E-Commerce Infrastructure


Learning Objectives

1. Understand the major components of EC infrastructure.
2. Understand the importance and scope of security of information systems for EC.
3. Learn about the major EC security
4. Identify and assess major technologies and methods for securing EC access and communications.
5. Describe various types of online payment.

Copyright © 2012 Pearson Education, Inc. Publishing as Prentice Hall


The Information Security Problem

Information Security: Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.

Security is needed for:

- Personal information
- Financial information
- Business information
- National information


EC Security Threats and Attacks

There are many threats to EC security:

Virus: A piece of software code that inserts itself into a program (host) and changes the action of that program.

Worm: A software program that runs independently, consuming the resources of its host.

Trojan horse: A program that appears to have a useful function but that contains a hidden function that presents a security risk.


Banking Trojan: A Trojan that comes to life when computer owners visit an e-banking or e-commerce site.

Denial-of-service (DoS) attack: Using specialized software to send a flood of data packets to the target computer with the aim of overloading its resources.

Spam: The electronic equivalent of junk mail.

Hacker: Someone who gains unauthorized access to a computer system.

Cracker: A malicious hacker who may change code and steal information from the hacked systems.


Zombies: Computers infected with malware.

Page hijacking: Creating a rogue copy of a popular website that shows contents similar to the original to a Web crawler; once there, an unsuspecting user is redirected to malicious websites.

Botnet: A huge number (e.g., hundreds of thousands) of hijacked Internet computers that have been set up to forward traffic, including spam and viruses, to other computers on the Internet.

This technique is called ‘Phishing’.


EC Security - Assurance Model

Internet Security Assurance Model: Three security concepts important to information on the Internet: confidentiality, integrity, and availability.

Confidentiality: Assurance of data privacy and accuracy.

Integrity: Assurance that stored data has not been modified without authorization; a message that was sent is the same message as that which was received.

Availability: Assurance that access to data, the website, or other EC data service is timely, available, reliable, and restricted to authorized users.


EC Security - Defense Strategy

EC Security Requirements

Authentication: Process to verify (assure) the real identity of an individual, computer, computer program, or EC website.

Authorization: Process of determining what the authenticated entity is allowed to access and what operations it is allowed to perform.

Nonrepudiation: Assurance that online customers or trading partners cannot falsely deny (repudiate) their purchase or transaction.

Encryption: The process of scrambling (encrypting) a message in such a way that it is difficult, expensive, or time-consuming for an unauthorized person to unscramble (decrypt) it.

Auditing

Availability


Some of the technologies used to provide EC security:

Anti-virus: to protect a computer from viruses.

Anti-spy: to protect a computer from spyware.

Firewall: to protect a network from unauthorized access.

Secure Sockets Layer (SSL): used to encrypt data transferred between the server and the client.


The Payment Revolution

There are different methods for online payment:

1. Using Payment Cards
2. Smart Cards
3. Stored-Value Cards
4. Micropayment
5. E-Checks
6. Mobile Payment


Choosing the E-Payment Method: Critical factors that affect choosing a particular method of e-payment can be:

- Independence
- Portability
- Security
- Ease of Use
- Transaction Fees
- International Support
- Regulations


Using Payment Cards Online

Payment card: Electronic card that contains information that can be used for payment purposes.

- Credit cards
- Charge cards
- Debit cards

PROCESSING CARDS ONLINE

Authorization: Determines whether a buyer’s card is active and whether the customer has sufficient funds.

Settlement: Transferring money from the buyer’s to the merchant’s account.


FRAUDULENT CARD TRANSACTIONS

Key tools used in combating fraud:

Address Verification System (AVS): Detects fraud by comparing the address entered on a Web page with the address information on file with the cardholder’s issuing bank.

Card verification number (CVN): Detects fraud by comparing the verification number printed on the signature strip on the back of the card with the information on file with the cardholder’s issuing bank.


Smart Cards

Smart card: An electronic card containing an embedded microchip that enables predefined operations or the addition, deletion, or manipulation of information on the card.

Contact card: A smart card containing a small gold plate on the face that when inserted in a smart card reader makes contact and passes data to and from the embedded microchip.

Contactless (proximity) card: A smart card with an embedded antenna, by means of which data and applications are passed to and from a card reader unit or other device without contact between the card and the card reader.


Smart card reader: Activates and reads the contents of the chip on a smart card, usually passing the information on to a host system.

Smart card operating system: Special system that handles file management, security, input/output (I/O), and command execution and provides an application programming interface (API) for a smart card.


Stored-Value Cards

Stored-value card: A card that has monetary value loaded onto it and that is usually rechargeable.

Stored-value cards come in two varieties:

Closed loop are single-purpose cards issued by a specific merchant or merchant group.

Open loop are multipurpose cards that can be used to make debit transactions at a variety of retailers.


E-Micropayments

E-micropayments: Small online payments, typically under $10, can be done using:

1. Aggregation
2. Direct payment
3. Stored value
4. Subscriptions


E-Checking

E-check: A legally valid electronic version or representation of a paper check.

Automated Clearing House (ACH) Network: A nationwide batch-oriented electronic funds transfer system that provides for the interbank clearing of electronic payments for participating financial institutions.


Mobile Payments

Mobile payment: payment transactions initiated or confirmed using a person’s cell phone or smartphone.
