ECT%20455/HCI%20513%20E-Commerce%20Web%20Site%20Engineering

1
ECT 455/HCI 513 E-Commerce Web Site Engineering

• Electronic Payment Systems
• Internet Transaction Security

2
Online Payment Systems

• Online payment is the foundation of systems for
  EC.
• How does it mesh with the past and current
  currency systems?
• credit cards, debit cards, ATM, banks
• Political Challenges
• What about taxes?

3
Electronic Payment Systems

• Efficient and effective payment services accepted
  by consumers and businesses are essential to
  e-commerce.
• Requirements
• Convenient for web purchasing
• Transportable over the network
• Strong enough to thwart electronic interference
• Cost-effective for extremely low-value
  transactions

4
Electronic Payment Systems

• Banking and Financial Payments
• Bank-to-bank transfer (EFT)
• Home Banking -- CitiBank, Wells Fargo
• Payment through an Intermediary
• Open Market
• First Virtual (FirstVirtual Pin)

Both refer to their earlier business models
5
Electronic Payment Systems

• Electronic Currency Payment Systems
• Electronic Cash -- CyberCash, Internetcash.com
• Electronic Checks -- NetCheque
• e-Wallets (Visa)
• Smart Cards
• American Express (blue smart card)
• Visa
• Micropayments
• echarge

6
More

• Retailing Payment Systems
• Credit Cards -- Visa or MasterCard
• Private Label Credit/Debit Cards
• Charge Cards -- American Express echarge
• Peer-to-peer payments (between consumers)
• PayPal (billpoint)

7
Credit-Card Transactions

• Popular form of payment for online purchases
• Resistance due to security concerns
• Many cards offer capabilities for online and
  offline purchases
• Prodigy Internet Mastercard
• American Express Blue

8
Online Credit-Card Transaction

• To accept credit-card payments, a merchant must
  have a merchant account
• Traditional merchant accounts accept only POS
  (point-of-sale) transactions
• Transactions that occur when you present your
  credit card at a store
• Card-not-present (CNP) transaction
• Merchant does not see actual card being used in
  the purchase
• Authentication
• The person is, in fact, who they say they are

9
Credit-Card Transaction Enablers

• Credit-Card Transaction Enablers
• Companies that have established business
  relationships with financial institutions that
  will accept online credit-card payments for
  merchant clients
• Trintech
• Cybercash (Verisign)

10
E-Wallets

• E-wallets
• Keep track of your billing and shipping
  information so that it can be entered with one
  click at participating sites
• Store e-checks, e-cash and credit-card
  information
• Credit-card companies offer a variety of
  e-wallets
• Visa e-wallets
• MBNA e-wallet allows one-click shopping at member
  sites
• A group of e-wallet vendors have standardized
  technology with Electronic Commerce Modeling
  Language (ECML)

11
Digital Currency

• Digital cash
• Stored electronically, used to make online
  electronic payments
• Similar to traditional bank accounts
• Used with other payment technologies (digital
  wallets)
• Alleviates some security fears online credit-card
  transactions
• Allows those with no credit cards to shop online
• Merchants accepting digital-cash payments avoid
  credit-card transaction fees

12
Smart Cards

• Smart card
• Card with computer chip embedded on its face,
  holds more information than ordinary credit card
  with magnetic strip
• Contact smart cards
• To read information on smart cards and update
  information, contact smart cards need to be
  placed in a smart card reader
• Contactless smart cards
• Have both a coiled antenna and a computer chip
  inside, enabling the cards to transmit
  information
• Can require the user to have a password, giving
  the smart card a security advantage over credit
  cards
• Information can be designated as "read only" or
  as "no access"
• Possibility of personal identity theft

13
Internet security

• Consumers entering highly confidential
  information
• Number of security attacks increasing
• Four requirements of a secure transaction
• Privacy information not read by third party
• Integrity information not compromised or
  altered
• Authentication sender and receiver prove
  identities
• Non-repudiation legally prove message was sent
  and received
• Availability
• Computer systems continually accessible

14
Secret-key Cryptography

• Encrypting and decrypting a message using a
  symmetric key

                                               
15
Secret-key Cryptography

• Distributing a session key with a key
  distribution center

16
Secret-key Cryptography

• Secret-key cryptography
• Same key to encrypt and decrypt message
• Sender sends message and key to receiver
• Problems with secret-key cryptography
• Key must be transmitted to receiver
• Different key for every receiver
• Key distribution centers used to reduce these
  problems
• Generates session key and sends it to sender and
  receiver encrypted with the unique key
• Encryption algorithms
• Dunn Encryption Standard (DES), Triple DES,
  Advanced Encryption Standard (AES)

17
Key Management

• Key management
• Handling and security of private keys
• Key generation
• The process by which keys are created
• Must be truly random

18
Public Key Cryptography

• Public key cryptography
• Asymmetric two inversely related keys
• Private key
• Public key
• If public key encrypts only private can decrypt
  and vice versa
• Each party has both a public and a private key
• Either the public key or the private key can be
  used to encrypt a message
• Encrypted with public key and private key
• Proves identity while maintaining security
• RSA public key algorithm www.rsasecurity.com

