Electronic Commerce - PowerPoint PPT Presentation

Title:

Electronic Commerce

Slides: 68
Provided by: bruce161

Transcript and Presenter's Notes

1
Electronic Commerce
  • Payment Security

2
Outline
  • Fundamental Technology: Secure Sockets Layer
  • Credit Card Transactions
  • Secure Electronic Transactions
  • Digital Cash: PayPal
  • Digital Wallets - .NET Passport
  • Virtual Credit Card Numbers

3
Electronic Commerce
  • How are consumer transactions secured on the Web
    today?
  • Secure Sockets Layer (SSL)
  • Secure Electronic Transactions (SET)

4
SSL/TLS
  • SSL
  • Secure Sockets Layer: general-purpose encryption
    system
  • Developed by Netscape in 1994
  • S-HTTP also introduced that same year
  • Only worked with http
  • Only available in a version of Mosaic that was
    not free
  • Microsoft introduced PCT in IE in 1996
  • SSL won

5
  • TLS
  • Netscape gave IETF control over SSL
  • IETF renamed it TLS
  • Transport Layer Security

6
SSL Characteristics
  • Operates above the transport layer
  • Any application can use it, not just Web browsers
  • Not optimized for Web traffic
  • Flexible in choice of algorithms
  • DES, triple DES, RC2, RC4
  • MD5, SHA
  • RSA public/private keys, Diffie-Hellman
  • Variety of key lengths

7
  • Built-in compression
  • The following are encrypted:
  • URL of requested doc
  • Contents of requested doc
  • Contents of submitted fill-out forms
  • Cookies sent from browser to server
  • Cookies sent from server to browser
  • Contents of HTTP header

8
Location of SSL/TLS

9
SSL Operation Big Picture
  • Two sides negotiate security parameters
  • Webserver authenticates itself
  • Browser may authenticate itself but rarely does
  • Browser generates a random symmetric session key,
    sends to webserver
  • Adds a digital signature and encrypts all
    messages with the symmetric key

10
SSL Operation - Detail
  • 1. Client opens connection to server and sends
    ClientHello message
  • Lists capabilities of client including version of
    SSL, cipher suites, data compression methods
  • 2. Server responds with ServerHello message
  • Server selects cipher suite and data compression
    method

11
  • 3. Server sends its X.509 certificate
  • 4. (optional) Server sends a client certificate
    request
  • 5. (optional) Client sends its certificate

12
  • 6. Client sends a ClientKeyExchange message
  • Client generates random number to be used as
    secret
  • Both client and server use secret to generate
    secret key
  • Secret encrypted using server's RSA public key
    (from server's certificate)

13
  • 7. (optional) Client sends a CertificateVerify
    message
  • Authenticates client: signed with client's
    private key
  • Sends secret

14
  • 8. Client and server send a ChangeCipherSpec
    message
  • Confirms that both are ready to start
    communicating
  • 9. Client and server send Finished messages
  • SHA and MD5 hashes of entire conversation

15
  • Now start communicating using session key
  • Another mode does not use certificates to
    exchange keys but rather Diffie-Hellman key
    exchange
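
The ClientHello from step 1 can be inspected offline. The following is an added example, not part of the original slides: it starts a handshake against in-memory buffers with Python's `ssl` module and parses the fixed fields the slide lists (version, cipher suites, compression methods). The hostname `shop.example` is a constructed placeholder.

```python
import ssl
import struct

def capture_client_hello(hostname="shop.example"):
    """Begin a handshake with no server attached and return the bytes sent."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        conn.do_handshake()            # cannot complete: nothing answers
    except ssl.SSLWantReadError:
        pass                           # the ClientHello now sits in `outgoing`
    return outgoing.read()

def parse_client_hello(record):
    """Parse the record header and the fixed part of the ClientHello body."""
    content_type, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    hs_type = body[0]                  # body[1:4] is the 24-bit message length
    pos = 4
    (version,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    pos += 32                          # skip the 32-byte client random
    pos += 1 + body[pos]               # skip the session id (length-prefixed)
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    suites = [int.from_bytes(body[i:i + 2], "big")
              for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = body[pos]
    compression = list(body[pos + 1:pos + 1 + comp_len])
    return {
        "content_type": content_type,  # 22 = handshake record
        "handshake_type": hs_type,     # 1 = ClientHello
        "version": version,            # e.g. 0x0303
        "cipher_suites": suites,       # 16-bit suite identifiers offered
        "compression": compression,    # 0 = null (no compression)
    }

if __name__ == "__main__":
    hello = parse_client_hello(capture_client_hello())
    print(hex(hello["version"]), [hex(s) for s in hello["cipher_suites"]],
          hello["compression"])
```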

16
SSL/TLS Operation

17
Importance of SSL/TLS
  • Advantages
  • De facto standard for Internet security
  • Can be used by all browsers
  • Disadvantages
  • Does not involve security of data on merchant
    server after delivery
  • Does not validate credit card numbers
  • Viewed as an available but temporary approach to
    consumer security

18
How an Online Credit Card Transaction Works

19
Limitations of Online Credit Card Payment Systems
  • Security
  • Neither the merchant nor the consumer can be
    fully authenticated
  • Merchant Risk
  • Consumers can repudiate charges
  • Cost
  • Roughly 3.5% of purchase plus transaction fee
  • Social Equity
  • Young adults do not have credit cards
  • Almost 100 million adult Americans cannot afford
    cards or are considered poor risks

20
SET
  • Secure Electronic Transactions
  • Better than SSL
  • Visa, MasterCard, Netscape, Microsoft developed
  • More complex and expensive than SSL
  • Specific for credit/debit card transactions

21
SET Services
  • Authentication
  • Customer
  • Merchant
  • Bank that issued customer's credit card
  • Bank that handles merchant's checking account

22
  • Confidentiality
  • Message Integrity
  • Linkage
  • Allows a message sent to one party to contain an
    attachment that can be read only by another

23
Supports credit card features
  • Cardholder registration
  • Merchant registration
  • Purchase requests
  • Payment authorization
  • Payment Capture
  • Chargebacks
  • Credits
  • Credit reversals
  • Debit card transactions

24
Summary
  • Prevents merchant from seeing credit card
    number
  • Provides authentication, confidentiality, and
    integrity of entire transaction among customer,
    merchant, merchant's bank, customer's bank

25
SET Detail
  • 1. Customer initiates a purchase
  • Fills out order form including description of
    merchandise and shipping information
  • Hits pay button

26
  • 2. Client sends order and payment info in two
    messages
  • Order information encrypted with merchant's
    public key
  • Payment information encrypted with bank's public
    key
  • Hash of both computed and signed with customer's
    private key
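
The "linkage" service and the signed hash in step 2 correspond to SET's dual signature: each part is hashed, the two digests are concatenated and hashed again, and that value is signed. The following is an added example, not part of the original slides. It uses a constructed toy RSA key without padding and constructed sample messages, and it leaves out the encryption of each part to the merchant's and bank's public keys.

```python
import hashlib

# Constructed toy RSA key built from two Mersenne primes. It is far too small
# for real use and has no padding; it only stands in for the customer's key.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent (Python 3.8+)

def digest(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()   # SHA, as named on the slides

def dual_sign(order_info: bytes, payment_info: bytes):
    """Customer side: sign H(H(OI) || H(PI)) with the private key."""
    oi_md, pi_md = digest(order_info), digest(payment_info)
    signature = pow(int.from_bytes(digest(oi_md + pi_md), "big"), D, N)
    return oi_md, pi_md, signature

def _signature_matches(oi_md: bytes, pi_md: bytes, signature: int) -> bool:
    expected = int.from_bytes(digest(oi_md + pi_md), "big")
    return pow(signature, E, N) == expected

def merchant_verify(order_info: bytes, pi_md: bytes, signature: int) -> bool:
    """Merchant holds the order and only the digest of the payment data."""
    return _signature_matches(digest(order_info), pi_md, signature)

def bank_verify(payment_info: bytes, oi_md: bytes, signature: int) -> bool:
    """Bank holds the payment data and only the digest of the order."""
    return _signature_matches(oi_md, digest(payment_info), signature)

# Constructed sample messages (the card number is a well-known test value).
ORDER = b"2 x widget, ship to 1 Example Street"
PAYMENT = b"card=4111111111111111;amount=19.98"

if __name__ == "__main__":
    oi_md, pi_md, sig = dual_sign(ORDER, PAYMENT)
    print(merchant_verify(ORDER, pi_md, sig), bank_verify(PAYMENT, oi_md, sig))
```

Each party checks the same signature while seeing only its own part, so an order cannot later be paired with different payment data without the check failing.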

27
  • 3. Merchant passes payment information to bank
  • Generates authorization request
  • Signs with its private key
  • Encrypted with session key and incorporated in
    digital envelope using bank's public key

28
  • 4. Bank checks validity of the card
  • Verifies merchant's identity
  • Verifies customer's identity
  • Checks with customer's bank for authorization

29
  • 5. Card issuer authorizes and signs the charge
    slip
  • Checks customer's account
  • Approves authorization request
  • Returns charge slip to merchant's bank

30
  • 6. The merchant's bank authorizes the transaction
  • Sends back to merchant's Web server
  • 7. Merchant's Web server completes transaction
  • Shows confirmation page to customer
  • Enters order into order processing system

31
  • 8. Merchant captures the transaction
  • Sends capture message to bank
  • Confirms purchase and causes customer's credit
    card to be charged
  • 9. Card issuer sends credit card bill to customer

32
  • Authentication step in every phase of SET
    protocol
  • All parties must register themselves with CA
  • Uses SHA, 1024-bit RSA keys, 56-bit DES key

34
How SET Transactions Work

35
  • Certificates must be issued to credit card issuer
    and merchant bank
  • Cardholder registers credit card with SET system
    and is given a public/private key pair and certificate
  • Merchant's bank gives merchant a certificate
  • Uses SHA, 1024-bit RSA, and DES

36
SET Status
  • Initial standards are in place
  • Will need to be extended over time
  • Credit card companies are pushing
  • Merchants are resisting
  • Costs will increase
  • Service fee cuts will be minimal
  • Current browsers do not support SET

37
Digital Cash
  • Also called e-cash
  • Digital forms of value storage or value exchange
    that have limited convertibility into other forms
    of value and require intermediaries to convert
  • Online stored value payment systems permit
    consumers to make instant, online payments to
    merchants and other individuals based on value
    stored in an online account

38
Examples of Digital Cash

39
PayPal
  • Allows individuals to send money via email
  • Also good for eBay: gives sellers and buyers a
    way to exchange money
  • August 2001: over 9 million users
  • About 20,000 new users and 3,000 business
    accounts sign up each day

40
  • Fills niche credit card companies ignored:
    allowing individuals to accept credit card payments
  • PayPal earns money
  • Sellers 1.9 transaction 25 cents
  • Interest earned on consumer funds not yet
    transferred out of the PayPal System

41
  • Strength: piggybacks on existing credit card and
    check payment systems
  • Weakness: suffers from relatively high levels of
    fraud related to credit card system

42
Types of PayPal Accounts
  • Personal accounts are for individual use only and
    may not receive credit card payments. Personal
    accounts include all Core Features
  • Premier accounts are for members who will have a
    high transaction volume, need to accept credit
    card payments, or would like access to our
    special features. Premier accounts include all
    Core Features, as well as Premium Features.
  • Business accounts are for business use only.
    Business accounts include all Core Features, as
    well as Premium Features.

43
Core Features
  • $5 Referral Bonus: Earn $5 for each member you
    refer who completes the bonus requirements
  • International Payments: Send and receive payments
    with members in 38 countries
  • Virtual Debit Card: Pay anyone online using your
    PayPal account
  • Account Insurance: Your PayPal balance is FDIC
    insured up to $100,000
  • Downloadable log: Download your account history
    into a spreadsheet or Quicken
  • Email-based customer service
  • Send Money: Send payments to anyone with an email
    address
  • Request Money: Request payments from anyone with
    an email address
  • Auction Tools: Accept PayPal directly from your
    auction listings; automatically invoice your
    winning bidders; automatically remind bidders
    about your auctions
  • Accept payments on your website: Create PayPal
    buttons and accept instant payments from your
    website
  • Money Market: Earn a rate of return on your
    PayPal account balance

44
Premier and Business Account Features
  • Accept unlimited credit card payments
  • Subscriptions and Recurring Payments: Implement
    subscription payments for your content or
    services
  • ATM/Debit Card: Get instant access to the funds
    in your PayPal account
  • Mass Payments: Make payments to hundreds of
    people at once
  • Multiple Logins: Give your employees limited
    access to your PayPal account
  • 7-day-a-week customer service call center

45
  • Create PayPal account at PayPal web site and
    supply:
  • Credit card information or
  • Bank account information
  • Only PayPal privy to this information
  • Can pay someone directly

49
  • When you use PayPal for a purchase, money is
    withdrawn from credit card or bank account and
    transmitted to Automated Clearing House
  • Receiving party notified via email
  • If receiving party has a PayPal account, money is
    automatically deposited

50
  • Recipient can then:
  • Transfer to checking account
  • Request paper check
  • Use PayPal to send funds elsewhere

52
Digital Wallets
  • Authenticates the consumer through the use of
    digital certificates or other encryption methods,
    stores and transfers value, and secures the
    payment process from the consumer to the merchant

54
Promised Functionality of Digital Wallets

55
Types of Digital Wallets

56
Digital Wallets
  • Client-based digital wallets are software
    applications that consumers install on their
    computer, and that offer consumer convenience by
    automatically filling out forms at online stores
  • Server-based digital wallets are software-based
    authentication and payment services and products
    sold to financial institutions that market the
    systems to merchants either directly or as a part
    of their financial service package
  • Electronic Commerce Modeling Language is a
    standard for digital wallets

57
How Microsoft's Passport Wallet Works

58
Virtual Credit Card Numbers
  • Avoids risk of reuse of credit card number
  • Each transaction is issued a one-time-use credit
    card number
  • Issuance of credit card number vulnerable to
    password crack
