E-Commerce Security - PowerPoint PPT Presentation

About This Presentation
Title:

E-Commerce Security

Description:

Title: Slide 1 Author: JL Last modified by: ckfarn Created Date: 8/19/2003 10:49:27 PM Document presentation format: Other titles: Arial ... – PowerPoint PPT presentation

Number of Views:62
Avg rating:3.0/5.0
Slides: 44
Provided by: jl8689
Category:

less

Transcript and Presenter's Notes

Title: E-Commerce Security


1
E-Commerce Security
2
The Security Threats
  • Computer Crime and Security Survey 2002
  • 90 computers exposed to security violations
  • 40 computers detected external intrusions
  • 25 in 2000
  • 85 computers detected virus
  • How do companies protect itselves from this
    hostile environment?

Source Computer Security Institute (CSI)
3
Myths of Information Security
  • Protection against hackers
  • Protection against virus
  • Segregation of external threats

4
Brute Force Credit Card Attack Story
  • The Problem
  • Spitfire Novelties usually generates between 5
    and 30 transactions per day
  • On September 12, 2002 in a brute force credit
    card attack, Spitfires credit card transaction
    processor processed 140,000 fake credit card
    charges worth 5.07 each (62,000 were approved)

5
Brute Force Credit Card Attack (cont.)
  • The total value of the approved charges was
    around 300,000
  • Spitfire found out about the transactions only
    when they were called by one of the credit card
    owners who had been checking his statement online
    and had noticed the 5.07 charge

6
Brute Force Credit Card Attack (cont.)
  • Brute force credit card attacks require minimal
    skill
  • Hackers run thousands of small charges through
    merchant accounts, picking numbers at random
  • When the perpetrator finds a valid credit card
    number it can then be sold on the black market
  • Some modern-day black markets are actually
    member-only Web sites like carderplanet.com,
    shadowcrew.com, and counterfeitlibrary.com

7
Brute Force Credit Card Attack (cont.)
  • Relies on a perpetrators ability to pose as a
    merchant requesting authorization for a credit
    card purchase requiring
  • A merchant ID
  • A password
  • Both

8
Brute Force Credit Card Attack (cont.)
  • Online Datas credit card processing services,
    all a perpetrator needed was a merchants
    password in order to request authorization
  • Online Data is a reseller of VeriSign Inc. credit
    card gateway services
  • VeriSign blamed Online Data for the incident
  • Online Data blamed Spitfire for not changing
    their initial starter password

9
Brute Force Credit Card Attack Story (cont.)
  • In April 2002 hackers got into the Authorize.Net
    card processing system (largest gateway payment
    system on the Internet)
  • Executed 13,000 credit card transactions, of
    which 7,000 succeeded
  • Entry into the Authorize.Net system required only
    a log-on name, not a password

10
Brute Force Solution
  • Online Data should assign strong passwords at the
    start
  • Customers should modify those passwords
    frequently
  • Authorization services such as VeriSign and
    Authorize.Net should have built-in safeguards
    that recognize brute force attacks

11
Brute Force Credit Card Solution (cont.)
  • Signals that something is amiss
  • A merchant issues an extraordinary number of
    requests
  • Repeated requests for small amounts emanating
    from the same merchants

12
Brute Force Credit Card Attack (cont.)
  • The Results
  • VeriSign halted the transactions before they were
    settled, saving Spitfire 316,000 in charges
  • Authorize.Net merchants were charged 0.35 for
    each transaction
  • The criminals acquired thousands of valid credit
    card numbers to sell on the black market

13
Brute Force Credit Card Attack (cont.)
  • What we can learn
  • Any type of EC involves a number of players who
    use a variety of network and application services
    that provide access to a variety of data sources
  • A perpetrator needs only a single weakness in
    order to attack a system

14
Brute Force What We Can Learn
  • Some attacks require sophisticated techniques and
    technologies
  • Most attacks are not sophisticated standard
    security risk management procedures can be used
    to minimize their probability and impact

15
Accelerating Need forE-Commerce Security
  • Annual survey conducted by the Computer Security
    Institute and the FBI
  • Organizations continue to experience cyber
    attacks from inside and outside of the
    organization

16
Accelerating Need forE-Commerce Security (cont.)
  • The types of cyber attacks that organizations
    experience were varied
  • The financial losses from a cyber attack can be
    substantial
  • It takes more than one type of technology to
    defend against cyber attacks

17
Accelerating Need forE-Commerce Security (cont.)
  • According to the statistics reported to CERT/CC
    over the past year (CERT/CC 2002)
  • The number of cyber attacks skyrocketed from
    approximately 22,000 in 2000 to over 82,000 in
    2002
  • First quarter of 2003 the number was already over
    43,000
  • Computer Emergency Response Team (CERT) Group of
    three teams at Carnegie Mellon University that
    monitors incidence of cyber attacks, analyze
    vulnerabilities, and provide guidance on
    protecting against attacks

18
Security Is Everyones Business
  • Security practices of organizations of various
    sizes
  • Small organizations (10 to 100 computers)
  • The haves are centrally organized, devote a
    sizeable percentage of their IT budgets to
    security
  • The have-nots are basically clueless when it
    comes to IT security

19
Security Is Everyones Business (cont.)
  • Medium organizations (100 to 1,000 computers)
  • Rarely rely on managerial policies in making
    security decisions, and they have little
    managerial support for their IT policies
  • The staff they do have is poorly educated and
    poorly trainedoverall exposure to cyber attacks
    and intrusion is substantially greater than in
    smaller organizations

20
Security Is Everyones Business (cont.)
  • Large organizations (1,000 to 10,000 computers)
  • Complex infrastructures and substantial exposure
    on the Internet
  • While aggregate IT security expenditures are
    fairly large, their security expenditures per
    employee are low
  • IT security is part-time and undertrainedsizeable
    percentage of the large organizations suffer
    loss or damage due to incidents
  • Base their security decisions on organizational
    policies

21
Security Is Everyones Business (cont.)
  • Very large organizations (more than 10,000
    computers)
  • extremely complex environments that are difficult
    to manage even with a larger staff
  • rely on managerial policies in making IT security
    decisions
  • only a small percentage have a well-coordinated
    incident response plan

22
Security Issues
  • From the users perspective
  • Is the Web server owned and operated by a
    legitimate company?
  • Does the Web page and form contain some malicious
    or dangerous code or content?
  • Will the Web server distribute unauthorized
    information the user provides to some other party?

