
E-Security & E-Payment

S.P.Sabnis Don Bosco Institute of Technology

E-Security

Any business, whether a traditional brick and mortar (B&M) business, a brick & click or a pure e-business, needs to be concerned about security. Because the internet is a public network, any private network connected to it is exposed to potential threats from anywhere on the public network. In the physical world, crime often leaves evidence such as fingerprints. Similarly, cyber crime also leaves physical electronic evidence, but unless good security measures are taken, it may be difficult to trace the source of cyber crime.

Goals of security

Confidentiality: confidentiality of data, so that it is not accessible to others.
Integrity: integrity of the data sent and received.
Availability: the data ought to be available to the people for whom it is meant.

Violations of security

1. Interception: Intercept the data with the intent of spying on it. The middle man just listens to your communication. Imagine someone listening to national secrets.

2. Interruption: Interrupt the data and cut it off. The middle man receives the messages and prevents the receiver from receiving them. The sender will believe that the receiver has received the message, but the receiver has not received it. (Suppose you want to fire a missile, but the missile software is not receiving your commands, and worst of all, you think the missile is fired :)

3. Modification: Interrupt the data, modify it and send different data to the receiver. The middle man receives the message, modifies it and then sends it to the actual receiver. (Imagine if the target of the missile is changed to your country itself)

4. Fabrication: Fabricate fake data and send the new data to the receiver. The middle man will just fabricate a new message and will send it to the receiver. The receiver will believe that the message came from the sender. (Imagine a missile being fired at your friendly nations :)

General security issues

Connection to the internet: Private computer networks are at risk from potential threats from anywhere on the public internet network.
Unknown risks: New security holes and methods of attacking networks are being discovered with alarming frequency.
Customer privacy and security of customer information: Not only are steps required to protect the privacy of customer information, but customers must also be made aware of those steps and have confidence in them.
Security consciousness: Management and employees must understand the importance of security policies and procedures.

Network and website security risks

An e-business must protect itself against unauthorised access to its computer network, denial of service traffic overloads, and intrusion of destructive viruses. Malicious hackers, or crackers, gain access to steal valuable information such as credit card numbers, or attempt to disrupt service or cause other damage.

Denial of service attacks

A DoS is an attack on a network that is designed to disable the network by flooding it with useless traffic or activity. A distributed denial of service, or DDoS, attack uses multiple computers to launch a DoS attack. While a DoS attack does not do any technical damage, it can do substantial damage to an e-business, as every lost second may result in loss of revenue. The attacker first breaks into thousands of insecure computers on the internet and installs an attack program, then co-ordinates them all to attack the target simultaneously. The traditional defenses do not work against the attack and the system crashes.

DoS attacks do not affect the data on the website. They cannot steal credit card numbers or proprietary information, nor can they transfer money out of bank accounts. Still, they are very serious. For most big corporations the biggest risk of a security breach is loss of income or loss of reputation, either of which is achieved by a conspicuous DoS attack.

Viruses

Viruses are the most common security risk faced by e-businesses. A virus is a small program that inserts itself into other program files, thereby infecting these files. The virus spreads when an infected program is executed, which then infects other programs.

The consequences of a virus attack can be:
Inability to boot
Deletion of files
Deletion of data on hard disc
Inability to create files
Inability to save files

Logic bomb: a virus which is triggered by an event, such as a combination of a particular day & date.
Trojan horse: a special type of virus that emulates a benign application. It appears to do something useful but actually destroys files or creates a back door entry to give access to an intruder. A Trojan horse may come as spam e-mail or through a program download.
Worm: a worm replaces a document or an application with its own code & then copies itself.
Macro virus: it infects an MS Word or Excel macro (short program). It gets introduced into a computer system as a part of a Word or Excel file received through e-mail. Opening the mail or file triggers the macro virus.

E-Business Risk Management Issues


For e-business, e-security issues are business issues and not just a technology issue. Therefore e-businesses must consider the direct financial impact of such risks, e.g.
1. Business interruptions caused by website defacement or Denial of Service attacks
2. Litigation and settlement costs over employees' inappropriate use of e-mail and internet
3. Product or service claims against items advertised and sold via a website
4. Web related copyright, trademark and patent infringement lawsuits
5. Natural or weather related disasters

E-business risk management program

An effective risk management program shall include the following:

A. Network & website security and intruder detection programs
B. Antivirus protection
C. Firewalls
D. Sound security policies and procedures
E. Employee education
F. Transfer of risk via insurance

Firewall
[Figure: Company's Network | FIREWALL | Internet]

An internet firewall is a system that enforces a security policy between an organisation's network and the internet. The firewall decides which internal services may be accessed from outside (the internet) and which outside services can be accessed from inside. All the traffic coming into & going out from the company's network must pass through the firewall. The firewall implements a security policy. The security policy is communicated to all the users. It defines responsibilities of users, network access, local & remote user authentication etc.

The sender sends data in the form of packets. The firewall checks each packet and applies the security policy; if the packet passes the criteria laid down by the policy, it will be received by the receiver. A firewall can be a router, a PC, or a collection of PCs (called hosts). It creates a perimeter defense designed to protect the information resources of the organisation.

Various Purposes of a firewall

Protection of Vulnerable services


A firewall can greatly improve network security and reduce risks to hosts by filtering inherently insecure services. Only selected protocols will be able to pass through the firewall. A firewall can also provide protection from routing based attacks, such as source routing and attempts to redirect routing paths to compromised sites.

Controlled access to site systems:

A firewall also provides the ability to control access to site systems. E.g. some hosts can be made reachable from outside, whereas others can be effectively sealed off from unwanted access. Every user of the network is authenticated every time. Only mail servers will be open to everyone.

Concentrated Security
A firewall can be less expensive because additional security software is located on the firewall system rather than distributed across many hosts. One-time password systems and other add-on authentication software could be located at the firewall.

Enhanced Privacy
Using a firewall, some sites wish to block services like finger and Domain Name Service, which display information about users. These could leak information to attackers which may be used maliciously.

Need for usage statistics on Network

If all access to & from the internet passes through the firewall, the firewall can log accesses and provide valuable statistics about network usage. With appropriate alarms, the firewall can also provide details of suspicious activity that occurs, such as whether the firewall and network are being probed or attacked.

Policy Enforcement: The firewall provides the means for implementing and enforcing a network access policy. The administrator can decide the way user access is controlled.

Components of a Firewall

The primary aspects of a firewall are:
1. Network policy
2. Advanced authentication mechanism
3. Packet filtering
4. Application gateways

Network Policy

There are two levels of policy:
The higher level policy is an issue-specific network access policy that defines those services which will be allowed or explicitly denied from the restricted network, how these services will be used, and the conditions for exceptions to the policy.
The lower level policy describes how the firewall will actually go about restricting the access and filtering the services that are defined in the higher level policy.

Service Access Policy

The idea is to provide a balance between protecting the network from known risks and still providing users access to network resources. A typical policy may be to allow no access to a site from the internet, but allow access from the site to the internet. Another typical policy would be to allow limited access to the internet, such as information servers and e-mail servers. Firewalls often implement service access policies that allow some access from the internet to selected internet hosts, but it will be granted only if necessary, with advanced authentication.

Firewall design policy


Firewall design policy defines the rules used to implement the service access policy. Firewalls generally work on one of two basic design policies:
1) Permit any service unless it is expressly denied.
2) Deny any service unless it is expressly permitted.
The first policy allows all services to pass into the site by default, with the exception of a few disallowed services. The second policy denies all services by default, but passes those which are allowed. This policy is used for information security.

One of the reasons for security lapses concerning the identity of internet users has been the weakness of traditional passwords. Intruders can monitor the net for passwords that are transmitted, and thus traditional passwords have become obsolete in secured environments.

Advanced Authentication

Advanced authentication measures such as smartcards, authentication tokens, biometrics and software based mechanisms are designed to counter the weaknesses of traditional passwords.
The passwords generated by an advanced authentication device cannot be reused by an attacker who has monitored a connection.
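
One way a token can generate passwords that are useless once observed, as an added example that is not part of the original slides: a counter-based one-time password (HOTP, RFC 4226) checked by a verifier that accepts each value only once. The secret is the RFC's published test key; the OtpVerifier class and its look-ahead window are assumptions made for illustration.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble picks the 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpVerifier:
    """Server side (hypothetical class): each counter value is accepted once."""

    def __init__(self, secret: bytes, look_ahead: int = 3):
        self.secret = secret
        self.next_counter = 0        # lowest counter value still acceptable
        self.look_ahead = look_ahead  # tolerate a few unused button presses

    def verify(self, candidate: str) -> bool:
        last = self.next_counter + self.look_ahead
        for counter in range(self.next_counter, last + 1):
            if hmac.compare_digest(hotp(self.secret, counter), candidate):
                # Move past the matched counter so the same password
                # (and every earlier one) is rejected from now on.
                self.next_counter = counter + 1
                return True
        return False


def demo() -> list:
    secret = b"12345678901234567890"    # RFC 4226 test key, not a real secret
    server = OtpVerifier(secret)
    first = hotp(secret, 0)             # what the token displays first
    second = hotp(secret, 1)            # what it displays next
    return [
        server.verify(first),    # legitimate login
        server.verify(first),    # same password seen on the wire, sent again
        server.verify(second),   # next legitimate login
    ]


if __name__ == "__main__":
    print(demo())
```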

Packet Filtering

IP packet filtering is done using a packet filtering router. It usually filters IP packets based on some or all of the following fields:
Source IP address
Destination IP address
TCP/UDP source port
TCP/UDP destination port

Filtering can be used in a variety of ways to block connections from or to specific hosts or networks, and to block connections to specific ports.
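
The filtering fields listed above and the two firewall design policies described earlier, put together as an added example (not part of the original slides): the same packets are evaluated under "permit unless denied" and under "deny unless permitted". The addresses are documentation ranges and the rule sets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str          # "tcp" or "udp"
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    src_net: str = "0.0.0.0/0"       # default: any source
    dst_net: str = "0.0.0.0/0"       # default: any destination
    proto: Optional[str] = None      # None matches any protocol
    src_port: Optional[int] = None   # None matches any port
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (
            ipaddress.ip_address(p.src_ip) in ipaddress.ip_network(self.src_net)
            and ipaddress.ip_address(p.dst_ip) in ipaddress.ip_network(self.dst_net)
            and self.proto in (None, p.proto)
            and self.src_port in (None, p.src_port)
            and self.dst_port in (None, p.dst_port)
        )


def decide(rules: List[Rule], packet: Packet, default: str) -> str:
    """First matching rule wins; the design policy supplies the default."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return default


MAIL_SERVER = "192.0.2.25"   # constructed address inside the company network

# Design policy 1: permit any service unless it is expressly denied.
PERMIT_UNLESS_DENIED = [
    Rule("deny", proto="tcp", dst_port=23),   # telnet
    Rule("deny", proto="tcp", dst_port=79),   # finger
]
# Design policy 2: deny any service unless it is expressly permitted.
DENY_UNLESS_PERMITTED = [
    Rule("permit", dst_net=MAIL_SERVER + "/32", proto="tcp", dst_port=25),
]

# Constructed sample traffic arriving from the internet.
SAMPLE = {
    "smtp to mail server": Packet("198.51.100.7", MAIL_SERVER, "tcp", 40000, 25),
    "telnet to a desktop": Packet("198.51.100.7", "192.0.2.10", "tcp", 40001, 23),
    "service nobody listed": Packet("203.0.113.9", "192.0.2.10", "tcp", 40002, 5900),
}


def compare_policies() -> dict:
    """Map each sample packet to (verdict under policy 1, verdict under policy 2)."""
    return {
        name: (decide(PERMIT_UNLESS_DENIED, pkt, "permit"),
               decide(DENY_UNLESS_PERMITTED, pkt, "deny"))
        for name, pkt in SAMPLE.items()
    }


if __name__ == "__main__":
    for name, verdicts in compare_policies().items():
        print(f"{name:24} policy1={verdicts[0]:7} policy2={verdicts[1]}")
```

The third packet is the one that separates the two policies: a service the administrator never thought about passes under policy 1 and is dropped under policy 2.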

Application Gateways

To counter some of the weaknesses associated with packet filtering routers, firewalls need to use software applications to forward and filter connections for services such as Telnet and FTP.

Such an application is referred to as a proxy service. The host running the proxy service is called an application gateway.
A combination of packet filter and application gateway provides a higher level of security.

Benefits of Internet Firewall

Helps the administrator to find out & keep away hackers, crackers & spies.
It is a convenient point where internet security can be monitored and alarms generated.
The internet firewall is the perfect point to audit or log internet usage.
It is a point where you can deploy WWW & FTP servers.
It also provides a single point of failure, so that if the internet fails the company's private network still continues to operate.

E-Payment

Money is a social phenomenon, with its roots in the barter economy. The payment systems have evolved out of barter economy. The development of money as medium of exchange empowered buyers & sellers. The buyers and sellers recognised that doing business becomes much more efficient if everyone used a commonly accepted form of payment. The notion of money continues to evolve, driven by marketplace preference for increased convenience and efficiency, and decreasing risk and costs. (e.g. development of card payment).


Digital payment requirements

Acceptability: Payment infrastructure needs to be widely accepted.
Anonymity: Identity of customers should be protected.
Convertibility: Digital money should be convertible to any type of fund.
Efficiency: Cost per transaction should be near to zero.
Integration: Interfaces should be created to support the existing system.
Scalability: Infrastructure should not break down if new customers and merchants join.
Security: Should allow financial transactions over open networks.
Reliability: Should avoid a single point of failure.
Usability: Payment should be as easy as in the real world.

Online Payment Categories

Online payments can be broadly classified into three categories as per the table below.

Category | Description
Micropayments | Transaction value less than 5 Euros or Dollars. Transaction costs are nearly zero.
Consumer Payments | Transaction value between 5 & 500 Euros or Dollars. Payments are executed by credit card transactions.
Business Payments | Transaction value more than 500 Euros or Dollars. Debit cards or invoices are appropriate solutions in this system.

Digital Token Based E-Payment System

Western Union charge cards: 1914
Bank of America card with revolving credit: 1958
Visa card: 1970
Debit card: access funds in an account using electronic means
Now you can migrate the electronic payments to wireless devices such as mobile phones.

Benefits to buyers

Convenience of global acceptance and a wide range of payment options.
Enhanced security and reduced liability for stolen or misused cards.
Consumer protection through an established system of dispute resolution.
Accessibility to immediate credit.

Benefits to sellers

Speed and security of the transaction processing chain, from verification and authorisation to clearing and settlement.
Freedom from more costly labour, materials and accounting services that are required in paper based processing.
Better management of cash flow, inventory and financial planning due to swift bank payment.
Incremental purchase power on the part of the consumer.
Cost & risk savings by eliminating the need to run an in-house credit facility.

Credit Cards as E Payment System


Why is it popular?
1. Payment is simple, anywhere & in any currency.
2. Transaction costs are hidden from the user. (Paid by sellers and ultimately recovered from all consumers and not just credit card users)
3. The credit issuing company shares the transaction risk.

Disadvantages of credit cards


High transaction cost; not suitable for small value orders.
Cannot be used by an individual for making payment to another individual.
Security expenses are high.
Users fear security issues due to unfamiliarity.

E-Payments in India

The e-payment system in India is evolving.
RBI started promoting automation in banking from 1990 onwards.
RBI has set up an electronic clearing service (ECS), which was successful despite the varying levels of automation in Indian banks.
It has also built the national electronic fund transfer (EFT) system.
These systems will in turn promote credit and debit card use in India.
RBI is also rolling out a real time gross settlement service (RTGS); with this, Indian banks and businesses will be better able to realise the value of e-payments to their operations.

Encryption and Credit Cards

Encryption is done when credit card information is entered into a browser or other e-commerce device and sent securely over the net from buyer to seller as an encrypted message. However, this has to be further secured by the following sequence of steps.

1. A customer presents his credit card information along with an authenticity signature.
2. The merchant validates the customer's identity as the owner of the card account.
3. The merchant relays the credit card charge information and signature to its bank or online credit card processor.
4. The processor party relays the information to the customer's bank for authorisation.
5. The customer's bank returns the credit card data and charge authorisation to the merchant.

In this scheme, each consumer and each vendor generates a public key and a secret key. The public key is sent to the credit card company and put on its public key server. The secret key is re-encrypted with a password, and the unencrypted version is erased.
The credit card company assumes a larger share of risk on both buyer and seller in a transaction. Buyers can sometimes dispute a charge, while sellers are ensured that they will be paid for all the sales.
Most of the time credit card payments are the fastest.
However, credit card transactions are not anonymous, and in fact the companies compile valuable data about spending habits.

New Payment Systems

These are roughly divided into 2 groups, one using smart cards and the other using the internet. These systems augment payment instruments with the use of networks and electronics, while maintaining the strength of the older system. They can be classified as:
Cash substitution
Cheque substitution
Credit card substitution
Account transfer substitution systems

Smart Cards

Smart cards are credit and debit cards and similar, enhanced with microprocessors, capable of handling more information than a magnetic strip (almost 80 times). These cards use methods known as stored value card or electronic purse (similar to the Itz card but with a microprocessor). Units of prepayment or currency value are electronically stored on an IC embedded in these cards.

Features of Smart Cards

Processor cards (and therefore memory too)
Credit card size
  With or without contacts.
Cards have an operating system too. The OS provides:
  A standard way of interchanging information
  An interpretation of the commands and data.
Cards must interface to a computer or terminal through a standard card reader.

Smart Card Readers

Computer based readers: connect through USB or COM (serial) ports.

Dedicated terminals: usually with a small screen, keypad and printer; often also have biometric devices such as a thumb print scanner.

Terminal/PC Card Interaction


The terminal/PC sends commands to the card (through the serial line). The card executes the command and sends back the reply. The terminal/PC cannot directly access the memory of the card.

Data in the card is protected from unauthorized access. This is what makes the card smart.

Security Mechanisms

Password: card holder's protection
Cryptographic challenge-response: entity authentication
Biometric information: person's identification
A combination of one or more
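
The command/reply interaction and two of the mechanisms above (password and cryptographic challenge-response), sketched as an added example that is not part of the original slides. The card is simulated in software; the command names, status strings and the HMAC-based response are assumptions chosen for illustration, not a real card command set.

```python
import hashlib
import hmac
import secrets


class SimulatedCard:
    """Stand-in for a smart card: the only way in is command().
    Python name mangling merely represents the isolation that a real card's
    hardware and operating system enforce."""

    MAX_PIN_TRIES = 3

    def __init__(self, pin: str, key: bytes):
        self.__pin = pin
        self.__key = key                  # never returned by any command
        self.__tries_left = self.MAX_PIN_TRIES
        self.__unlocked = False

    def command(self, name: str, data: bytes = b""):
        """Execute one terminal command and return (status, reply_bytes)."""
        if name == "VERIFY_PIN":
            return self.__verify_pin(data), b""
        if name == "AUTHENTICATE":
            if not self.__unlocked:
                return "PIN_REQUIRED", b""
            # The reply proves knowledge of the key without revealing it.
            return "OK", hmac.new(self.__key, data, hashlib.sha256).digest()
        return "UNKNOWN_COMMAND", b""     # no command reads memory directly

    def __verify_pin(self, data: bytes) -> str:
        if self.__tries_left == 0:
            return "BLOCKED"
        if hmac.compare_digest(data, self.__pin.encode()):
            self.__tries_left = self.MAX_PIN_TRIES
            self.__unlocked = True
            return "OK"
        self.__tries_left -= 1
        self.__unlocked = False
        return "BLOCKED" if self.__tries_left == 0 else "WRONG_PIN"


def terminal_checks_card(card: SimulatedCard, issuer_key: bytes, pin: str) -> bool:
    """Terminal side: card holder check (PIN), then entity authentication."""
    status, _ = card.command("VERIFY_PIN", pin.encode())
    if status != "OK":
        return False
    challenge = secrets.token_bytes(16)   # fresh each time, so a recorded reply is useless
    status, response = card.command("AUTHENTICATE", challenge)
    expected = hmac.new(issuer_key, challenge, hashlib.sha256).digest()
    return status == "OK" and hmac.compare_digest(response, expected)


def demo() -> dict:
    key = b"constructed-issuer-key"       # sample value, not a real key
    genuine = SimulatedCard("4321", key)
    no_key = SimulatedCard("4321", b"some-other-key")   # right PIN, wrong key
    locked = SimulatedCard("4321", key)
    wrong = [locked.command("VERIFY_PIN", b"0000")[0] for _ in range(3)]
    return {
        "genuine card accepted": terminal_checks_card(genuine, key, "4321"),
        "card without issuer key accepted": terminal_checks_card(no_key, key, "4321"),
        "three wrong PINs": wrong,
        "correct PIN after block": locked.command("VERIFY_PIN", b"4321")[0],
        "authenticate before PIN": SimulatedCard("4321", key).command("AUTHENTICATE", b"x")[0],
        "attempt to read the key": genuine.command("READ_KEY")[0],
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```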

What's Good About Cash?

Anonymous - The seller doesn't care who you are
Difficult to counterfeit (paper, printing methods, lots of new tricks)
Backed by the government
Trusted by everyone (We're all used to it)
A visible representation of funds (you can see what you've got)

What's Bad About Cash?

Must be handled/observed by human eyesight or a costly photo-scanner
Fixed denominations require making change
Not suitable for use on the Internet
Notes consume space and must be physically secured
No audit trail

What is E-cash

ECash is a legal form of computer-based currency that can be securely purchased and withdrawn by credit card, cheque, certified cheques, wire transfer, money order and Electronic Cheque Processing (ECP).


Why eCash is Like Cash?


A representation of value
Anonymous - The seller doesn't care who you are

Why is eCash like a Credit Card?


Information is electronic; access is simple and fast
Audit trail is optional and personal but available.

E-Cash

E-cash must have a monetary value; it must be backed by either cash (currency), bank authorised credit, or a banker's cheque.
E-cash must be interoperable (meaning exchangeable as a payment).
E-cash must be storable and retrievable. Remote storage and retrieval (i.e. using a phone line) will allow users to exchange e-cash.
E-cash should not be easy to copy or tamper with while being exchanged.

E-cash is based on a cryptographic system called digital signature. It involves a pair of numeric keys (very large numbers) that work in tandem, one for locking and the other for unlocking. A message encoded with one numeric key can be decoded only with the other key. The encoding key is kept private (with the bank) and the decoding key is made public (i.e. to buyers and sellers).

Purchasing e-cash involves 2 steps:
Establishment of an account
Maintaining enough money in the account

Using the account, people can deposit or withdraw e-cash. When a withdrawal is made, the computer calculates the denominations of currency needed, and a random number is generated using the note numbers of these denominations (for blinding), which is sent to the digital bank. The bank then issues the required denominations in the encrypted message and debits the account.

Cheque Payment systems on internet

Magnetic Ink Character Recognition (MICR): Using the data printed at the bottom of a cheque, a reader can read and process the cheque electronically.
CheckFree: Upon customer request, this service issues an electronic cheque and executes settlement between customer & retailer. This system does cheque processing as well as issuance.

Electronic Cheque: In this system, a consumer possesses an electronic cheque book on a PC memory card called a PCMCIA card. As needed, cheques are written electronically from the e-chequebook on the card. They are then sent over the internet to the retailer, who in turn sends the cheque to the customer's bank. Settlement is done through the financial network to the appropriate place, such as the retailer's bank account.

Risk & E-Payment System

There are three major risks in e-payment:
1. Data Protection: Abuse of data related to users.
2. Data Reliability: The authentication of parties.
3. Taxation: Issues related to tax.

Fraud, financial misbehaviour and tax avoidance are not found just in e-commerce, but e-commerce presents new ways to commit old crimes. E-commerce is difficult to regulate since:
1. The scope of e-commerce and the technology involved change rapidly. The pace of change is so rapid that the legal system cannot evolve as fast.
2. The very nature of e-commerce technology is transnational. This leads to problems such as which legal system has jurisdiction over e-commerce.
Operation of e-commerce incurs risks of fraud or mistake, privacy issues and credit risk.

Risks from mistakes & disputes: Once information is captured electronically it is easy & inexpensive to keep it stored. Given the intangible nature of electronic transactions, dispute resolution relies solely on records. Features of such records include:
Permanent storage
Accessibility & traceability
A payment system database
Data transfer to payment maker / bank / monetary authorities

Managing information privacy: All the records in an e-payment system can be linked as they are in a single dossier. The e-payment system must ensure and maintain privacy.

Managing Credit Risk: Credit risk is a major concern in a net settlement system, because a bank's failure to settle its net position could lead to a chain reaction of bank failures. A digital central bank must guarantee settlement and ensure liquidity of the banks.

Designing E-payment system


Privacy: The user expects trustworthiness.
Security: A secure system verifies the identity of the two parties to a transaction through user authentication and enforces access control.
Intuitive interfaces: The payment interface must be easy to use. Users value convenience more than anything.
Database integration: Customers may want to access accounts stored in separate databases. The challenge before banks is to tie these databases together and allow customers to access them.
Brokers: Someone to offer goods and services, settle conflicts and facilitate transactions must be in place.
Pricing: The new systems for services cost money, but to attract customers to use them it may be necessary to offer subsidies.
Standards: Standards enable interoperability, giving users the ability to buy and receive information, regardless of which bank is managing their money.

A major barrier to the growth of electronic commerce is fear of lack of security. Digital signatures provide data security and integrity. This eliminates the fear of lack of security. Digital signatures are often used to implement electronic signatures, a broader term that refers to any electronic data that carries the intent of a signature; however, not all electronic signatures use digital signatures. Digital signatures employ a type of asymmetric cryptography. Thus, in the case of messages sent through a non-secure channel, a properly implemented digital signature gives the receiver a reason to believe that the message was sent by the claimed sender.

How digital technology works?


Digital Signature Creation
Digital Signature Verification
Signer Authentication
Message Authentication: assurance of genuineness of data in the document

The sender uses his private key to compute the digital signature. For this, a one-way hashing algorithm is used to calculate a message digest. The sender's private key is used to encrypt the message digest. The encrypted message digest is called the digital signature.
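
The creation and verification steps above, and the blinding step from the e-cash withdrawal described earlier, as an added example that is not part of the original slides. It uses textbook RSA with no padding and two publicly known primes, so it shows the arithmetic only; production systems use a vetted library and a padded scheme. Reading the e-cash slide's "blinding" as an RSA blind signature is an assumption, and all message and serial values are constructed.

```python
import hashlib
import math
import secrets

# Toy key pair: two well-known Mersenne primes, unsafe for any real use.
P = 2 ** 127 - 1
Q = 2 ** 521 - 1
N = P * Q                              # public modulus
E = 65537                              # public (verification) exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private (signing) exponent


def digest_int(message: bytes) -> int:
    """One-way hash of the message, as an integer smaller than N."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes) -> int:
    """Signer: transform the message digest with the private key."""
    return pow(digest_int(message), D, N)


def verify(message: bytes, signature: int) -> bool:
    """Receiver: undo the transform with the public key, compare digests."""
    return pow(signature, E, N) == digest_int(message)


def blind(serial: bytes, r: int) -> int:
    """Customer: hide the note's digest from the bank with random factor r."""
    if math.gcd(r, N) != 1:
        raise ValueError("blinding factor must be invertible modulo N")
    return (digest_int(serial) * pow(r, E, N)) % N


def sign_blinded(blinded: int) -> int:
    """Bank: sign the value it was sent, without learning the serial."""
    return pow(blinded, D, N)


def unblind(blind_signature: int, r: int) -> int:
    """Customer: remove r, leaving an ordinary signature on the serial."""
    return (blind_signature * pow(r, -1, N)) % N


def demo() -> dict:
    order = b"pay 100 to merchant 42"            # constructed message
    signature = sign(order)

    serial = b"note-serial-0001"                 # constructed note number
    r = 0
    while r < 2 or math.gcd(r, N) != 1:
        r = secrets.randbelow(N)
    blinded = blind(serial, r)
    note_signature = unblind(sign_blinded(blinded), r)

    return {
        "original message verifies": verify(order, signature),
        "altered message verifies": verify(b"pay 900 to merchant 42", signature),
        "bank saw the note digest": blinded == digest_int(serial),
        "unblinded note verifies": verify(serial, note_signature),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```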

A signature is not a part of the substance of transaction, rather it represents the integrity.
As organizations move away from paper documents with ink signatures or authenticity stamps, digital signatures can provide added assurances of the evidence to origin, identity, and status of an electronic document as well as acknowledging informed consent and approval by a signatory. e.g. Government publishes electronic versions of the budget, laws, etc. with digital signatures. Universities in US are publishing electronic student transcripts with digital signatures.

Signature and the law


Evidence: A signature authenticates the writing by identifying the signer with the signed document.
Legality: The act of signing a document calls to the signer's attention the legal significance of the signer's act.
Approval: A signature expresses the signer's approval or authorisation of the writing, or a claim that it has legal validity.
Efficiency and logistics: A signature on a written document often imparts a sense of clarity and finality to the transaction and reduces the need to inquire beyond the face of a document.
Authenticity: To achieve the basic purpose of a signature, it must have the following attributes:
  Signer authentication: a signature should indicate who signed a document.
  Document authentication: a signature should identify what is signed, making it impracticable to falsify or alter the matter or the signature without detection.
Affirmation: Affixing the signature serves the ceremonial and approval function of a signature and establishes legality.

Indian Websites that use digital signature


Shopping & Auction sites: Sify Mall, Bazee, Fabmall, Rediff
Booking & Reservations: Major Airline, Railways
Service companies: Cellular Providers, ISPs
Net Banking: ICICI, HDFC

Secure e-payment system process


A secured transaction process system is critical to e-commerce. There are two common standards used for secure e-payments: SSL & SET.

SSL: Secure Sockets Layer is a transport layer security protocol. SSL provides a simple encrypted connection between the client's computer and the merchant's server over the net. It also provides authentication for the merchant's server with its digital certificate from a certifying authority.

SET: It is a messaging protocol designed by VISA and MasterCard for securing credit card transactions over open networks. Three features of SET are:
1. All sensitive information sent within the three parties is encrypted.
2. All three parties are required to authenticate themselves with certificates.
3. The members never see the customer's card number in plain text.

Thank You !
