Security - PowerPoint PPT Presentation

Slides: 40
Provided by: computin7

Transcript and Presenter's Notes

Title: Security


1
Security
  • E-commerce security

2
E-commerce security
  • Threats to E-commerce
  • Who pays?
  • Secure servers (https, SSL)
  • Key distribution, certificate authorities
  • Reading: Anderson, chapter 19

3
E-commerce threats
  • Theft from company bank account
  • Damage to site (defacement, DoS)
  • Theft of personal data about customers
  • Not getting paid for a product
  • stolen credit card
  • dishonest customer repudiates purchase

4
Theft
  • Insiders are the biggest threat
  • most start-ups don't properly vet staff
  • 35% of dot-com executives have shady pasts!
  • Defense: good access control, logging
  • Defense: properly vet staff!
  • Important for all businesses

5
Damage to site
  • Deface web site
  • Pornography, rude language on home page
  • Crash web site
  • Distributed Denial of Service attacks
  • Hack into lots of computers on the net, get all
    of these to flood the victim with packets, or
    otherwise attempt to deny service
  • Difficult to stop

6
Attackers
  • Hackers
  • Go for high-profile sites
  • Extortionists
  • 50K or we crash your site
  • Easy to do with distributed denial of service
  • Organized crime

7
Defense
  • Defacement can be stopped by standard security
    measures
  • Distributed denial of service is harder to stop
  • Some tools, not sure how good
  • Company can identify attacker to police
  • As with conventional extortion
  • Difficult when extortionist can be 10000 km away,
    in country with weak legal system

8
Loss of sensitive data
  • Credit-card number
  • Who buys AIDS books
  • Companies may not care
  • Contractual issues
  • Credit-card company may refuse to accredit you
    unless you use SSL (encryption)
  • Legal risks (getting sued)

9
Legal due diligence
  • Legal defense: due diligence
  • Show you have used best available
    technology to protect data.
  • Firewalls are good for this.

10
Public disclosure
  • E-commerce sites should (in principle) publicly
    reveal policies about security, privacy, data
  • Some legal requirements in UK
  • Best practice: http://www.webtrust.org/download/final-Trust-Services.pdf

11
Don't get paid for product
  • Customer contests credit card purchase
  • Card genuinely stolen
  • Or customer forgot
  • Or customer is lying
  • If this happens a lot, a company may lose
    authorisation to accept credit card payments!
  • Means death for most e-commerce sites
  • Ask customers to complain to you first

12
Types of credit card transactions
  • Card present
  • Payment is pretty much guaranteed if customer
    enters authenticated PIN
  • Card not present
  • Won't get paid if customer disputes!
  • Company can check online if card has been
    reported stolen, but is still liable
  • Payment is more likely with password

13
Credit Card Procedures
  • Players
  • Retailer
  • Sends request for payment
  • Credit card service (e.g., BarclayCard Merchant
    Services)
  • Processes request
  • Customer's credit card issuer (e.g., bank)
  • Authorises request

14
Credit card service
  • Accepts requests for payment
  • Redirect customers to service's web page
  • Run service's software on your server, which
    talks to their server
  • Authorises payment
  • Contacts credit card issuer
  • Allows credit card issuer to request a password
  • Sends money to your bank

15
BarclayCard Procedure

16
Credit card passwords
  • Mandated for card-present from 2005 already
  • When card not present, as with internet payment
  • 'Verified by Visa', 'Mastercard SecureCode'
  • Customer gives their bank a password for credit
    card
  • Different from PIN password for plastic card!
  • Customer gives password when buying online
  • No refund (charge back) if customer denies

17
Requirements on retailer
  • data security standards
  • Must NOT store pins and security codes
  • Use firewall, don't use default passwords,
    encrypt data, ...
  • https://www.pcisecuritystandards.org/tech

18
Defense: suspicious transactions
  • Barclaycard suggests to be wary of
  • Email addresses that don't work
  • orders placed in middle of night
  • unusual purchase patterns
  • Some can be checked with software.
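
The checks above, as an added example in Python (not part of the original slides and not Barclaycard's own software). The thresholds, field names and the new-shipping-country check are assumptions, and the e-mail check is syntax-only because confirming that a mailbox works needs a verification message.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from statistics import mean

# Syntax-only check (assumption): proving the mailbox works needs a
# verification e-mail, which this offline example does not send.
EMAIL_RE = re.compile(r"^[^@\s]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")
NIGHT_HOURS = range(1, 5)  # assumed: 01:00-04:59, customer's local time
AMOUNT_FACTOR = 5          # assumed: flag orders above 5x the customer's average

@dataclass
class Order:
    customer: str
    email: str
    placed_at: datetime  # customer's local time
    amount: float
    ship_country: str

def review_flags(order, history):
    """Return the warning signs for `order`, given the customer's past orders."""
    flags = []
    if not EMAIL_RE.match(order.email):
        flags.append("email-malformed")
    if order.placed_at.hour in NIGHT_HOURS:
        flags.append("night-order")
    if not history:
        flags.append("no-history")  # nothing to compare the pattern against
        return flags
    if order.amount > AMOUNT_FACTOR * mean(o.amount for o in history):
        flags.append("unusual-amount")
    if order.ship_country not in {o.ship_country for o in history}:
        flags.append("new-ship-country")
    return flags

def needs_manual_review(order, history, threshold=2):
    """Hold the order for a human when several warning signs coincide."""
    return len(review_flags(order, history)) >= threshold

# Constructed sample data, not real orders.
HISTORY = [
    Order("c1", "ann@example.org", datetime(2024, 3, 1, 14, 5), 30.0, "GB"),
    Order("c1", "ann@example.org", datetime(2024, 3, 9, 19, 40), 50.0, "GB"),
]
NORMAL = Order("c1", "ann@example.org", datetime(2024, 4, 2, 12, 0), 45.0, "GB")
ODD = Order("c1", "ann@example", datetime(2024, 4, 3, 3, 15), 900.0, "US")

if __name__ == "__main__":
    for o in (NORMAL, ODD):
        print(o.email, review_flags(o, HISTORY), needs_manual_review(o, HISTORY))
```

A single flag is common for honest customers, so the example only holds an order when at least two coincide.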

19
Defense: digital money
  • Alternative payment system
  • Use cryptographic protocols to transfer money in
    guaranteed fashion
  • Reduces risk to merchant
  • But why should customers use digital money
    instead of credit cards?
  • no advantage from their perspective...

20
PayPal: credit card for individuals
  • Handles credit-card transactions for individuals
    (e.g., auction buyer/seller)
  • Could move towards digital money if people wanted
    this

21
Cost of credit-card fraud
  • 0.15% of international transactions
  • 0.2% of UK transactions
  • 1% of US transactions
  • because US banks send out huge numbers of
    pre-approved credit cards, stolen
  • presumably marketing gains outweigh loss
  • E-commerce is 20 times more likely to be disputed
    than face-to-face transactions

22
Who pays for damage?
  • Who is liable if there is fraud?
  • Customer?
  • Retailer (e-commerce site)?
  • Credit-card company?
  • Someone else?

23
ATM fraud
  • Banks have tried to make customers pay by
    insisting fraud was impossible.
  • Didn't care about minimising fraud, focus was on
    making customers pay
  • But they have had to change strategy and admit
    that fraud is possible.

24
ATM Fraud case study
  • John Munden suspended from his job after he
    complained to Halifax about fraudulent ATM
  • Halifax claimed their system was bug-free because
    it was written in assembler (low level
    programming language), hence Munden was lying.
  • One bank installed and then removed cameras
  • great security measure, but it showed the bank
    thought fraud was possible
  • Other banks pressured it to remove cameras!

25
Credit-card fraud liability
  • Current e-commerce credit cards
  • Retailer (e-commerce) pays if password not used
  • Issuer of credit card pays if password used
  • Probably will do utmost to get customer to pay!

26
Who bears risk
  • Who pays if fraud is a contentious issue
  • Businesses (especially banks) will do their best
    to make someone else pay
  • Optimal strategy for them
  • E-commerce sites should get good legal advice
    about such matters
  • Customers should read the fine print

27
Anderson's advice for startups
  • Vet staff, be on lookout for insider fraud
  • Don't be clever and/or carried away by the latest
    security technology.
  • Test code thoroughly
  • Encourage customers to complain to you instead of
    credit-card company
  • Get good legal advice

28
Secure Servers
  • Servers which use cryptographic protocols (such
    as SSL) so that net traffic is private and
    authenticated
  • credit card info cannot be read
  • shipping addresses cannot be changed
  • Required by credit card companies

29
Secure servers
  • There are easier ways of getting card numbers
    than internet spying
  • temp at Sainsbury's for a few days
  • credit card receipts from recycle bin
  • bugging phones easier than tapping web!

30
Key distribution
  • SSL requires public keys
  • X must know Y's public key
  • Usually embedded in a certificate
  • X uses this to send encrypted session key for AES-like
    (secret key) algorithm
  • How can X learn Y's public key?
  • How can I find out what Amazon's public key
    (certificate) is?

31
Distributing keys
  • PGP: public keys individually distributed and
    signed
  • I explicitly load Fred's public key into PGP
  • OK for small-scale
  • SSL: certificate authorities
  • Amazon sends me its public key, I trust it (not
    hacked) because it is signed by a certificate
    authority (CA)
  • CA's public key is pre-loaded into my browser
  • Can also check CA's database if I want
  • Works for internet as a whole

32
Certificate Authorities
  • Authenticate public keys by signing
  • Also public database
  • Revoke keys (browser may not check)
  • Sometimes user can explicitly check
  • CA charges a few hundred pounds per year to store
    a public key
  • Often free for personal email certificate

33
CA certification
  • http://www.freessl.com/faq.html#validation
  • Method 1: fax articles of incorporation, have
    these checked by staff
  • Slow, expensive, of some use
  • Method 2: CA phones and chats to you
  • Quick, cheap, useless
  • Guess which is most popular

34
Thawte Web of Trust
  • You get initial certificate for free, tentative
  • You get notaries to verify your identity, then
    your name goes on the cert
  • Notary asks for ID, may charge
  • Directory of notaries
  • Need 50 trust points, notaries can assign between
    10 and 35
  • Can become a notary with 100 trust points
  • www.thawte.com

35
Verifying Identity
  • Probably the most important thing the root CA
    does
  • Harder than the techy stuff
  • Doing it right costs money
  • What you're paying for when you buy a cert
  • Delegate to community (Web of Trust)?

36
Who certifies the CAs?
  • OS and browser ship with keys for trusted root
    CAs pre-installed
  • I.e., they are selected by Microsoft
  • In XP, Microsoft can dynamically update trusted
    root CAs!
  • Do we trust Microsoft to do a good job of
    selecting trustworthy CAs?

37
Webtrust
  • OS and browser are shipped with keys for
    pre-installed trusted root CAs
  • Microsoft has delegated to WebTrust the process
    of checking root CAs
  • Collective of audit companies, like Ernst and
    Young, who treat this as auditing
  • But can we trust the auditors?
  • Remember Arthur Andersen

38
Intermediate CAs
  • Root CAs can validate Intermediate CAs
  • Intermediate CAs aren't pre-shipped in IE, don't
    need WebTrust validation
  • Just need a deal with root CA

39
Trust
  • We still need to trust people
  • Trust Microsoft and auditors to properly vet CAs
  • Trust Microsoft to make sure there are no Trojan
    Horses in Windows or IE
  • Trust the CA to properly vet applicants for
    certificates
  • Still need to trust someone!