1. E-COMMERCE PAYMENT SYSTEM
1.1. ONLINE CREDIT CARD TRANSACTIONS
1.1.1. Credit Card E-commerce Enablers
1.1.1.1. Internet payment service can provide both a merchant account and the software tools.
1.1.1.2. Authorize.net is an Internet payment sevices provider helps a merchant secure an account.
1.1.1.3. CyverSource is another well-known Internet payment service provider.
1.1.2. Limitations of Online Credit Card Payment Systems.
1.1.2.1. most importance :- security, merchant risk, administrative, transaction costs, social equity.
1.1.2.2. merchant designed to collect credit card numbers and the consumer could be a theif using stolen.
1.1.2.3. administrative costs of setting up an online credit card system and becoming authorized to accept credit cards.
1.2. ALTERNATIVE ONLINE PAYMENT SYSTEMS
1.2.1. online stored value payment system is permit consumers to make instant, online payment to merchant.
1.2.2. PayPal is the most commonly used online credit/debit card alternative.
1.2.3. Amazon Payments is aimed at consumer who have entrusting their credit card information.
1.2.4. Bill Me Later(eBay) appeals to consumers who do not wish to enter their credit card information online.
1.3. MOBILE PAYMENT SYSTEM: YOUR SMARTPHONE WALLET
1.3.1. Near field communication (NFC) is one of the enabling technologies for mobile payment systems.
1.4. DIGITAL CASH ANFD VIRTUAL CURRENCIES
1.4.1. Digital cash an alternative payment system in which unique, authenticated tokens represent cash value.
1.4.2. Virtual currency typically circulates within an internal virtual world community or is issued by a specific corporate entitty, and used to purchase virtual goods.
2. MANAGEMENT POLICIES,BUSINESS PROCEDURE,AND PUBLIC LAWS.
2.1. A SECURITY PLAN
2.1.1. 1)PERFOME A RISK ASSESMENT
2.1.1.1. an assesment of the risk and points of vulnerability.
2.1.2. 2)DEVELOP A SECURITY POLICY
2.1.2.1. can develop based on quantities list of risks
2.1.3. 3)DEVELOP AN IMPLEMENTATION
2.1.3.1. steps on you will take to achieve the security plan of risks.
2.1.4. 4)CREATE A SECURITY ORGANIZATION
2.1.4.1. to implementation your plan
2.1.4.2. to educates & train users keeps,management aware of securoty threats
2.1.5. 5)PERFORM A SECURITY AUDIT
2.1.5.1. involves routine review of access logs.
2.2. THE ROLE OF LAWS & PUBLIC POLICY
2.2.1. Private and Private-Public Cooperation Efforts
2.2.1.1. example:CERT Coordination Centre
2.2.2. Government Policies and Controls on Encryption Software
2.2.2.1. Various governments have proposed schemes for controlling encryption software or at least preventing criminals from obtaining strong encryption tools
3. PAYMENT SYSTEMS
3.1. TYPES OF PAYMENT
3.1.1. Cash
3.1.1.1. legal tender defined by a national authority to represent value
3.1.2. Checking Transfer
3.1.2.1. funds transferred directly via a signed draft or check from a consumer’s checking account to a merchant or other individual
3.1.3. Credit Card
3.1.3.1. Credit card associations
3.1.3.1.1. represents an account that extends credit to consumers, permits consumers to purchase items while deferring payment
3.1.4. Stored Value
3.1.4.1. account created by depositing funds into an account and from which funds are paid out or withdrawn as needed
3.1.4.1.1. debit card
3.1.5. Accumulating Balance
3.1.5.1. account that accumulates expenditures and to which consumers make periodic payments
3.2. PAYMENT SYSTEM STAKEHOLDER
3.2.1. CONSUMERS
3.2.1.1. low-risk,
3.2.1.2. Low-cost,
3.2.1.3. refutable
3.2.1.4. convenient
3.2.1.5. reliable payment mechanisms
3.2.2. MERCHANTS
3.2.2.1. low-risk
3.2.2.2. low-cost
3.2.2.3. irrefutable
3.2.2.4. secure
3.2.2.5. reliable payment mechanisms
3.2.3. FINANCIAL INTERMEDIARIES
3.2.3.1. secure payment systems that transfer risks and costs to consumers and merchants, while maximizing transaction fees payable to themselves
3.2.4. GOVERNMENT REGULATORS
3.2.4.1. in maintaining trust in the financial system
4. ELECTRONIC BILLING PRESENTMENT AND PAYMENT
4.1. system that enable the online delivery and payment of monthly bills. it also allow consumer to view bill electronically and pay them through electronic funds transfers from bank or credit card accounts.
