CIS 451: E-Commerce Security & Payment Systems

Ralph Westfall, July 2009

Reasons for Not Buying Online
- 31% privacy/security (students 28%)
- 28% less customer service (22%)
- 9% not interactive enough (15%)
- 8% high prices (11%)
- 4% can't feel product (4%)
Source: Ahuja, Gupta, Raman (2003); see table at end of report

Need for Security
- “Internet is inherently insecure”
- “crimes can be committed remotely”
- very little evidence for prosecutors to use
- “programs automate hacking”
from Ghosh, 1998

Identity Theft
- 9.9 million identity fraud victims in 2008
- usually not directly related to E-Commerce: email requests for information ("phishing") rather than web site security failures
- women were 26 percent more likely to be victims of identity fraud than men

Key Security Issues (PAIN)
- privacy - messages not read in transit
- authentication - be sure of identity of seller, possibly buyer also
- integrity - messages not changed in transit
- nonrepudiation - neither buyer nor seller can deny they received message

PAIN Security Issue Examples
- Privacy (not intercepted): message from A to B doesn't go to C also
- Authentication (not "spoofed"): message from C doesn't look like it's from A
- Integrity (not modified in transit): A's message not modified by C before B sees it
- Nonrepudiation (can't be denied): B can't say message from A not received, and A can't say response from B not received

Public Key Cryptography
- public key given to anybody, e.g. on e-mail signature
- can find whole public keys at keyserver.net (was down today)
- public key created from private key
- private key is kept secret
- a shorter public "fingerprint" can be created
- software uses a public key to encode data; must have private key to decode message
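As an added illustration (not from the original slides), a toy RSA keypair in Python showing the points above: the public half can be handed to anyone and fingerprinted, the private exponent stays secret, and a message encoded with the public key only comes back with the private key. The primes, the exponent and the message are constructed and far too small to give any real security.

```python
import hashlib
from math import gcd

# Constructed toy parameters: two small primes so the arithmetic is readable.
# Real keys use primes of hundreds of digits; this pair offers no security.
P, Q, E = 61, 53, 17


def make_keypair(p=P, q=Q, e=E):
    """Derive the public key (n, e) and the private key (n, d) from the secret primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to phi(n)")
    d = pow(e, -1, phi)  # private exponent: e * d == 1 (mod phi)
    return (n, e), (n, d)


def fingerprint(public_key):
    """Short public identifier for a key (as PGP prints one): here the first
    16 hex digits of SHA-256 over the textual form "n:e"."""
    n, e = public_key
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()[:16]


def encrypt(public_key, message):
    """Anyone holding the public key can encode a message (an integer below n)."""
    n, e = public_key
    if not 0 <= message < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(message, e, n)


def decrypt(private_key, ciphertext):
    """Only the holder of the private exponent d recovers the message."""
    n, d = private_key
    return pow(ciphertext, d, n)


if __name__ == "__main__":
    public, private = make_keypair()
    print("public key fingerprint:", fingerprint(public))
    c = encrypt(public, 65)
    print("ciphertext:", c, "-> decrypted:", decrypt(private, c))
```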

Pretty Good Privacy (PGP)
- uses public key cryptography
- free 30-day trial version
- GnuPG is a freeware replacement
- don't lose your keys!
- government filed lawsuit against author
- corporate products for business security: e-mail, file transfer, etc., electronic commerce

Digital Certificate
- key element in most security schemes
- adds an attachment to an electronic message that verifies the identity of sender
- provides key to receiver to encode reply
- issued by a "certificate authority" (CA)
- confirms identity of person/organization

Certificate Authority
- trusted 3rd party (not buyer or seller), usually a bank, credit card company, etc.
- issues digital certificates
- creates digital signatures and public/private key pairs
- guarantees identity of certificate holder

Some Certificate Authorities
- Verisign
- Thawte (21 day free trial)
- InstantSSL (free certificate, but have to subscribe to a Root Authority later)
- guide to use

S/MIME
- secure extension to MIME specification
- Multipurpose Internet Mail Extensions is the standard that makes it possible to include images, HTML formatting etc. in email
- built into many email readers: Outlook, Outlook Express, Apple Mail, etc.
- MIME security problems in past

OpenPGP
- nonproprietary protocol for encrypting email and messages
- can be used by any company without paying licensing fees
- bought back from Network Associates in 2002
- offers an alternative to S/MIME
- some vendors are implementing both in their software

Image Recognition Tests
- CAPTCHA - completely automated public Turing test to tell computers and humans apart
- designed to foil software programs (bots) that get data from web sites
- very difficult for software to identify characters but not so hard for humans
- email unsubscribe example

Security Protocols and Systems
- SSL - secure sockets layer
- SET - secure electronic transactions
- Cybercash

SSL - Secure Sockets Layer
- from Netscape, built into their browsers
- uses public key cryptography
- 40 or 128 bit keys (every extra bit doubles the security, e.g., 10 bits more ≈ x 1000)
- authenticates that data comes from URL address requested by user, not from another site pretending to be that site
- ensures that data isn’t changed in transit

Secure Sockets Layer - 2
- need to enable and configure SSL on server: Netscape server, or using Netscape’s SSLRef program library
- an ISP can handle this for you
- need to identify specific pages requiring SSL access: web address starts with https (S is for secure; see Blackboard login, etc.)
- web page author implements this

Secure Sockets Layer - 3
- need to get a “certificate”
- certificate proves identity of your company
- Verisign charges $399 for retail sites (40 bits, 1 year, $100,000 loss coverage)
- search for organizations with certificates
- certificates not popular with consumers; use passwords instead on your site to verify customers’ identities

Secure Sockets Layer - 4
- advantages: established in marketplace; relatively inexpensive; doesn't require anything special from user
- disadvantage: extra processing slows down server

Microsoft's Windows Live ID
- formerly called Passport Network
- electronic "wallet" for card number, name, address and other information
- automates purchase: user doesn't have to type in much information
- free to consumers
- .NET Passport supposedly has a lot of users; have to sign up to use new MS software
- eBay stopped accepting it at end of 2004; do you know anybody actually using it?
- security problem in 2003
- Microsoft also used to offer a Kids Passport for parental control of release of information

Liberty Alliance
- an alternative to Microsoft's proprietary approach to Passport
- participating organizations can maintain their own data rather than letting Microsoft hold it
- is an "open standards" approach
- currently emphasizing preventing identity theft

Cybercash
- concept was to make it possible to get a little bit of money from a lot of customers: 1¢ x 1 million customers = $10,000
- up to this point, can't cost effectively process lots of very small transactions
- PayPal doesn't handle really small transactions, but is strong in this niche

PayPal
- lets users pay by email
- strong relationship with E-Bay (online auctions), then bought by E-Bay
- handles eighteen currencies worldwide
- 50 million accounts
- free personal use, but businesses receiving payments are charged a fee: fixed 30 cents and 1.9-2.9 % of amount

PayPal Vulnerabilities?
- use by organized crime led to fines and being prohibited for a while in some states
- at one time could be hacked so that buyers could reduce item prices or get software for free
- one vendor is selling a proposed solution to the above vulnerabilities

Mobile Payments
- buy things via a mobile device, using cell phone number as password
- usually involve "virtual goods": music, games, etc.
- very cheap when sold in large volumes; typically sell for around $2 or less
- phone carrier may get up to half of cost
- Investors Bet on Payments via Cellphone

Common E-Commerce Security Vulnerabilities
SQL injection
- attack includes SQL syntax characters (e.g., single quote) or keywords in user inputs
- error messages may reveal ways to access restricted pages
- Guess.com and Petco.com sites were found to be vulnerable to such attacks
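An added Python example (not part of the original slides) of the pattern behind this slide, using a constructed SQLite customer table: a query built by string concatenation breaks on a legitimate name that happens to contain a single quote and surfaces a database error message to the caller, while a parameterised query treats the quote as plain data.

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny customer table in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customers (name, email) VALUES (?, ?)",
        [("Alice Smith", "alice@example.com"), ("Tom O'Brien", "tom@example.com")],
    )
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable pattern: the user's input is pasted into the SQL text.

    A single quote in the input ends the string literal early, so the rest of
    the input is read as SQL syntax. The database error that results is the
    kind of message the slide describes as revealing internals."""
    sql = "SELECT email FROM customers WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """Hardened pattern: a parameterised query.

    The driver sends the value separately from the SQL text, so quote
    characters in the input are just data and the query cannot change shape."""
    sql = "SELECT email FROM customers WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def error_exposed(conn, name):
    """Return the database error text the unsafe lookup would surface, or None."""
    try:
        lookup_unsafe(conn, name)
    except sqlite3.Error as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    db = make_db()
    print("safe lookup:", lookup_safe(db, "Tom O'Brien"))
    print("unsafe lookup error:", error_exposed(db, "Tom O'Brien"))
```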

Security Vulnerabilities - 2
- total cost of order can be reduced
- payment confirmation page holds total cost in an HTML hidden field
- a "web application proxy" can change the data sent back to the server, so that when user confirms transaction, the amount is less than actual cost (free web application proxy security tool)
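Added example (not from the slides) of the defence against the hidden-field problem above, in Python with a constructed catalogue: the server recomputes the order total from its own price list and refuses a submitted total that disagrees, and for hidden fields that genuinely must round-trip through the browser an HMAC tag lets the server detect that a value was altered. CATALOG, SECRET and the form dictionaries are constructed for the example.

```python
import hashlib
import hmac
from decimal import Decimal, InvalidOperation

# Constructed server-side price list: the only source of prices the server trusts.
CATALOG = {"SKU-100": Decimal("49.99"), "SKU-200": Decimal("15.00")}
# Placeholder signing key; a real deployment loads this from server-side configuration.
SECRET = b"constructed-demo-key"


def order_total(items):
    """Recompute the total from the catalogue; `items` maps SKU -> quantity."""
    return sum((CATALOG[sku] * qty for sku, qty in items.items()), Decimal("0"))


def confirm_unsafe(form):
    """Vulnerable pattern: bill whatever total the hidden field carried back."""
    return Decimal(form["total"])


def confirm_safe(form, items):
    """Hardened pattern: recompute and refuse a total that disagrees.

    Returns the verified total, or None when the submitted value was altered
    or is not a number at all."""
    try:
        submitted = Decimal(form["total"])
    except (InvalidOperation, KeyError):
        return None
    expected = order_total(items)
    return expected if submitted == expected else None


def sign_field(value):
    """HMAC tag for a hidden-field value that must round-trip through the browser."""
    return hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()


def verify_field(value, tag):
    """True only if the value came back with the tag the server issued for it."""
    return hmac.compare_digest(sign_field(value), tag)


if __name__ == "__main__":
    cart = {"SKU-100": 1, "SKU-200": 2}
    tampered = {"total": "1.00"}  # constructed: lowered by a proxy on the way back
    print("unsafe handler bills:", confirm_unsafe(tampered))
    print("safe handler accepts:", confirm_safe(tampered, cart))
```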

Security Vulnerabilities - 3
- buffer overflows (e.g., caused by pasting a lot of text [6000+ bytes] into a text box) may print error messages that reveal path to specific code functions that can be used to hack into sites

Security Vulnerabilities - 4
- cross-site scripting inserts script (e.g., JavaScript) into text that is sent back to a new web page
- for example, a search engine sends the keywords back with the results page
- script could be used to get information from a cookie on user's machine
- or user might be redirected to a "phishing" web site and asked for password

Exercise
- test some online forms: eCommerce, mortgage refinancing, etc.
- include "special characters" in inputs: ' (single quote), " (double), < (HTML), <% (ASP), <? (XML), \ (escape), +, ? or * (wild card characters), & (concatenation), @ (email or compiler directive), others?
- report back on what happened
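Added Python example (not from the slides) that ties the search-results scenario in Security Vulnerabilities - 4 to the character list in the exercise: a results page that echoes the keywords raw beside one that HTML-encodes them, plus a self-check that feeds the exercise's special characters through a renderer and reports which come back as live markup. The page template and the sample search term are constructed.

```python
import html

# The "special characters" listed in the exercise slide.
SPECIAL_INPUTS = ["'", '"', "<", "<%", "<?", "\\", "+", "?", "*", "&", "@"]
# Constructed sample search term that contains markup.
SAMPLE_TERM = "<b>shoes</b>"
PREFIX, SUFFIX = "<p>Results for: ", "</p>"


def results_page_unsafe(keywords):
    """Vulnerable: keywords are echoed into the page as-is, so any markup
    (and any script) they contain is interpreted by the browser."""
    return PREFIX + keywords + SUFFIX


def results_page_safe(keywords):
    """Hardened: HTML-encode on output; the browser displays the text literally."""
    return PREFIX + html.escape(keywords, quote=True) + SUFFIX


def echoed_text(page):
    """The slice of the page that came from user input."""
    return page[len(PREFIX):len(page) - len(SUFFIX)]


def leaks_markup(render, text):
    """True if the echoed input still contains raw markup-significant characters."""
    return any(ch in echoed_text(render(text)) for ch in "<>\"'")


def leaking_inputs(render):
    """Run the exercise's character list through a renderer; return the ones that leak."""
    return [s for s in SPECIAL_INPUTS if leaks_markup(render, s)]


def round_trips(render, text):
    """True if decoding the echoed output recovers the original input (nothing is lost)."""
    return html.unescape(echoed_text(render(text))) == text


if __name__ == "__main__":
    print("unsafe renderer leaks:", leaking_inputs(results_page_unsafe))
    print("safe renderer leaks:", leaking_inputs(results_page_safe))
    print("safe output for sample term:", results_page_safe(SAMPLE_TERM))
```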

References
Ahuja, A., Gupta, B., and Raman, P., "An Empirical Investigation of Online Consumer Purchasing Behavior," Communications of the ACM, December 2003, pp. 145-151.
Dembeck, C., "Online Credit Card Security Fears Waning, But Still a Factor," E-Commerce Times, March 8, 2000.
Ghosh, A. K., "Security in Internet Electronic Commerce," invited presentation to Defending Cyberspace '98, September 24, 1998, Washington, D.C.
Internet Marketing Center, "Enabling Technologies: Encryption Overview," Internet Marketing Center.
Mookey, K. H., "Common Security Vulnerabilities in e-commerce Systems," Security Focus, April 26, 2004.