EC04 SecurityPayment
Slide 4-2
Vulnerable Points in an E-commerce Transaction
Slide 4-3
The ability to ensure that information on the Internet has not been altered in any way by an unauthorized party
Slide 4-4
What’s New in e-Commerce Security 2018-2019
Slide 4-5
Cybercrimes
n Hacking
v Intends to gain unauthorized access to a computer
v Types of hackers: White, black, grey hats
n Black-hat hackers are also called crackers
v Hacktivism: Cybervandalism and data theft for political purposes (e.g.,
Anonymous)
n Cybervandalism:
v Disrupting, defacing, destroying Web site
n Data breach
v Organization loses control over corporate information to outsiders
v Over 1,575 breaches in 2017, 45% increase over 2016
v Yahoo and Equifax two of the most notorious; Facebook breach in 2018
exposed personal information of 30 million
v Leading causes
n Hacking
n Unauthorized access
n Employee error/negligence
Slide 4-6
Common Security Threat Techniques: On Your Computer
n Malicious code (Malware) – Exploits (or damages) the client and server
v Exploit kits: Software kits hosted on a server that identify software vulnerabilities on client computers
v Drive-by downloads: Malware that comes with a downloaded file
v Viruses: Replicate copies of themselves and spread to other files
v Worms: Spread from computer to computer
v Ransomware (Scareware): Prevents you from accessing your computer or files and
demands you pay a fine
v Trojan horses: Most common malware (70%)
v Backdoors: Allows attacker to remotely access a computer
v Bots: Software covertly installed on a computer that, when connected to the Internet, responds to external commands sent by the attacker
n Botnets: Collection of bot computers (infected computers, zombie computers)
n Botnets are the most common malware distribution channel (e.g., DDoS; 70-80% of spam and malware)
v Examples of malicious code: table 4.4 (p.249)
n Potentially unwanted programs (PUPs): Install themselves on a computer without the user’s consent
v Browser parasites: Monitor & change the settings of a user’s home page
v Adware: A PUP that serves pop-up ads to your computer
v Coin/Cryptocurrency miners: Used to facilitate cryptojacking
v Spyware: Obtains information such as a user’s keystrokes, copies of email and instant messages, and even takes screenshots
Slide 4-7
Common Security Threat Techniques: On the Network
n Phishing: Deceptive online attempt to obtain confidential information for financial gain
v Social engineering: Exploits social trust (intimacy) for financial gain
v E-mail scams (fraud)
v Spear phishing: Targeting a known customer of a specific bank or business
v Identity fraud/theft
n Spoofing: Attempts to hide a true identity by using someone else’s email or IP address
n Pharming: Redirecting a web link to an address different from the intended one
n Spam (junk) Web sites: Promise to offer products or services, but in fact are just collections of advertisements
n Denial of service (DoS) attack
v Site flooded with useless traffic to overwhelm network
v Distributed denial of service (DDoS) attack (by using botnets)
n Sniffing
v Eavesdropping program that monitors information traveling over a network
v Email wiretaps (eavesdropping)
v According to the Wiretap Act, it is illegal to intentionally intercept, disclose, or use the contents of any wire, oral, or electronic communication through the use of a device
Slide 4-8
Reasons for Cyber Security Threats
n Insider attacks
n Poorly designed software (i.e., software vulnerability)
v SQL injection attack*:
n SQL injection usually occurs when the system asks a user for input (e.g., their username/user id) and the user enters malicious input that the system unknowingly runs on the database.
v Zero-day vulnerability: Undisclosed SW vulnerability with no existent patch
v Heartbleed bug: Flaw in the OpenSSL encryption library that allowed hackers to decrypt an SSL session and discover user names, passwords, and other user data
n Social network security issues (i.e., Social engineering attack)
n Mobile platform security issues
v Vishing: Calls gullible cellphone users and asks them to call certain numbers and donate money
v Smishing: Exploits SMS/text messages to lead innocent users to a malware site
v Madware: Innocent-looking apps that contain adware
n Cloud security issues
v Many organizations do not thoroughly examine cloud security before deploying cloud services
Slide 4-9
Reference
The original purpose of the code was to create an SQL statement to select a user with a given user id.
If there is nothing to prevent a user from entering "wrong" input on the web, the user can enter some "smart" input like this:
The SQL above is valid and will return ALL rows from the "Users" table, since OR 1=1 is always TRUE.
The SQL statement above is much the same as this:
A hacker might get access to all the user names and passwords in a database by simply inserting 105 OR 1=1 into the input field.
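The SQL injection bullet on slide 4-8 and the reference slide above both describe the same defect: user input pasted into the query text. The following added example (constructed for this page, not the textbook's code) builds a tiny in-memory "Users" table with Python's sqlite3 module and runs the slide's "105 OR 1=1" input through a vulnerable lookup and through a parameterized one, so the difference in returned rows can be observed directly. The table contents and function names are assumptions.

```python
import sqlite3


def make_db():
    # Constructed sample data: a tiny "Users" table like the one on the reference slide.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserId INTEGER, Name TEXT, Password TEXT)")
    conn.executemany(
        "INSERT INTO Users VALUES (?, ?, ?)",
        [(105, "alice", "pw-a"), (106, "bob", "pw-b"), (107, "carol", "pw-c")],
    )
    return conn


def lookup_vulnerable(conn, user_input):
    # The pattern the slides warn about: the user's text is concatenated straight
    # into the statement, so whatever they type is parsed as SQL by the database.
    sql = "SELECT UserId, Name FROM Users WHERE UserId = " + user_input
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_input):
    # Hardened form: the value is bound as a parameter. The database compares the
    # whole string "105 OR 1=1" against UserId instead of executing it, so no row matches.
    sql = "SELECT UserId, Name FROM Users WHERE UserId = ?"
    return conn.execute(sql, (user_input,)).fetchall()


def lookup_validated(conn, user_input):
    # Defence in depth: reject anything that is not a plain integer before the query
    # runs, and still bind the value as a parameter.
    if not user_input.isdigit():
        return []
    sql = "SELECT UserId, Name FROM Users WHERE UserId = ?"
    return conn.execute(sql, (int(user_input),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for text in ("105", "105 OR 1=1"):
        print(repr(text),
              "| vulnerable:", lookup_vulnerable(db, text),
              "| parameterized:", lookup_parameterized(db, text),
              "| validated:", lookup_validated(db, text))
```

Run stand-alone, the script shows the vulnerable lookup returning all three rows for the injected input while both hardened lookups return nothing. The parameterized query alone is sufficient to stop the injection; the validating variant additionally gives the application a place to log and reject malformed input, which is useful for detection.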
Slide 4-10
Reference
Slide 4-11
II. e-Commerce Security (1): Solutions
Slide 4-12
How to Prevent Cybercrimes
n Worldwide, companies spend more than $115 billion on security
hardware, software, services (2018)
v 2017 survey: Average global annualized cost of cybercrime was $11.7 million/year
(US$21 MLN/year in U.S.)
v Underground economy marketplace: Stolen information stored on underground
economy servers
n To achieve highest degree of security
1. New technologies
2. Organizational policies and procedures
3. Industry standards and government laws
n Tension with Other Values
v Ease of Use:
n The more security measures are added, the more difficult a site is to use, and the slower it becomes
v Privacy (against Public safety):
n You want to be anonymous on the Internet.
Slide 4-13
1. Technology Solutions
n Protecting communication contents by encryption
v PKI (Public Key Infrastructure)
v Limitations
§ Doesn’t protect storage of the private key
§ PKI is not effective against insiders and employees
§ Protection of private keys by individuals may be haphazard
§ No guarantee that the merchant’s verifying computer is secure
§ CAs (Certificate Authorities) are unregulated, self-selecting organizations
n Securing channels (i.e., session) of communication
v SSL/TLS (HTTPS = HTTP + SSL/TLS), VPNs, WPA2 (Wi-Fi Protected Access 2)
n Protecting networks
v Firewalls, proxy servers, IDS (Intrusion Detection Systems), IPS (Intrusion Prevention Systems)
v Network separation*
n Protecting servers and clients
v OS security, anti-virus
Slide 4-14
Public Key Cryptography: A Simple Case
Slide 4-15
Public Key Cryptography with Digital Signatures
Slide 4-16
Public Key Cryptography: Creating a Digital Envelope
Slide 4-17
Digital Certificates and Certification Authorities
Slide 4-18
Secure Negotiated Sessions Using SSL/TLS
Slide 4-19
Firewalls and Proxy Servers
Slide 4-20
Network Separation
NIS (National Intelligence Service) Guideline:
• Physical separation: Central government
• Logical separation: Regional governments, public institutions
Physical separation
Advantages: Easy to implement the networks
Disadvantages:
• Too many servers (hard to manage)
• Data transfer between Internet PC and Task PC
• User can sneak out confidential data
• Auxiliary storage device can be used for data theft
Logical separation: CBC (Client-Based Computing)
Advantages: Inexpensive and easy management
Disadvantages:
• Diverse PC environments aggravate compatibility and control
• Hard to control and monitor users
Logical separation: SBC (Server-Based Computing)
Advantages: Easy to control users; can accept diverse PC environments
Disadvantages:
• When the virtual server is attacked from the Internet, tasks can also be affected
Slide 4-21
2. Developing an E-commerce Security Plan:
Management Policies
Slide 4-22
3. The Role of Laws and Public Policy
n Laws that give authorities tools for identifying, tracing, and prosecuting cybercriminals:
v USA Patriot Act
v Homeland Security Act
n Private and private-public cooperation
v US-CERT (Computer Emergency Readiness Team)
n Division of the U.S. Department of Homeland Security that coordinates cyber incident warnings and responses across government and private sectors
v CERT Coordination Center
n Monitors and tracks online criminal activity reported to it by private corporations and government agencies that seek out its help
n Government policies and controls on encryption software
v OECD (Organisation for Economic Co-operation and Development)
v G7/G8 (the heads of state of the top eight industrialized countries in the world)
v Council of Europe
v Wassenaar Arrangement (law enforcement personnel from the top 33 industrialized countries in the world)
Slide 4-23
Reference
U.S. e-Commerce Security Legislation & Regulation
PLUS: Cybersecurity Information Sharing Act (2015): Encourages business and the federal government to share cyber threat information in the interest of national security.
Slide 4-24
III. e-Commerce Payment
Slide 4-25
Major Trends in e-Commerce Payments 2018-19
Slide 4-26
E-commerce Payment Systems
n Bill/Invoice Payment: Electronic Billing Presentment and Payment (EBPP)
v Online payment systems for monthly bills, Over 55% of all bill payments
v Four competing EBPP business models:
n Online banking (dominant model): Chase, Citi, Wells Fargo, etc.
n Biller-direct: Email notification and payment at the merchant’s website (coupons, rewards available): Telephone, utilities, insurance
n Mobile (fastest growing): Apple, Google, PayPal, Facebook
n Consolidator: A third party aggregates all bills for consumers and permits one-stop bill payment – Intuit (Paytrust), Fiserv (MyCheckFree), Mint Bills, PaySimple
v Infrastructure for four EBPP business models:
n Fiserv, Yodlee, FIS Global, ACI Worldwide, MasterCard RPPS (Remote Payment and Presentment Service), EU’s PSD 2 (the Revised Payment Service Directive)
n In U.S., credit and debit cards are primary online payment methods
v Payment Cycle
v Payment Gateway
v PCI-DSS (Payment Card Industry - Data Security Standard) compliance
n Limitations of online credit card payment
v Security, merchant risk
v Cost
v Social equity: Young adults, old adults and poor people who cannot afford the bill payments
Slide 4-27
How an Online Credit Card Transaction Works
Slide 4-28
Alternative Payment Methods used by Consumers in the U.S.
Mobile Wallet
Different types of mobile wallets
• Universal proximity mobile wallets, such as Apple Pay, Google Pay, Samsung Pay, PayPal Mobile
• Branded store proximity wallets, offered by Walmart, Target, Starbucks, others
• P2P mobile payment apps, such as Zelle, Venmo
Desktop + Mobile
Slide 4-29
Blockchain
n Bitcoin (2009) vs. Blockchain:
v Bitcoin is the reward to the first node (i.e., miner) who proves the validity of transactions (i.e., who posts/proposes the new block to the network)
v Limitation: Lack of scalability of blockchain-based applications
n Bitcoin Lightning Network
n Smart Contract (Blockchain 2.0 enabled by Ethereum, 2015):
v “Code is law” (Lessig, 1999) → Autonomy, self-sufficiency, decentralization
n A contract is automatically executed on blockchain if the programmed conditions are met
v Bitcoin is for payment, and Ethereum is a platform for different blockchain projects
n Proof of Work (POW) vs. Proof of Stake (POS)
n The impacts of Blockchain on the incumbent industries
v Initial Coin Offering (ICO)
Slide 4-30
Blockchain Technology
n Blockchain:
v Time-stamping and directly linking each contiguous block on the chain of transactions through hashes
v If the ledger is changed even slightly, the hash proposed to other nodes will not match the hashes in the ledgers of other agents, and the change will be discarded by the consensus of the network
n Cryptographic hashing
v One-way function: it is infeasible to reverse the hash and recover the original input
v The hash function used by Bitcoin is SHA-256, which produces a 256-bit (32-byte) hash, i.e., a string of 64 hexadecimal characters (0-9 and a-f)
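The two bullets above (hash-linked blocks and the rejection of a tampered ledger) are easy to see in code. The following added example, written for this page and not taken from Bitcoin or the textbook, builds a small chain of SHA-256-linked blocks over constructed transactions and then validates it before and after a tampered copy is produced. The block layout, genesis convention and function names are assumptions.

```python
import copy
import hashlib
import json

GENESIS_PREV = "0" * 64   # constructed convention: the first block points at an all-zero hash


def sha256_hex(data: bytes) -> str:
    # SHA-256 -> 256 bits -> 64 hexadecimal characters, as the slide states
    return hashlib.sha256(data).hexdigest()


def block_hash(block: dict) -> str:
    # The hash covers the previous block's hash, the timestamp and the transactions,
    # so each block is chained to its predecessor. sort_keys makes the encoding canonical.
    payload = {k: block[k] for k in ("index", "timestamp", "prev_hash", "transactions")}
    return sha256_hex(json.dumps(payload, sort_keys=True).encode())


def build_chain(tx_batches, start_time=1_700_000_000):
    chain, prev_hash = [], GENESIS_PREV
    for i, txs in enumerate(tx_batches):
        block = {"index": i, "timestamp": start_time + 600 * i,
                 "prev_hash": prev_hash, "transactions": txs}
        block["hash"] = block_hash(block)
        chain.append(block)
        prev_hash = block["hash"]
    return chain


def validate_chain(chain):
    """Return (True, None) if every stored hash matches its block and every link
    points at the previous block's hash; otherwise (False, index of first bad block)."""
    for i, block in enumerate(chain):
        if block["hash"] != block_hash(block):
            return False, i
        expected_prev = GENESIS_PREV if i == 0 else chain[i - 1]["hash"]
        if block["prev_hash"] != expected_prev:
            return False, i
    return True, None


def tampered_copy(chain, index, new_transactions, recompute_hash=False):
    # Deep copy so the honest nodes' ledger is untouched; optionally recompute the
    # edited block's own hash, as a more careful tamperer would.
    forged = copy.deepcopy(chain)
    forged[index]["transactions"] = new_transactions
    if recompute_hash:
        forged[index]["hash"] = block_hash(forged[index])
    return forged


SAMPLE_BATCHES = [   # constructed transactions
    [{"from": "coinbase", "to": "alice", "amount": 50}],
    [{"from": "alice", "to": "bob", "amount": 5}],
    [{"from": "bob", "to": "carol", "amount": 2}],
]

if __name__ == "__main__":
    ledger = build_chain(SAMPLE_BATCHES)
    print("honest ledger:", validate_chain(ledger))
    edited = [{"from": "alice", "to": "bob", "amount": 500}]
    print("amount edited:", validate_chain(tampered_copy(ledger, 1, edited)))
    print("edited and re-hashed:", validate_chain(tampered_copy(ledger, 1, edited, True)))
```

Editing a transaction in block 1 breaks that block's stored hash; re-hashing block 1 instead breaks block 2's prev_hash link, so the forgery is detected one block later. Re-hashing the final block passes this local structural check, which is exactly why the slide's point about other nodes' ledgers and network consensus matters: the forged tail still disagrees with every honest copy of the chain.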
Slide 4-31
Reference
Slide 4-32
Case Discussions
Equifax: Really Big Data Hacked (pp.254-255)
v What organizational and technological failures led to the data breach at Equifax?
v What technical solutions are available to combat data breaches?
v Have you or anyone you know experienced a data breach?
Think Your Smartphone is Secure? (pp.264-265)
v What types of threats do smartphones face?
v Are there any vulnerabilities specific to mobile devices?
v What qualities of apps make them a vulnerable security point in smartphone use?
v Are apps more or less likely to be subject to threats than traditional PC software programs?
Slide 4-33