.
• Cardholders – provided with a Mondex Card by a Member, which enables them to pay for goods and services from Merchants and to transfer money to/from other Cardholders.
Electronic Payments:
Mondex (Smart Cards)
• Home banking – download value from your bank account to your card.
• Buying on the Internet – buy low-value goods and services on the Internet that aren't normally chargeable.
• Privacy – no record is held of the transaction, a privacy normally only afforded by physical cash.
• Real-time verification of funds.
Figure: Clickshare website screenshot.
Figure: Bpay website screenshot.
Bibliography
• Schneider and Perry, Electronic Commerce, Chapter 7
• http://www.course.com/downloads/sites/ecommerce/ch07.html
• www.mondex.com
Summary
• Students are required to write a summary.