4.1.1. MARKET SIZE AND GROWTH
4.1.1.1. Bitcoin is a form of digital currency, created and held electronically. No one controls it.
4.1.1.1.1. allow businesses to take and make payments much more easily than through channels like PayPal and credit cards.
4.1.1.1.2. designed to simulate mining for gold and to slowly increase the supply in the market.
4.1.1.1.3. consumer are also becoming more receptive to online bill payment, particularly via mobile device.
4.1.2. EBPP BUSINESS MODELS
4.1.2.1. biller direct
4.1.2.1.1. biller-direct system was originally created by utility companies that send millions of bills routinely online.
4.1.2.2. consolidator
4.1.2.2.1. consolidator model, third party such as a financial institution or a focused portal.
5. THE E-COMMERCE SECURITY ENVIRONMENT
5.1. DIMENSIONS OF E-COMMERCE SECURITY
5.1.1. Integrity
5.1.1.1. The ability to ensure that information being displayed on a Web site or transmitted or received over the Internet has not been altered in any way by an unauthorized party
5.1.2. Nonrepudiation
5.1.2.1. The ability to ensure that e-commerce participants do not deny (i.e., repudiate) their online actions
5.1.3. Authenticity
5.1.3.1. The ability to identify the identity of a person or entity with whom you are dealing on the Internet
5.1.4. Confidentiality
5.1.4.1. The ability to ensure that messages and data are available only to those who are authorized to view them
5.1.5. Privacy
5.1.5.1. The ability to control the use of information about oneself
5.1.6. Availability
5.1.6.1. The ability to ensure that an e-commerce site continues to function as intended
5.2. THE TENSION BETWEEN SECURITY AND OTHER VALUES
5.2.1. Ease of Use
5.2.1.1. The more security measures added to an e-commerce site, the more difficult it is to use and the slower the site becomes
5.2.1.2. Digital security is purchased at the price of slowing down processors and adding significantly to data storage demands on storage devices
5.2.2. Public Safety and the Criminal Uses of the Internet
5.2.2.1. Encrypted files sent via e-mail were used by Ramzi Yousef
5.2.2.1.1. to hide plans for bombing 11 U.S. airliners
5.2.2.1.2. the Internet was also used to plan and coordinate the subsequent attacks
5.2.2.2. The case of Umar Farouk Abdulmutallab
5.2.2.2.1. make effective use of the Internet to radicalize, recruit, train, and coordinate youthful terrorists
5.2.2.2.2. allegedly attempted to blow up an American airliner
5.2.2.3. National Security Administration contractor Edward Snowden
5.2.2.3.1. release of classified NSA documents that revealed that the NSA had obtained access to the servers
5.2.2.3.2. NSA analysts have been searching e-mail, online chats, and browsing histories of U.S. citizens without any court approval
5.2.2.4. The U.S. government
5.2.2.4.1. informal tapping of telegraph wires
5.2.2.4.2. the first police wiretaps of local telephone systems were in place
5.3. Cyber crime against e-commerce sites is dynamic and changing all the time, with new risks appearing often
5.3.1. The amount of losses to businesses appears to be significant but stable
5.3.2. may represent a declining percentage of overall sales
5.3.3. firms have invested in security measures to protect against the simplest crimes
5.4. E-COMMERCE SECURITY
5.4.1. New technologies are available and should be used
5.4.1.1. These technologies by themselves do not solve the problem
5.4.1.2. Organizational policies and procedures are required to ensure the technologies are not subverted
5.4.1.3. Industry standards and government laws are required to enforce payment mechanisms
5.4.1.4. Investigate and prosecute violators of laws designed to protect the transfer of property in commercial transactions
6. TECHNOLOGY SOLUTION
6.1. PROTECTING INTERNET COMMUNICATIONS
6.1.1. Encryption
6.1.1.1. the process of transforming plain text or data into cipher text that cannot be read by anyone other than the sender and the receiver
6.1.1.1.1. purpose of encryption is (a) to secure stored information and (b) to secure information transmission
6.1.2. Symmetric Key Encryption
6.1.2.1. both the sender and the receiver use the same key to encrypt and decrypt the message
6.1.3. Public Key Encryption
6.1.3.1. The mathematical algorithms used to produce the keys are one-way functions. A one-way irreversible mathematical function is one in which, once the algorithm is applied, the input cannot be subsequently derived from the output.
