Transcript No Slide Title - Faculty Personal Web Page

Final Review
1
E-Commerce Security
Part I – Threats
2
Objectives
• Threats to
– intellectual property rights
– client computers
– communication channels between
computers
– server computers
3
Security Overview
• Computer security is the protection of assets
from unauthorized access, use, alteration, or
destruction.
• Two types of security:
• Physical security - includes tangible protection
devices, such as alarms and guards.
• Logical security - protection of assets using
nonphysical means.
4
Security Overview
• Any act or object that poses a danger to
computer assets is known as a threat.
• Countermeasure is a procedure that
recognizes, reduces, or eliminates a threat.
5
Security Overview
• An eavesdropper is a person or device that can
listen in on and copy Internet transmissions.
• People who write programs or manipulate
technologies to obtain unauthorized access to
computers and networks are called crackers or
hackers.
6
Privacy vs. Security
• Privacy – is the protection of individual rights to
nondisclosure
• Security – provides protection from inadvertent
information disclosure
7
Privacy
• Privacy Act of 1974 – information you provide to
a government agency will not be disclosed to
anyone outside of that agency.
• Cookie – is a small data file that some Web sites
write to your hard drive when you view the Web
site. This file can be retrieved to any server in
the domain that creates this file.
8
Computer Security
Classification
• Secrecy refers to protecting against unauthorized
data disclosure and ensuring the authenticity of
the data’s source.
• Integrity refers to preventing unauthorized data
modification.
• Necessity refers to preventing data delays or
denials.
9
Security Policy
• Specific elements of a security policy address the
following points:
• Authentication: Who is trying to access the
electronic commerce site?
• Access control: Who is allowed to log on to and
access the electronic commerce site?
• Secrecy: Who is permitted to view selected
information?
• Data integrity: Who is allowed to change data,
and who is not?
• Audit: Who or what causes selected events to
occur and when?
10
Intellectual Property Threats
• Copyright is the protection of expression.
• Intellectual property is the ownership of ideas
and control over the tangible or virtual
representation of those ideas.
• U.S. Copyright Act of 1976 - Copyright Clearance
Center provides copyright information.
11
Domain Names
• Issues of intellectual property rights for
Internet Domain Names:
• Cybersquatting
• Name changing
• Name stealing
12
Cybersquatting
• Cybersquatting is the practice of registering a
domain name that is the trademark of another
person or company in the hopes that the owner
will pay huge amounts of money to acquire the
URL.
• On November 29, 1999, the U.S.
Anticybersquatting Consumer Protection Act was
signed into law.
13
Name Changing
• Name changing occurs when someone
registers purposely misspelled variations of
well-known domain names.
• The practice of name changing is annoying to
affected online businesses and confusing to
their customers.
14
Name Stealing
• Name stealing occurs when someone changes
the ownership of the domain name assigned
to another site and owner.
• After domain name ownership is changed the
name stealer can manipulate the site.
15
Active Content
• A Trojan horse is a program hidden inside
another program or Web page that masks its true
purpose.
• A Zombie is a program that secretly takes over
another computer for the purpose of launching
attacks on other computers.
• Malicious ‘cookies’ can destroy files stored on
client computers.
16
Applets/JavaScript/VBScript
• Java applet adds functionality to business
applications and can handle transactions and a
wide variety of actions on the client computer.
• JavaScript/VBScript is a scripting language that enables
Web page designers to build active content.
• JavaScript/VBScript can invoke privacy and integrity
attacks by executing code that destroys your hard disk.
17
ActiveX Controls
• ActiveX is an object that contains programs and
properties that Web designers place on Web
pages to perform particular tasks.
• Because ActiveX controls have full access to your
computer, they can cause secrecy, integrity, or
necessity violations.
18
Virus
• A virus is software that attaches itself to another
program and can cause damage when the host
program is activated.
• Worm viruses replicate themselves on other
machines.
• A macro virus is coded as a small program and is
embedded in a file.
• The term steganography describes information
that is hidden within another piece of information.
19
Communication Channel
Threats
• The Internet is not at all secure.
• Messages on the Internet travel a random path
from a source node to a destination node.
• Internet channel security threats include:
• secrecy
• integrity
• necessity
20
Secrecy Threats
• Secrecy is the prevention of unauthorized
information disclosure – it is a technical
issue requiring sophisticated physical and
logical mechanisms.
• Privacy is the protection of individual rights
to nondisclosure - Privacy protection is a
legal matter.
21
Secrecy Threats
• Web users are continually revealing information
about themselves when they use the Web.
• Sniffer programs provide the means to tap into
the Internet and record information that passes
through a particular computer (router) from its
source to its origin. The programs can read email
messages as well as E-commerce information.