19
Public Key Encryption and Decryption
20
Public Key Cryptography

• Authentication with a public-key algorithm

21
Digital Signatures

• Digital signature
• Authenticates senders identity
• Run plaintext through hash function
• Gives message a mathematical value called hash
  value
• Hash value also known as message digest
• Collision
• Occurs when multiple messages have same hash
  value
• Encrypt message digest with private-key
• Send signature, encrypted message (with
  public-key) and hash function
• Timestamping
• Binds a time and date to message, solves
  non-repudiation
• Third party, time-stamping agency, timestamps
  messages

22
Using a digital signature to validate data
integrity
23
Digital Certificate

• A certificate is an electronic document used to
  identify an individual, a server, a company, or
  some other entity and to associate that identity
  with a public key.
• Public-key cryptography uses certificates to
  address the problem of impersonation
• Certificate authorities (CAs) are entities that
  validate identities and issue certificates. They
  can be either independent third parties or
  organizations running their own
  certificate-issuing server software

24
Digital Certificate

• A digital certificate includes
• the public key
• the name of the entity it identifies
• an expiration date
• the name of the CA that issued the certificate
• a serial number, and other information. Most
  importantly, a certificate always includes the
  digital signature of the issuing CA.
• The CA's digital signature allows the certificate
  to function as a "letter of introduction" for
  users who know and trust the CA but don't know
  the entity identified by the certificate.

25
Encryption Transaction SecuritySecret vs.
Public Key Encryption

• Secret-Key Encryption (single key)
• Symmetric encryption, DES
• Use a shared secret key for encryption and
  decryption
• Key distribution disclosure
• fast, for bulk data encryption

• Public-Key Encryption (Pair of keys)
• Asymmetric encryption, RSA (Rivest, Shamin,
  Adlemann)
• Private/Public keys
• Need digital certificates and trusted 3rd parties
• Slower
• For less demanding applications

26
Client Authentication

• Password-Based Authentication.
• A server might require a user to type a name and
  password before granting access to the server.
• The server maintains a list of names and
  passwords if a particular name is on the list,
  and if the user types the correct password, the
  server grants access.
• Certificate-Based Authentication.
• Client authentication based on certificates is
  part of the SSL protocol.
• The client digitally signs a randomly generated
  piece of data and sends both the certificate and
  the signed data across the network.
• The server uses techniques of public-key
  cryptography to validate the signature and
  confirm the validity of the certificate

27
Using a password to authenticate a client to a
server
28
Using a certificate to authenticate a client to
a server
29
Public Key Infrastructure, Certificates and
Certification Authorities

• Public Key Infrastructure (PKI)
• Integrates public key cryptography with digital
  certificates and certification authorities
• Digital certificate
• Digital document issued by certification
  authority
• Includes name of subject, subjects public key,
  serial number, expiration date and signature of
  trusted third party
• Verisign (www.verisign.com)
• Leading certificate authority
• Periodically changing key pairs helps security

30
SET Secure Electronic Transaction

• The SET protocol is a collection of encryption
  and security specification used as an
  industry-wide, open standard for ensuring secure
  payment transaction over the Internet.
• A payment protocol to accelerate development of
  e-commerce and to bolster consumer confidence

31
SET Secure Electronic Transaction

• SET establishes a method for interoperability of
  secure transactions software over multiple,
  popular hardware platforms and operating systems
• Developed by Visa and MasterCard, with GTE, IBM,
  Microsoft, Netscape, SAIC, Terisa Systems and
  Verisign.
• Based on encryption technology from RSA Data
  Security.

32
SET Secure Electronic Transaction

• Use digital certificates to authenticate all the
  parties involved in a transaction
• SET-compliant software validates both merchant
  and cardholder before exchange of information
• Employs public-key encryption and digital
  signature
• Complete documentation in visa.com

33
Secure Electronic Transaction (SET)

• SET protocol
• Designed to protect e-commerce payments
• Certifies customer, merchant and merchants bank
• Requirements
• Merchants must have a digital certificate and SET
  software
• Customers must have a digital certificate and
  digital wallet
• Digital wallet
• Stores credit card information and identification
• Merchant never sees the customers personal
  information
• Sent straight to banks
• Microsoft Authenticode
• Authenticates file downloads
• Informs users of the downloads author

34
Advantages of SET Over Channel Encryption

• Participants are authenticated via certificates
• Financial institutions provide assurance, not
  software
• SET allows a wallet to clearly distinguish a
  payment from other uses of web forms
• SET prevents terminated merchants from obtaining
  account information (three party transaction)

35
Merchant Benefits of SET

• More sales
• Increased trust in merchant
• Visa global acceptance
• Cost Savings
• Fewer losses from chargebacks
• Assured payment
• Reduced overhead
• Automated payment process

36
Secure Sockets Layer (SSL)

• A transport-level technology for authentication
  and data encryption between a Web server and a
  Web browser.
• SSL negotiates point-to-point security between a
  client and a server.
• SSL secures the routes of Internet communication,
  but it does not protect you from unscrupulous or
  careless people.
• Source www.Netscape.com
• Use Public Key
• Do not protect private information.

37
Secure Sockets layer (SSL)

• SSL
• Uses public-key technology and digital
  certificates to authenticate the server in a
  transaction
• Protects information as it travels over Internet
• Does not protect once stored on receivers server
• Peripheral component interconnect (PCI) cards
• Installed on servers to secure data for an SSL
  transaction

38
SET versus SSL

• SET
• Three party protocol
• Application protocol
• Trust requirement All participants have been
  authenticated for a specific role in payment card
  transaction processing

• SSL
• Two party protocol
• TCP/IP Communication protocol
• Trust requirement communicating with a trustable
  server