6.1.3.2. based on the idea of irreversible mathematical functions. The keys are sufficiently long (128, 256, and 512 bits) that it would take enormous computing power to derive one key from the other using the largest and fastest computers available
6.1.3.3. two mathematically related digital keys are used: a public key and a private key. The private key is kept secret by the owner, and the public key is widely disseminated. Both keys can be used to encrypt and decrypt a message. However, once the keys are used to encrypt a message, that same key cannot be used to unencrypt the message
6.1.4. Public Key Encryption Using Digital Signatures and Hash Digests
6.1.4.1. digital signature (e-signature) “signed” cipher text that can be sent over the Internet
6.1.4.2. hash function an algorithm that produces a fixed-length number called a hash or message digest
6.1.5. Digital Envelopes
6.1.5.1. a technique that uses symmetric encryption for large documents, but public key encryption to encrypt and send the symmetric key
6.1.6. Digital Certificates and Public Key Infrastructure (PKI)
6.1.6.1. a digital document issued by a certification authority that contains the name of the subject or company, the subject’s public key, a digital certificate serial number, an expiration date, an issuance date, the digital signature of the certification authority, and other identifying information
6.1.6.2. certification authority (CA) a trusted third party that issues digital certificates
6.1.6.3. public key infrastructure (PKI) - CAs and digital certificate procedures that are accepted by all parties
6.1.6.4. Pretty Good Privacy (PGP) - a widely used e-mail public key encryption software program
6.1.7. Limitations to Encryption Solutions
6.1.7.1. PKI applies mainly to protecting messages in transit on the Internet and is not effective against insiders—employees—who have legitimate access to corporate systems including customer information.
6.1.7.2. Most e-commerce sites do not store customer information in encrypted form
6.1.7.3. no guarantee the person using your computer—and your private key—is really you
6.1.7.4. there is no guarantee the verifying computer of the merchant is secure
6.2. SECURING CHANNELS OF COMMUNICATIONS
6.2.1. Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
6.2.1.1. secure negotiated session - a client-server session in which the URL of the requested document, along with the contents, contents of forms, and the cookies exchanged, are encrypted
6.2.1.2. session key - a unique symmetric encryption key chosen for a single secure session
6.2.2. Virtual Private Networks (VPNs)
6.2.2.1. allows remote users to securely access internal networks via the Internet, using the Point-to-Point Tunneling Protocol (PPTP)
6.2.2.2. primary use of VPNs is to establish secure communications among business partners—larger suppliers or customers, and employees working remotely
6.2.2.3. Using the Internet and VPN as the connection method significantly reduces the cost of secure communications
6.2.3. Wireless (Wi-Fi) Networks
6.2.3.1. Wi-Fi networks used a security standard called Wired Equivalent Privacy (WEP) to encrypt information
6.2.3.1.1. WEP was very weak, and easy for hackers to crack
6.2.3.2. Wi-Fi Protected Access (WPA) was developed that provided a higher standard of protection, but this too soon became vulnerable to intrusion
6.2.3.3. the current standard is WPA2
6.2.3.3.1. WPA2 - wireless security standard that uses the AES algorithm for encryption and CCMP, a more advanced authentication code protocol
6.3. PROTECTING NETWORKS
6.3.1. Firewalls
6.3.1.1. refers to either hardware or software that filters communication packets and prevents some packets from entering the network based on a security policy
6.3.1.2. controls traffic to and from servers and clients, forbidding communications from untrustworthy sources, and allowing other communications from trusted sources to proceed
6.3.1.3. can filter traffic based on packet attributes such as source IP address, destination port or IP address, type of service (such as WWW or HTTP), the domain name of the source, and many other dimensions
6.3.1.4. increasing use of firewalls by home and business Internet users has greatly reduced the effectiveness of attacks, and forced hackers to focus more on e-mail attachments to distribute worms and viruses
6.3.2. Proxy Servers
6.3.2.1. software server that handles all communications originating from or being sent to the Internet, acting as a spokesperson or bodyguard for the organization
6.3.2.2. sometimes called dual-home systems because they have two network interfaces
6.3.2.3. To internal computers, a proxy server is known as the gateway, while to external computers it is known as a mail server or numeric address.