22
Integrity Threats
• An integrity threat exists when an unauthorized
party can alter a message stream of information.
• Cyber vandalism is an example of an integrity
violation.
• Masquerading or spoofing is one means of
creating havoc on Web sites.
23
Necessity Threats
• The purpose of a necessity threat is to disrupt
normal computer processing or to deny
processing entirely.
• Necessity threats are also known as delay,
denial, or denial-of-service (DOS) threats.
24
Web Server Threats
• Servers have vulnerabilities that can be exploited
to cause destruction or to acquire information
illegally.
• Server threats include:
• Web server threats
• database threats
• common gateway interface threats
• other programming threats
25
Common Gateway Interface
Threats
• Because CGIs are programs, they present a
security threat if misused.
• CGI scripts can be set up to run with high
privileges, which can cause a threat.
• CGI programs or scripts can reside just about
anywhere on the Web server, which makes them
hard to track down and manage.
26
Other Programming Threats
• Another serious Web server attack can come
from programs executed by the server.
• A mail bomb occurs when thousands of
people send a message to a particular
address.
27
E-Commerce Security
Part II – Security Techniques
28
Objectives
• Specific security objectives for protecting
– Web business assets and customer privacy
– client computers from security threats
– information as it travels through the Internet
communication channel
– the security of Web server computers
• Organizations that promote computer,
network, and Internet security
29
Protecting Privacy
• Cookies contain private information that can
include credit card data, passwords, and login
information.
• The best way to protect your privacy is to disable
cookies entirely.
30
Protecting Client Computers
• Client computers must be protected from
threats.
• Active content can be one of the most serious
threats to client computers.
31
Digital Certificates
• A digital certificate verifies that a user or Web site
is who it claims to be.
• The digital certificate contains a means for
sending an encrypted message to the entity that
sent the original Web page or message.
• A Web site’s digital certificate is a shopper’s
assurance that the Web site is the real store.
32
Using Antivirus Software
• Antivirus software is a defense strategy.
• One of the most likely places to find a
virus is in an electronic mail attachment.
• Some Web e-mail systems let users scan
attachments using antivirus software
before downloading e-mail.
33
Communication Channel Security
• Integrity violations can occur whenever a
message is altered while in transit between the
sender and receiver.
• Ensuring transaction integrity, two separate
algorithms are applied to a message:
• Hash function
• Digital signature
34
Hash Functions
• Hash algorithms are one-way functions.
• A hash algorithm has these characteristics:
• It uses no secret key.
• The message digest cannot be inverted to
produce the original information.
• The algorithm and information about how it
works are publicly available.
35
Digital Signature
• An encrypted message digest is called a digital
signature.
• A purchase order accompanied by the digital
signature provides the merchant positive
identification of the sender and assures the
merchant that the message was not altered.
• Used together, public-key encryption, message
digests, and digital signatures provide quality
security for Internet transactions.
36
Digital Signatures
37
Encryption
• Encryption is the coding of information by a
mathematically based program and a secret key to
produce a string of characters that is unintelligible.
• The program that transforms text into cipher text
is called an encryption program.
• Upon arrival, each message is decrypted using a
decryption program.
38
Three Types of Encryption
• “Hash coding” is a process that uses a hash
algorithm to calculate a hash value from a
message.
• “Asymmetric encryption,” or public-key
encryption, encodes messages by using two
mathematically related numeric keys: a public
key and a private key.
• “Symmetric encryption,” or private-key
encryption, encodes a message using a single
numeric key to encode and decode data.
39
Encryption Methods
40
Encryption: Single Key
Message
Message
Makiko
Encrypted
Public Keys
Private Key
13
Use
Takao’s
Public key
Makiko 29
Takao 17
Takao
Use
Private Key
Takao’s
37
Private key
Makiko sends message to Takao that only he can read.
41
Dual Key: Authentication
Message
Transmission
Message
Encrypt+T+M
Makiko
Private Key
13
Use
Makiko’s
Private key
Encrypt+M
Encrypt+T
Public Keys
Makiko 29
Use Takao 17
Use
Takao’s
Makiko’s
Public key
Public key
Takao
Private Key
Use
37
Takao’s
Private key
Takao sends message to Makiko:
His key guarantees it came from him.
Her key prevents anyone else from reading message.
42
Protecting the Web Server
• Security solutions for commerce servers:
• Access control and authentication
• Operating system controls
• Firewall
43
Access Control & Authentication
• Access control and authentication refers to
controlling who and what has access to the
commerce server.
• Authentication is performed using digital
certificates.
• Web servers often provide access control list
security to restrict file access to selected users.
44
Access Control & Authentication
• The server can authenticate a user in several
ways:
• First, the certificate represents the user’s
admittance voucher.
