Transcript Chapter 15

Electronic Marketing
Chapter 15
Security on the E-commerce Site
Electronic Marketing: Integrating Electronic
Resources into the Marketing Process, 2e
4/6/2016
2004
Joel Reedy and Shauna Schullo
A Survey of Cryptography
• Cryptography produces cryptographic methods, known as
cryptosystems:
– Symmetric cryptosystems use the same key (the secret key) to
encrypt (scramble) and decrypt (unscramble) a message
– Asymmetric or Public Key cryptosystems use two keys: one
key (the public key) to encrypt a message and a different key
(the private key) to decrypt it
• Symmetric cryptosystems are the easier of the two to
implement, since only one key is required
Digital Certificate
• Authentication is the digital process of verifying that people
or entities are whom or what they claim to be
• Digital certificates are in effect virtual fingerprints, or retinal
scans that authenticate the identity of a person or thing in a
concrete, verifiable way
Digital Certificate
• A typical digital certificate is a data file of information,
digitally signed and sealed using RSA encryption
techniques, that can be verified by anyone and includes:
– The name of the holder and other identification information,
such as e-mail address
– A public key, which can be used to verify the digital signature
of a message sender previously signed with the matching
mathematically unique private key
– The name of the issuer, or Certificate Authority
– The certificate’s validity period
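An added example in Go (not from the textbook) of the certificate just described: a toy Certificate Authority signs a certificate carrying the holder's name and e-mail, the holder's public key, the issuer's name and a validity period, and a verifier checks the issuer's signature with the CA's public key and then the validity period. The CA is reduced to a name plus a key pair rather than a full certificate, and the CA name, holder name and e-mail address are constructed values.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// IssueHolderCert has a toy Certificate Authority (a name plus a key pair) sign a certificate
// carrying the slide's fields: holder name and e-mail, the holder's public key, the issuer's
// name and a validity period. It returns the certificate and the CA's public key.
func IssueHolderCert(notBefore, notAfter time.Time) (*x509.Certificate, ed25519.PublicKey) {
	caPub, caPriv, err := ed25519.GenerateKey(rand.Reader) // the issuer's key pair
	check(err)
	holderPub, _, err := ed25519.GenerateKey(rand.Reader) // the holder keeps the private half
	check(err)
	issuer := &x509.Certificate{Subject: pkix.Name{CommonName: "Example CA"}} // constructed name
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), KeyUsage: x509.KeyUsageDigitalSignature,
		Subject:        pkix.Name{CommonName: "Example Shopper"}, // holder's name (constructed)
		EmailAddresses: []string{"shopper@example.test"},          // other identification (constructed)
		NotBefore:      notBefore, NotAfter: notAfter, // the validity period
	}
	// The CA's private key signs the certificate body; only the holder's public key goes in.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, holderPub, caPriv)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, caPub
}

// VerifyHolderCert is what "anyone" holding the CA's public key can do: confirm the CA's
// signature over the certificate body, then confirm that now is inside the validity period.
func VerifyHolderCert(cert *x509.Certificate, caPub ed25519.PublicKey, now time.Time) error {
	if !ed25519.Verify(caPub, cert.RawTBSCertificate, cert.Signature) {
		return errors.New("issuer signature does not verify")
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return errors.New("certificate is outside its validity period")
	}
	return nil
}
```

A real verifier would also consult the issuer's revocation information, which the slides cover next; this block checks only the signature and the validity window.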
Digital Certificate
• To create a digital certificate for an individual, the identity of
the person, device, or entity that requests a certificate must
be confirmed. This is typically accomplished through a
combination of the following:
– Personal presence
– Identification documents
Digital Certificate
• Digital certificates may be distributed online. Typical means
of distributing certificates include:
– Certificate accompanying signature
– Directory service
• The decision to revoke a certificate is the responsibility of
the issuing company
Secure Sockets Layer (SSL)
• SSL was introduced in 1995 by Netscape as a component of
its popular Navigator browser and as a means of providing
privacy with respect to information being transmitted
between a user’s browser and the target server, typically
that of a merchant
• SSL establishes a secure session between a browser and a
server
Secure Sockets Layer (SSL)
• A channel is the two-way communication stream established
between the browser and the server, and the definition of
channel security indicates three basic requirements:
– The channel is reliable
– The channel is private
– The channel is authenticated
• Because SSL requires Transmission Control Protocol (TCP)
as the transport mechanism, channel reliability is inherent
Secure Sockets Layer (SSL)
• The encrypted session is preceded by a “data handshake”
that has two major phases:
– The first phase is used to establish private communications,
and uses the key-agreement algorithm
– The second phase is used for client authentication
• Limits of SSL
– While the possibility is very slight, successful cryptographic
attacks made against these technologies can render SSL
insecure
Secure Electronic Transaction (SET)
• In 1996, MasterCard and Visa announced the development
of a single technical standard for safeguarding payment
card purchases made over open networks called Secure
Electronic Transaction (SET).
• Since 1996, both Visa and MasterCard have continued their
search for better security to reassure online consumers and
merchants. To this end, both now have special programs
that allow a cardholder to set a password to protect their
card from unauthorized use. This process protects both the
consumer and the merchant.
Secure Electronic Transaction (SET)
• SET sought to bolster confidence by mitigating the security
risks in SSL
• SET ensured that merchants were authorized to accept
credit card payments, thus reducing risks associated with
merchant fraud
• SET ensured that the purchaser was an authorized user of
the payment card
Secure Electronic Transaction (SET)
• While the goal of SSL is to reduce the likelihood of
communication interception, the goal of SET is to reduce
the likelihood of fraud
• SET provides the special security needs of electronic
commerce with the following:
– Privacy of payment data and confidentiality of order
information transmission
– Authentication of a cardholder for a branded bank card
account
– Authentication of the merchant to accept credit card payments
Secure Electronic Transaction (SET)
• The purchasing process
– A merchant applies for, and receives, an account with an
issuing bank, just as it would apply for a normal credit card
merchant account
– A consumer makes an application to an issuing bank for a
digital credit card, which is a digital certificate that has been
personalized for the credit card-holder
– After the consumer receives her digital credit card, she adds it
to her browser wallet
– The consumer browses the Web at a particular site and at
checkout time, the Web site asks for the shopper’s credit card
Secure Electronic Transaction (SET)
• The process continued…
– Instead of typing in the credit card number, the browser wallet
is queried by the Web site SET software and, following
selection of the appropriate credit card and entry of its
password by the consumer, the bank-issued digital credit card
is submitted to the merchant
– The merchant receives the digital credit card in a digital
envelope
– The merchant software then sends the SET transaction to a
credit card processor (also known as a “payment gateway
application” or “acquirer”) for verification
Secure Electronic Transaction (SET)
• The process continued…
– The financial institution performs functions on the transaction,
including authorization, credit and capture, and reversals
(voids and refunds)
– Following successful processing, the merchant, cardholder,
and credit card processors are all advised electronically that
the purchase has been approved
– Following this notification, the cardholder is debited and the
merchant is paid through subsequent capture transactions
– The merchant can then ship the merchandise, knowing that the
customer transaction is approved
Secure Electronic Transaction (SET)
• Limitations of SET and SSL
– A downside of both SSL and SET protocols is that they both
require the use of cryptographic algorithms that place
significant loads on the computer systems involved in the
commerce transaction
– For low- and medium-scale e-commerce applications, there is
no additional server cost to support SET over SSL
– For the large e-commerce server applications, support of SET
requires additional hardware acceleration in the range of a 5 to
6% increase in server costs
– For small payment gateway applications using SET, hardware
acceleration is also required
Secure Electronic Transaction (SET)
Thus, the conclusion is that SET has a definitive security
component that very clearly represents an advance in
technology over SSL, and that any deficits that may be related
to performance will quickly be rendered minor as hardware-based
processing technology rapidly advances