6.3.2.4. . The proxy server validates the user and the nature of the request, and then sends the request onto the Internet
6.3.2.5. improve Web performance by storing frequently requested Web pages locally, reducing upload times, and hiding the internal network’s address
6.3.3. Intrusion Detection and Prevention Systems
6.3.3.1. IDS - examines network traffic, watching to see if it matches certain patterns or preconfigured rules indicative of an attack
6.3.3.2. IPS - has all the functionality of an IDS, with the additional ability to take steps to prevent and block suspicious activities
6.4. PROTECTING SERVERS AND CLIENTS
6.4.1. Operating System Security Enhancements
6.4.1.1. most obvious way to protect servers and clients is to take advantage of automatic computer security upgrades
6.4.1.2. e. The most common known worms and viruses can be prevented by simply keeping your server and client operating systems and applications up to date
6.4.2. Anti-Virus Software
6.4.2.1. The easiest and least-expensive way to prevent threats to system integrity is to install anti-virus software
6.4.2.2. identify and eradicate the most common types of malicious code as they enter a computer, as well as destroy those already lurking on a hard drive
6.4.2.3. Anti-virus suite packages and stand-alone programs are available to eliminate intruders such as bot programs, adware, and other security risks
7. Security Threats in the E-commerce Environment
7.1. Malicious Code
7.1.1. Malicious code (sometimes referred to as “malware”) includes a variety of threats such as viruses, worms, Trojan horses, ransomware, and bots.
7.2. Potentially Unwanted Programs (pups)
7.2.1. the e-commerce security environment is further challenged by potentially unwanted programs (PUPs).
7.3. Hacking, Cybervandalism, Hacktivism, and Data Breaches
7.3.1. A hacker is an individual who intends to gain unauthorized access to a computer system.
7.3.2. hackers have malicious intentions to disrupt, deface, or destroy sites (cybervandalism) or to steal personal or corporate information they can use for financial gain (data breach).
7.3.3. Hacktivism adds a political twist. Hacktivists typically attack governments, organizations, and even individuals for political purpose.
7.3.4. A data breach occurs whenever organizations lose control over corporate information to outsiders.
7.4. Credit Card Fraud/theft
7.4.1. Theft of credit card data is one of the most feared occurrences on the Internet.
7.5. Spoofing, Pharming, and Spam (Junk) Web Sites
7.5.1. Spoofing involves attempting to hide a true identity by using someone else’s e-mail or IP address
7.5.2. Spam (junk) Web sites (also sometimes referred to as link farms) are a little different
7.6. Identity Fraud
7.6.1. Identity fraud involves the unauthorized use of another person’s personal data.
7.7. Denial of Service (DOS) and Distributed Denial of Service (DDOS) AttackS
7.7.1. A Distributed Denial of Service (DDoS) attack uses hundreds or even thousands of computers to attack the target network from numerous launch points.
7.7.2. In a Denial of Service (DoS) attack, hackers flood a Web site with useless pings or page requests that inundate and overwhelm the site’s Web servers
7.8. Sniffing
7.8.1. A sniffer is a type of eavesdropping program that monitors information traveling over a network.
7.9. Poorly Designed Server and Client Software
7.9.1. Many security threats prey on poorly designed server and client software.
7.10. Social Network Security Issues
7.10.1. Social networks like Facebook, Twitter, LinkedIn, Pinterest, and Tumblr.
7.11. Cloud Security Issues
7.11.1. The move of so many Internet services into the cloud also raises security risks.