• Second, the sever checks the timestamp on the
certificate to ensure that the certificate has not
expired.
• Third, a server can use a callback system to check
the user’s client computer address and name.
• An access control list (ACL) is a list or database
of people who can access the files and resources.
45
Dial Back Modem
phone
company
phone
company
4
7
2
5
Jones 1111
Smith 2222
Olsen 3333
Araha 4444
1)
2)
3)
4)
5)
6)
7)
User calls computer.
Modem answers.
User enters name and password.
Modem hangs up.
Modem dials phone number in database.
User machine answers.
User gets access.
3
6
1
If hacker somehow gets name
and password. Company
modem will hang up and call
back number in database,
preventing hacker from
accessing the computer.
46
User Identification
• Passwords
– Dial up service found 30% of people used
same word
– People choose obvious words
• Hints
– Don’t use real words, personal names
– Include non-alphabetic
– Change often
– Use at least 6 characters
47
Biometrics
• Alternatives: Biometrics
–
–
–
–
Finger/hand print
Voice recognition
Retina/blood vessels
Thermal
• Comments
–
–
–
–
Don’t have to remember
Reasonably accurate
Price is dropping
Nothing is perfect
48
Biometrics: Thermal
Several methods exist to identify a person based on biological
characteristics. Common techniques include fingerprint, handprint readers,
and retinal scanners. More exotic devices include body shape sensors and
this thermal facial reader which uses infrared imaging to identify the user.
49
Firewalls
• A firewall is a computer and software
combination that is installed at the entry point
of a networked system.
• The firewall provides the first line of defense
between a network and the Internet or other
network that could pose a threat.
• Acting as a filter, firewalls permit selected
messages to flow into and out of the protected
network.
50
Types of Firewalls
• Packet-filter firewalls examine all the data
flowing back and forth between the trusted
network.
• Gateway servers are firewalls that filter traffic
based on the application they request.
• Proxy severs are firewalls that communicate
with the Internet on the private network’s
behalf.
51
E-Commerce
Payment System
52
Learning Objectives
• The basic functions of payments systems that
are used in electronic commerce
• The history and future of electronic cash
• How electronic wallets work
• The use of stored-value cards in electronic
commerce
53
Payment Cards
• Payment cards are all types of plastic cards
that consumers use to make purchases:
– Credit cards
• such as a Visa or a MasterCard, has a preset
spending limit based on the user’s credit limit.
– Debit cards
• removes the amount of the charge from the
cardholder’s account and transfers it to the seller’s
bank.
– Charge cards
• such as one from American Express, carries no preset
spending limit.
54
Advantages & Disadvantages
of Payment Cards
• Advantages:
• Payment cards provide fraud protection.
• Worldwide acceptance.
• Good for online transactions.
• Disadvantages:
• Payment card service companies charge
merchants per-transaction fees and
monthly processing fees.
55
Payment Acceptance
and Processing
• Open and closed loop systems will accept and
process payment cards.
• A merchant bank or acquiring bank is a bank
that does business with merchants who want
to accept payment cards.
• Software packaged with an electronic
commerce software can handle payment card
processing automatically.
56
Electronic Cash
• Electronic cash is a general term that describes
the attempts of several companies to create a
value storage and exchange system.
• Concerns about electronic payment methods
include:
• Privacy
• Security
• Independence
• Portability
• Convenience
57
Electronic Cash
• Electronic cash should have two important
characteristics in common with real currency:
• It must be possible to spend electronic
cash only once.
• Electronic cash ought to be anonymous.
• The most important characteristic of cash is
convenience. If electronic cash requires
special hardware or software, it will not be
convenient for people to use.
58
Providing Security for
Electronic Cash
• To prevent double spending, the main security
feature is the threat of prosecution.
• A complicated two-part lock provides
anonymous security that also signals when
someone is attempting to double spend cash.
• One way to trace electronic cash is to attach a
serial number to each electronic cash
transaction.
59
Advantages of Electronic Cash
• Electronic cash transactions are more
efficient and less costly than other methods.
• The distance that an electronic transaction
must travel does not affect cost.
• The fixed cost of hardware to handle
electronic cash is nearly zero.
• Electronic cash does not require that one
party have any special authorization.
60
Disadvantages of Electronic Cash
• Electronic cash provides no audit trail.
• Because true electronic cash is not traceable,
money laundering is a problem.
• Electronic cash is susceptible to forgery.
61
PayPal
• PayPal.com is a free service that earns a profit
on the float, which is money that is deposited in
PayPal accounts.
• The free payment clearing service that PayPal
provides to individuals is called a peer-to-peer
payment system.
• PayPal allows customers to send money instantly
and securely to anyone with an e-mail address,
including an online merchant.