23
Security Issues (cont.)
  • From the companys perspective
  • Will the user not attempt to break into the Web
    server or alter the pages and content at the
    site?
  • Will the user will try to disrupt the server so
    that it isnt available to others?

24
Security Issues (cont.)
  • From both parties perspectives
  • Is the network connection free from eavesdropping
    by a third party listening on the line?
  • Has the information sent back and forth between
    the server and the users browser been altered?

25
Security Requirements
  • Authentication
  • The process by which one entity verifies that
    another entity is who they claim to be
  • Authorization
  • The process that ensures that a person has the
    right to access certain resources
  • Auditing
  • The process of collecting information about
    attempts to access particular resources, use
    particular privileges, or perform other security
    actions

26
Security Requirements (cont.)
  • Confidentiality
  • Keeping private or sensitive information from
    being disclosed to unauthorized individuals,
    entities, or processes
  • Integrity
  • As applied to data, the ability to protect data
    from being altered or destroyed in an
    unauthorized or accidental manner

27
Security Issues (cont.)
  • Non-repudiation
  • The ability to limit parties from refuting that a
    legitimate transaction took place, usually by
    means of a signature

28
Information Security Vulnerabilities
Intentional Unintentional or Natural Causes
Hardware exposure Thefts, vandalism, criminal acts Natural disasters, fire, floods, disk crash
Information exposure Alteration of data, systematic updates Incompetence of programmers, missing
Disclosure of information Unauthorized copy, network interception, fraud Careless
Network intrusions Theft of information, alteration of data, use of computers as a crime tool --
29
Safeguarding information
  • Assess exposure and risk
  • Identification and protect any possible threats
    and vulnerabilities
  • Technical and procedural preventions
  • Understanding the characteristics of security
    technologies
  • SOP Standard Operations Procedure
  • The strength of a chain is the strength of the
    weakest link

30
Basic Security Concepts
  • Security is never ABSOLUTE
  • The balance between security and ease of use
  • Security is costly
  • What is your exposure and potential loss?
  • How much are you willing to pay?
  • There are technical and social dimensions in
    security issues
  • All perpetrators are human beings
  • Mostly internal employees

31
Security and Ease of Use
  • What will you end up doing, if every time
  • You have to unlock 10 locks to get home
  • You have to lock 10 door before you leave
  • Risk and Security measures should be balanced

32
A simple case
  • When you take a vacation, you supervisor asks you
    to provide your password ..
  • Should you comply?
  • Can you refuse?
  • On what basis?

33
The Onion of Security
Insurance
Business Environment
International Standards
?? ??
Security Plan
Legal Environment
34
Some Basic Security Measures
  • Virus protection
  • Encryption
  • PKI/CA

35
Virus Protection
Files
Virus code
Programs
Anti-Virus S/W
Analyze Program Look for virus
Fix or Segregate
Pass
36
Encryption general concept
  • Eg. My Phone number 0916059841
  • Simple multiplication
  • Multiply by 13011908777933
  • I send it to you and you devide by 13
  • A simpler scheme
  • 9807797118664201455098988941411426975

9807797118664201455098988941411426975
9807797118664201455098988941411426975
Key we have to protect the encryption rule --Is
there any secrete?
37
Symmetry Key Encryption
Encrypt
S
Message
Encrypted Message
Decrypt
R
Encrypted Message
Message
38
The concept of two keys
  • You open a SAFE in a bank
  • Open Account
  • Verification of Identity
  • Get a key Private Key
  • Use
  • Verification of Identity, log
  • Bank officer take a public key, together with
    your private key, open the safe
  • Are you safe? Why?

39
Asymmetric Key Encryption
  • RSA scheme
  • Invented by three mathematicians with last names
    starts with R/S/A.
  • Mathematically generate a pair of keys, KA and
    KB
  • Generated simultaneously. KA and KB are
    independent, one cannot be derived from another.
  • A file encrypted by key KA can only be decrypted
    by KB and not A, and vice versa
  • KA is kept private, and KB is open publicly

40
Asymmetric Key Encryptionfor Confidentiality
Encrypt with Public Key
S
Message
Encrypted Message
Decrypt with Private Key
R
Encrypted Message
Message
41
Asymmetric Key Encryptionfor Non-repudiation
R Public Encrypt
S
Message
Encrypted Message
S Private Encrypt
R
R Public Decrypt
Encrypted Message
Message
S Private Decrypt
42
PKI/CA
  • PKI Public Key Infrastructure
  • Encryption scheme based on RSA encryption
  • An infrastructure for effective operations
  • CA Certificate Authority
  • Issuance of Keys
  • Trusted third party
  • Hierarchical structure of reference

43
Issuance of Certificate by CA
CA Certificate
Elec. Document
Issuer Issue Date Holder Public Keu

Issuance of Certificate by CA
XXXX Contract
Digital Signature
110111001
X509

John
Open for Public Identification


Private Key
Public Key
Write a Comment
User Comments (0)
About PowerShow.com