1. What is e-commerce security and why is it important?
2. How to identify threats to e-commerce?
3. How to determine ways to protect e-commerce from those threats?
4. What are electronic payment systems?
5. What are the security requirements for electronic payment systems?
6. What security measures are used to meet these requirements?
WHAT IS E-COMMERCE SECURITY
E-commerce security is the protection of e-commerce assets from unauthorized access, use, alteration, or destruction.
6 dimensions of e-commerce security (Table 5.1)
1. Integrity: prevention of unauthorized data modification
2. Nonrepudiation: prevention of any party from reneging on an agreement after the fact
3. Authenticity: authentication of the data source
4. Confidentiality: protection against unauthorized data disclosure
5. Privacy: provision of control over the collection and disclosure of personal data
6. Availability: prevention of data delays or removal
E-COMMERCE THREATS (Figure 5.4)
Threats: anyone with the capability, technology, opportunity, and intent to do harm. Potential threats can be foreign or domestic, internal or external, state-sponsored or a single rogue element. Terrorists, insiders, disgruntled employees, and hackers are included in this profile (President's Commission on Critical Infrastructure Protection).
Threat categories reported in the 2001 Information Security Industry Survey (Figure 5.4):
– Loss of privacy/confidentiality, data misuse/abuse
– Cracking, eavesdropping, spoofing, rootkits
– Viruses, Trojans, worms, hostile ActiveX and Java
– System unavailability, denial of service, natural disasters, power interruptions
1. Intellectual property threats -- use of existing materials found on the Internet without the owner's permission, e.g., music downloading, domain-name cybersquatting, software piracy
2. Client computer threats
– Trojan horse
– Active content (e.g., hostile ActiveX controls, Java applets, or scripts executed by the browser)
3. Communication channel threats
– Sniffer program (passively captures traffic in transit; defeats confidentiality unless the channel is encrypted)
4. Server threats
– Privilege setting (over-privileged server processes or accounts)
– Server Side Include (SSI), Common Gateway Interface (CGI)
– File transfer
COUNTERMEASURE (Figure 5.5)
A procedure that recognizes, reduces, or eliminates a threat
1. Intellectual property protection
2. Client computer protection
– Privacy -- Cookie blockers; Anonymizer
– Digital certificate (Figure 5.9)
– Browser protection
– Antivirus software
– Computer forensics expert
3. Communication channel protection
– Encryption
* Public-key (asymmetric) encryption vs. private-key (symmetric) encryption (Figure 5-6)
* Encryption standards: Data Encryption Standard (DES; 56-bit key, now considered insecure and superseded), Advanced Encryption Standard (AES)
– Protocol
* Secure Sockets Layer (SSL) (Figure 5.10); superseded in practice by Transport Layer Security (TLS)
* Secure HyperText Transfer Protocol (S-HTTP); never widely adopted
– Digital signature (Figure 5-7)
Binds the message originator to the exact contents of the message:
– A hash function is used to transform the message into a fixed-length message digest (128 bits for MD5, as in the textbook description; MD5 is now broken for this use and current systems use SHA-256 or stronger)
– The sender's private key is used to sign the digest (in textbook RSA this is described as "encrypting" the digest with the private key); the result is the digital signature
– The message + signature are sent to the receiver
– The recipient uses the same hash function to recalculate the message digest
– The sender's public key is used to recover the digest from the signature (RSA "decrypt")
– Check whether the recalculated digest = recovered digest; a mismatch means the message was altered in transit or the signature was not produced with the matching private key
4. Server protection
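The sign-then-verify procedure above, carried through end to end as an added example (not code from the textbook). It uses textbook RSA on a SHA-256 digest, which is exactly the "encrypt the digest with the private key, decrypt with the public key" description above. The key is an assumption chosen so the block runs offline with only the Python standard library: the primes are fixed Mersenne primes, which makes the modulus trivially factorable, so this key is a toy for illustration only; a real deployment uses randomly generated primes, a padding scheme such as RSA-PSS, and a vetted library.

```python
import hashlib

# Toy RSA key (ASSUMPTION, for illustration only): two Mersenne primes so the
# example is self-contained. A real key uses two random primes of ~1024 bits
# or more, and a library that applies PSS or PKCS#1 v1.5 padding.
P = (1 << 521) - 1
Q = (1 << 127) - 1
N = P * Q                       # public modulus (~648 bits, larger than a 256-bit digest)
E = 65537                       # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, E^-1 mod phi(N)

PUBLIC_KEY = (E, N)
PRIVATE_KEY = (D, N)


def digest(message: bytes) -> int:
    """Step 1: hash the message into a fixed-length digest (SHA-256, 256 bits)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key) -> int:
    """Step 2: 'encrypt' the digest with the sender's private key -> signature."""
    d, n = private_key
    return pow(digest(message), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Steps 4-6: recompute the digest, 'decrypt' the signature with the sender's
    public key, and compare. Any change to message or signature breaks equality."""
    e, n = public_key
    recovered = pow(signature, e, n)
    return recovered == digest(message)


def send(message: bytes, private_key):
    """Step 3: what actually travels over the channel: message + signature."""
    return (message, sign(message, private_key))


def receive(transmitted, public_key) -> bool:
    """Receiver side: returns True only for an unmodified, correctly signed message."""
    message, signature = transmitted
    return verify(message, signature, public_key)


if __name__ == "__main__":
    # Constructed sample order; the attacker variants alter the amount or the signature.
    order = b"order#1001: pay 100.00 USD to merchant 4711"
    wire = send(order, PRIVATE_KEY)
    print("genuine:", receive(wire, PUBLIC_KEY))                          # True
    tampered = (b"order#1001: pay 900.00 USD to merchant 4711", wire[1])
    print("amount changed in transit:", receive(tampered, PUBLIC_KEY))    # False
    forged = (order, wire[1] + 1)
    print("signature altered:", receive(forged, PUBLIC_KEY))              # False
```

Because only the holder of `PRIVATE_KEY` can produce a value that the public key maps back to the digest, a valid signature gives the receiver both integrity (the content was not altered) and nonrepudiation (the sender cannot later deny having signed it), which is why the signature is listed under both the communication-channel and the server-protection countermeasures.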
– Access control and authentication
* Digital signature from user
* Username and password
* Access control list
– Firewalls (Figure 5.11)
International Computer Security Association's classification: · Packet filter firewall: checks IP address of incoming packet and rejects anything that does not match the list of trusted addresses (prone to IP spoofing) ·...
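A minimal packet filter, added here as an example that is not from the textbook, to make the "prone to IP spoofing" remark concrete. Rules are first-match-wins with an implicit deny, as in most packet-filter firewalls. The rule sets, addresses and interface names are constructed for the example: a naive address-only rule set lets a packet arriving on the external interface with a forged internal source address reach SSH, while the hardened set adds an ingress anti-spoofing rule (deny internal source addresses arriving on the external interface, the RFC 2827 practice) ahead of it.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str        # source IP address as written in the packet header (attacker-controlled)
    dst: str        # destination IP address
    proto: str      # "tcp" or "udp"
    dport: int      # destination port
    iface: str      # interface the packet arrived on ("wan" or "lan"); not forgeable remotely


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    src: str                        # CIDR the packet's source address must fall in
    proto: Optional[str] = None     # None matches any protocol
    dport: Optional[int] = None     # None matches any destination port
    iface: Optional[str] = None     # None matches any ingress interface

    def matches(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.iface is not None and self.iface != pkt.iface:
            return False
        return True


def filter_packet(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule decides; anything unmatched is denied."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed example policy: the management LAN 192.168.10.0/24 may reach SSH,
# anyone may reach HTTPS. The naive set trusts the source address alone.
NAIVE_RULES = [
    Rule("allow", "192.168.10.0/24", "tcp", 22),
    Rule("allow", "0.0.0.0/0", "tcp", 443),
    Rule("deny", "0.0.0.0/0"),
]

# Hardened set: a packet claiming a management-LAN source address can only be
# genuine if it arrived on the LAN interface, so drop such packets seen on "wan".
HARDENED_RULES = [
    Rule("deny", "192.168.10.0/24", iface="wan"),
] + NAIVE_RULES


if __name__ == "__main__":
    server = "10.0.0.1"
    legit = Packet("192.168.10.5", server, "tcp", 22, "lan")
    spoofed = Packet("192.168.10.5", server, "tcp", 22, "wan")   # forged source address
    outsider = Packet("203.0.113.7", server, "tcp", 22, "wan")
    for name, rules in (("naive", NAIVE_RULES), ("hardened", HARDENED_RULES)):
        print(name, "legit:", filter_packet(rules, legit),
              "spoofed:", filter_packet(rules, spoofed),
              "outsider:", filter_packet(rules, outsider))
```

The point the example makes: a packet filter sees only header fields, and the source address is whatever the sender wrote. What it cannot forge is which interface the packet came in on, so the anti-spoofing rule keys on that. Even so, a packet filter says nothing about the authenticity of the user behind the packet; that is what the access-control and digital-signature measures above are for.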