62
Smart Card
• A smart card is a plastic card with an embedded
microchip containing information about you.
• A smart card can store about 100 times the
amount of information that a magnetic strip
plastic card can store.
• A smart card contains private user information,
such as financial facts, private encryption keys,
account information, credit card numbers, health
insurance information, etc.
63
Mondex Smart Card
• Mondex is a smart card that holds and dispenses
electronic cash.
• Mondex requires special equipment, such as a ‘card
reader’, to process.
• Containing a microcomputer chip, Mondex cards
can accept electronic cash directly from a user’s
bank account.
64
International, Legal,
and Ethics Issues
65
Objectives
• International E-commerce
• Laws that govern E-commerce activities
• Ethics issues that arise for companies
conducting E-commerce
• Conflicts between a company’s desire to
collect and use data about their customers
and the privacy rights of those customers
• Taxes that are levied on E-commerce
66
International Nature of E-Commerce
• Businesses engaging in electronic commerce
must be aware of the differences in language
and customs that make up the culture of any
region in which they do business.
• The barriers to international electronic
commerce include language, culture, and
infrastructure issues.
67
Infrastructure Issues
• Internet infrastructure includes the computers
and software connected to the Internet and
the communications networks over which
message packets travel.
• Regulations in some countries have inhibited
the development of the telecommunications
infrastructure or limited the expansion of that
infrastructure.
68
Subject-Matter Jurisdiction
• Subject-matter jurisdiction is a court’s authority
to decide a particular type of dispute.
– In the U.S., federal courts have subject-matter
jurisdiction over issues governed by federal law.
– State courts have subject-matter jurisdiction over
issues governed by state laws.
69
Personal Jurisdiction
• Personal jurisdiction is determined by the
residence of the parties.
• Businesses should be aware of jurisdictional
considerations when conducting electronic
commerce over state and international lines.
70
Contracting and Contract
Enforcement in E-Commerce
• Any contract includes three essential elements:
an offer, an acceptance, and consideration.
• The contract is formed when one party accepts
the offer of another party.
• Contracts are a key element of traditional
business practice and they are equally important
on the Internet; they can occur when parties
exchange e-mail messages, engage in EDI, or fill
out forms on Web pages.
71
Warranties on the Web
• Any contract for the sale of goods includes
implied warranties.
• Most firms conducting electronic commerce
have little trouble fulfilling warranties.
• Sellers can avoid some implied warranty
liability by making a warranty disclaimer.
• To be legally effective, the warranty
disclaimer must be stated obviously and must
be easy for a buyer to find on the Web site.
72
Authority to Form Contracts
• A contract is formed when an offer is
accepted for consideration.
• Problems can arise in electronic commerce
since the online nature of acceptance can
make it relatively easy for identity forgers
to pose as others.
• Digital signatures, however, are an
excellent way to establish identity in online
transactions.
73
Web Site Content
• A number of other legal issues can arise
regarding the Web page content of
electronic commerce sites, including:
•
•
•
•
trademark infringement
deceptive trade practices
regulation of advertising claims
defamation
74
Copyright Infringement
• A copyright is a right granted by a
government to the author or creator of a
literary or artistic work.
• Creations that can be copyrighted include
virtually all forms of artistic or intellectual
expression: books, music, artworks,
recordings (audio and video), architectural
drawings, choreographic works, product
packaging, and computer software.
75
Patent Infringement
• A patent is an exclusive right to make, use,
and sell an invention that a government
grants to the inventor.
• To be patentable, an invention must be
genuine, novel, useful, and not obvious given
the current state of technology.
76
Trademark Infringement
• The owners of registered trademarks have
often invested and developed their
trademarks.
• Web site designers must be very careful not
to use any trademarked name, logo, or other
identifying mark without permission.
77
Defamation
• A defamatory statement is a statement that is
false and that injures the reputation of
another person or company.
• If the statement injures the reputation of a
product, it is called product disparagement.
78
Deceptive Trade Practices
• If the Web page objects being manipulated
are trademarked, these manipulations can
violate the trademark holder’s right.
• Trademark protection prevents another firm
from using the same or a similar name, logo,
or other identifying characteristic in a way
that would cause confusion.
79
Web-based Crime, Terrorism,
and Warfare
• Crimes on the Internet includes online versions
of crimes, including theft, stalking, distribution
of pornography, and gambling.
• A considerable number of Web sites exist today
that openly support or are operated by hate
groups and terrorist organizations.
80
Ethical Issues
• Companies using Web sites to conduct
E- commerce should adhere to the same
ethical standards that other businesses
follow.
• In general, advertising on the Web should
include only true statements - Ethical
considerations are important in determining
advertising policy on the Web.
81