E Security E Payment

Transcript of E Security E Payment

  • 8/12/2019 E Security E Payment

    1/70

    1

    E-Security & E-Payment

    S.P.Sabnis

    Don Bosco Institute of Technology

    E-Security

    Any business, whether a traditional BAM, a brick & click or a pure e-business, needs to be concerned about security.

    The internet being a public network, any private network connected to the internet is exposed to potential threats from anywhere on the public network.

    In the physical world, crime often leaves evidence such as fingerprints. Similarly, cyber crime also leaves physical electronic evidence, but unless good security measures are taken, it may be difficult to trace the source of a cyber crime.

    Goals of security

    Integrity of the data sent and received.

    Confidentiality of data, so that it is not accessible to others.

    The data ought to be available to the people for whom it is meant.

    [Diagram: Confidentiality, Integrity, Availability]

    Violations of security

    1. Interception: Intercept the data with the intent of spying on it.

    The middle man just listens to your communication. Imagine someone listening to national secrets.

    2. Interruption: Interrupt the data and cut it off as shown.

    The middle man receives the messages and prevents the receiver from receiving them. The sender will believe that the receiver has received the message, but the receiver has not received it. (Suppose you want to fire a missile, but the missile software is not receiving your commands, and worst of all you think the missile is fired :)

    3. Modification: Interrupt the data, modify it and send different data to the receiver as shown.

    The middle man receives the message, modifies it and then sends it to the actual receiver. (Imagine if the target of the missile is changed to your country itself.)

    4. Fabrication: Fabricate fake data and send the new data to the receiver as shown.

    The middle man will just fabricate a new message and send it to the receiver. The receiver will believe that the message came from the sender. (Imagine a missile being fired at your friendly nations :)

    General security issues

    Connection to the internet: Private computer networks are at risk from potential threats from anywhere on the public internet network.

    Unknown risks: New security holes and methods of attacking networks are being discovered with alarming frequency.

    Customer privacy and security of customer information: Not only are steps required to protect the privacy of customer information, but customers must also be made aware of those steps and have confidence in them.

    Security consciousness: Management and employees must understand the importance of security policies and procedures.

    Network and website security risks

    An e-business must protect itself against unauthorised access to its computer network, denial of service traffic overloads, and intrusion of destructive viruses.

    Malicious hackers, or crackers, gain access to steal valuable information such as credit card numbers, attempt to disrupt service or cause any other damage.

    Denial of service attacks

    A DoS is an attack on a network that is designed to disable the network by flooding it with useless traffic or activity. A distributed denial of service, or DDoS, attack uses multiple computers to launch a DoS attack. While a DoS attack does not do any technical damage, it can do substantial damage to an e-business, as every lost second may result in loss of revenue.

    The attacker first breaks into thousands of insecure computers on the internet and installs an attack program, then co-ordinates them all to attack the target simultaneously. The traditional defenses do not work against the attack and the system crashes.

    DoS attacks do not affect the data on the website. They cannot steal credit card numbers or proprietary information, nor can they transfer money out of bank accounts. Still, they are very serious.

    For most big corporations the biggest risk of a security breach is loss of income or loss of reputation, either of which is achieved by a conspicuous DoS attack.

    Viruses

    Viruses are the most common security risk faced by e-businesses. A virus is a small program that inserts itself into other program files, thereby infecting these files. The virus spreads when an infected program is executed, which then infects other programs.

    The consequences of a virus attack can be:

    Inability to boot

    Deletion of files

    Deletion of data on hard disc

    Inability to create files

    Inability to save files

    Logic bomb: A virus which is triggered by an event, such as a combination of a particular day & date.

    Trojan horse: A special type of virus that emulates a benign application. It appears to do something useful but actually destroys files or creates a back door entry to give access to an intruder. A Trojan horse may come as spam e-mail or through a program download.

    Worm: A worm replaces a document or an application with its own code & then copies itself.

    Macro virus: It infects an MS Word or Excel macro (short program). It gets introduced into a computer system as part of a Word or Excel file received through e-mail. Opening the mail or file triggers the macro virus.

    E-Business Risk Management Issues

    For an e-business, e-security issues are business issues and not just a technology issue. Therefore e-businesses must consider the direct financial impact of such risks, e.g.

    1. Business interruptions caused by website defacement or Denial of Service attacks

    2. Litigation and settlement costs over employees' inappropriate use of e-mail and internet

    3. Product or service claims against items advertised and sold via a website

    4. Web related copyright, trademark and patent infringement lawsuits &

    5. Natural or weather related disasters.

    E-business risk management program

    An effective risk management program shall include the following:

    A. Network & website security and intruder detection programs

    B. Antivirus protection

    C. Firewalls

    D. Sound security policies and procedures

    E. Employee education

    F. Transfer of risk via insurance

    Firewall

    An internet firewall is a system that enforces a security policy between an organisation's network and the internet.

    The firewall decides which internal services may be accessed from outside (internet) and which outside services can be accessed from inside.

    All the traffic coming into & going out from the company's network must pass through the firewall. The firewall implements a security policy. The security policy is communicated to all the users. It defines the responsibilities of users, network access, local & remote user authentication etc.

    [Diagram: Company's network, FIREWALL, Internet]

    The sender sends data in the form of packets. The firewall checks each packet and applies the security policy; if the packet passes the criteria laid down by the policy, the packet will be received by the receiver.

    A firewall can be a router, a PC, or a collection of PCs (called hosts). It creates a perimeter defense designed to protect the information resources of the organisation.

    Controlled access to site systems:

    A firewall also provides the ability to control access to site systems. E.g. some hosts can be made reachable from outside, whereas others can be effectively sealed off from unwanted access.

    Every user of the network is authenticated every time. Only mail servers will be open to everyone.

    Concentrated Security

    A firewall can be less expensive, since additional security software can be located on the firewall system rather than distributed over many hosts. One-time password systems and other add-on authentication software could be located at the firewall.

    Enhanced Privacy

    Using a firewall, some sites wish to block services like finger and Domain Name Service, which display information about users. These could leak information to attackers which may be used maliciously.

    Need for usage statistics on Network

    If all access to & from the internet passes through the firewall, the firewall can log accesses and provide valuable statistics about network usage.

    With appropriate alarms, the firewall can also provide details of suspicious activity that occurs, and of whether the firewall and network are being probed or attacked.

    Policy Enforcement: The firewall provides the means for implementing and enforcing a network access policy. The administrator can decide the way user access is controlled.

    Components of a Firewall

    The primary aspects of a firewall are

    1. Network policy

    2. Advanced authentication mechanism

    3. Packet filtering

    4. Application gateways

    Network Policy

    There are two levels of policy

    The higher level policy is an issue-specific network access policy that defines those services which will be allowed or explicitly denied from the restricted network. It also defines how these services will be used and the conditions for exceptions to the policy.

    The lower level policy describes how the firewall will actually go about restricting access and filtering the services that are defined in the higher level policy.

    Service Access Policy

    The idea is to provide a balance between protecting the network from known risks, while still providing users access to network resources.

    A typical policy may be to allow no access to a site from the internet, but allow access from the site to the internet.

    Another typical policy would be to allow limited access to the internet, such as information servers and e-mail servers.

    Firewalls often implement service access policies that allow some access from the internet to selected internet hosts, but it will be granted only if necessary and with advanced authentication.

    Firewall design policy

    The firewall design policy defines the rules used to implement the service access policy. Firewalls generally work on one of two basic design policies:

    1) Permit any service unless it is expressly denied.

    2) Deny any service unless it is expressly permitted.

    The first policy allows all services to pass into the site by default, with the exception of a few disallowed services.

    The second policy denies all services by default, but passes those which are allowed. This policy is used for information security.

    Advanced Authentication

    One of the reasons for security lapses concerning the identity of internet users has been the weakness of traditional passwords. Intruders can monitor the net for passwords that are transmitted, and thus traditional passwords have become obsolete in secured environments.

    Advanced authentication measures such as smartcards, authentication tokens, biometrics and software based mechanisms are designed to counter the weaknesses of traditional passwords.

    The passwords generated by an advanced authentication device cannot be reused by an attacker who has monitored a connection.

    Packet Filtering

    IP packet filtering is done using a packet filtering router. It usually filters IP packets based on some or all of the following fields:

    Source IP address

    Destination IP address

    TCP/UDP source port

    TCP/UDP destination port

    Filtering can be used in a variety of ways to block connections from or to specific hosts or networks, and to block connections to specific ports.
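Added example (not part of the original slides): a first-match packet filter over the four fields listed above, evaluated under both firewall design policies (permit unless denied, deny unless permitted). The rule set, class names and addresses are constructed for illustration; the addresses come from the documentation ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str      # "tcp" or "udp"
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                                   # "permit" or "deny"
    src_net: str = "0.0.0.0/0"                    # default: any source
    dst_net: str = "0.0.0.0/0"                    # default: any destination
    proto: Optional[str] = None                   # None matches tcp and udp
    src_ports: Optional[Tuple[int, int]] = None   # inclusive (low, high)
    dst_ports: Optional[Tuple[int, int]] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(self.src_net):
            return False
        if ipaddress.ip_address(pkt.dst_ip) not in ipaddress.ip_network(self.dst_net):
            return False
        for wanted, actual in ((self.src_ports, pkt.src_port),
                               (self.dst_ports, pkt.dst_port)):
            if wanted is not None and not (wanted[0] <= actual <= wanted[1]):
                return False
        return True


def decide(pkt: Packet, rules, default: str) -> str:
    """First matching rule wins; `default` is the design policy for everything else."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed rule set: site network 192.0.2.0/24, mail server 192.0.2.25.
RULES = [
    Rule("deny", src_net="203.0.113.0/24"),                      # block a specific network
    Rule("permit", dst_net="192.0.2.25/32", proto="tcp",
         dst_ports=(25, 25)),                                    # mail server open to everyone
    Rule("permit", src_net="192.0.2.0/24"),                      # site -> internet
]

# Constructed sample packets.
PACKETS = {
    "mail_from_outside":     Packet("198.51.100.7", "192.0.2.25", "tcp", 40000, 25),
    "mail_from_blocked_net": Packet("203.0.113.9", "192.0.2.25", "tcp", 40000, 25),
    "telnet_to_internal":    Packet("198.51.100.7", "192.0.2.10", "tcp", 40001, 23),
    "outbound_web":          Packet("192.0.2.10", "198.51.100.7", "tcp", 50000, 443),
}


def compare_policies():
    """Return {packet name: (verdict under default-permit, verdict under default-deny)}."""
    return {name: (decide(p, RULES, "permit"), decide(p, RULES, "deny"))
            for name, p in PACKETS.items()}


if __name__ == "__main__":
    for name, (open_default, closed_default) in compare_policies().items():
        print(f"{name:24s} default-permit={open_default:6s} default-deny={closed_default}")
```

Only the packet that no rule anticipated (telnet to an internal host) changes verdict between the two policies. This filter is stateless, so return traffic for outbound connections would need its own rules.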

    Application Gateways

    To counter some of the weaknesses associated with packet filtering routers, firewalls need to use software applications to forward and filter connections for services such as Telnet and FTP.

    Such an application is referred to as a proxy service. The host running the proxy service is called an application gateway.

    A combination of packet filter and application gateway provides a higher level of security.

    Benefits of Internet Firewall

    Helps the administrator to find out & keep away hackers, crackers & spies.

    It is a convenient point where internet security can be monitored and alarms generated.

    The internet firewall is the perfect point to audit or log internet usage.

    It is a point where you can deploy WWW & FTP servers.

    It also provides a single point of failure, so that if the internet fails the company's private network still continues to operate.

    E-Payment

    Money is a social phenomenon, with its roots in the barter economy. Payment systems have evolved out of the barter economy. The development of money as a medium of exchange empowered buyers & sellers. Buyers and sellers recognised that doing business becomes much more efficient if everyone uses a commonly accepted form of payment.

    The notion of money continues to evolve, driven by marketplace preference for increased convenience and efficiency, and decreasing risk and costs (e.g. development of card payment).

    Digital payment requirements

    Acceptability: Payment infrastructure needs to be widely accepted.

    Anonymity: Identity of customers should be protected.

    Convertibility: Digital money should be convertible to any type of fund.

    Efficiency: Cost per transaction should be near to zero.

    Integration: Interfaces should be created to support the existing system.

    Scalability: Infrastructure should not break down if new customers and merchants join.

    Security: Should allow financial transactions over open networks.

    Reliability: Should avoid single point of failure.

    Usability: Payment should be as easy as in the real world.

    Online Payment Categories

    Online payments can be broadly classified into three categories, as per the table below.

    Category          | Description
    ------------------|------------------------------------------------------------
    Micropayments     | Transaction value less than 5 Euros or Dollars. Transaction costs are nearly zero.
    Consumer Payments | Transaction value between 5 & 500 Euros or Dollars. Payments are executed by credit card transactions.
    Business Payments | Transaction value more than 500 Euros or Dollars. Debit cards or invoices are appropriate solutions in this system.

    Digital Token Based E-Payment System

    Western Union charge cards, 1914

    Bank of America card with revolving credit, 1958

    Visa card, 1970

    Debit card: Access funds in account using electronic means

    Now you can migrate the electronic payments to a wireless device such as a mobile phone.

    Benefits to buyers

    Convenience of global acceptance, a wide range of payment options

    Enhanced security and reduced liability for stolen or misused cards

    Consumer protection through an established system of dispute resolution

    Accessibility to immediate credit

    Benefits to sellers

    Speed and security of the transaction processing chain, from verification and authorisation to clearing and settlement

    Freedom from more costly labour, materials and accounting services that are required in paper based processing

    Better management of cash flow, inventory and financial planning due to swift bank payment

    Incremental purchase power on the part of the consumer

    Cost & risk savings by eliminating the need to run an in-house credit facility

    Credit Cards as E Payment System

    Why is it popular?

    1. Payment is simple, anywhere & in any currency

    2. Transaction costs are hidden from the user. (Paid by sellers and ultimately recovered from all consumers and not just credit card users)

    3. The credit issuing company shares the transaction risk

    Disadvantages of credit cards

    High transaction cost; not suitable for small value orders

    Cannot be used by an individual for making payment to another individual

    Security expenses are high

    Users fear security issues due to unfamiliarity

    E-Payments in India

    The e-payment system in India is evolving.

    RBI started promoting automation in banking from 1990 onwards.

    RBI has set up the electronic clearing service (ECS), which was successful despite the varying levels of automation in Indian banks.

    It has also built the national electronic fund transfer (EFT).

    These systems will in turn promote credit and debit card use in India.

    RBI is also rolling out the real time gross settlement service (RTGS); with this, Indian banks and businesses will be better able to realise the value of e-payments to their operations.

    Encryption and Credit Cards

    Encryption is done when credit card information is entered into a browser or other e-commerce device and sent securely over the net from buyer to seller as an encrypted message. However, this has to be further secured by the following sequence of steps.

    1. A customer presents his credit card information along with an authenticity signature.

    2. The merchant validates the customer's identity as the owner of the card account.

    3. The merchant relays the credit card charge information and signature to its bank or online credit card processor.

    4. The processor party relays the information to the customer's bank for authorisation.

    5. The customer's bank returns the credit card data and charge authorisation to the merchant.

    In this scheme, each consumer and each vendor generates a public key and a secret key. The public key is sent to the credit card company and put on its public key server. The secret key is re-encrypted with a password, and the unencrypted version is erased.

    The credit card company assumes a larger share of the risk for both buyer and seller in a transaction. Buyers can sometimes dispute a charge, while sellers are ensured that they will be paid for all the sales.

    Most of the time credit card payments are the fastest.

    However, credit card transactions are not anonymous, and in fact the companies compile valuable data about spending habits.

    New Payment Systems

    These are roughly divided into 2 groups, one using smart cards and the other using the internet. These systems augment payment instruments with the use of networks and electronics, while maintaining the strength of the older system.

    They can be classified as:

    Cash substitution

    Cheque substitution

    Credit card substitution

    Account transfer substitution systems

    Smart Cards

    Smart cards are credit and debit cards and similar, enhanced with microprocessors, capable of handling more information than a magnetic strip (almost 80 times). These cards use methods known as stored value card or electronic purse (similar to the itz card but with a microprocessor). Units of prepayment or currency value are electronically stored on an IC embedded in these cards.

    Features of Smart Cards

    Processor cards (and therefore memory too)

    Credit card size

    With or without contacts.

    Cards have an operating system too. The OS provides

    A standard way of interchanging information

    An interpretation of the commands and data.

    Cards must interface to a computer or terminal through a standard card reader.

    Smart Card Readers

    Dedicated terminals: Usually with a small screen, keypad and printer; often also have biometric devices such as a thumb print scanner.

    Computer based readers: Connect through USB or COM (serial) ports.

    Terminal/PC Card Interaction

    The terminal/PC sends commands to the card (through the serial line).

    The card executes the command and sends back the reply.

    The terminal/PC cannot directly access the memory of the card.

    Data in the card is protected from unauthorized access. This is what makes the card smart.

    Security Mechanisms

    Password: Card holder's protection

    Cryptographic challenge-response: Entity authentication

    Biometric information: Person's identification

    A combination of one or more

    What's Good About Cash?

    Anonymous - The seller doesn't care who you are

    Difficult to counterfeit (paper, printing methods, lots of new tricks)

    Backed by the government

    Trusted by everyone (we're all used to it)

    A visible representation of funds (you can see what you've got)

    What's Bad About Cash?

    Must be handled/observed by human eyesight or costly photo-scanner

    Fixed denominations - requires making change

    Not suitable for use on the Internet

    Notes consume space, must be physically secured

    No audit trail

    What is E-cash

    ECash is a legal form of computer-based currency that can be securely purchased and withdrawn by credit card, cheque, certified cheques, wire transfer, money order and Electronic Cheque Processing (ECP).

    Why eCash is Like Cash?

    A representation of value

    Anonymous - The seller doesn't care who you are

    E-Cash

    E-cash must have a monetary value; it must be backed by either cash (currency), bank authorised credit, or a banker's cheque.

    E-cash must be interoperable (meaning exchangeable as a payment).

    E-cash must be storable and retrievable. Remote storage and retrieval (i.e. using a phone line) will allow users to exchange e-cash.

    E-cash should not be easy to copy or tamper with while being exchanged.

    E-cash is based on a cryptographic system called digital signature. It involves a pair of numeric keys (very large numbers) that work in tandem, one for locking and the other for unlocking. A message encoded with one numeric key can be decoded with the other key only. The encoding key is kept private (with the bank) and the decoding key is made public (i.e. to buyers and sellers).

    Purchasing e-cash involves 2 steps:

    Establishment of an account

    Maintaining enough money in the account

    Using the account, people can deposit or withdraw e-cash. When a withdrawal is made, the computer calculates the denominations of currency needed, and a random number is generated using the note numbers of these denominations (for blinding), which is sent to the digital bank. The bank then issues the required denominations in an encrypted message and debits the account.

    Cheque Payment systems on internet

    Magnetic Ink Character Recognition (MICR): Using the data printed at the bottom of a cheque, a reader can read and process the cheque electronically.

    CheckFree: Upon customer request, this service issues an electronic cheque and executes settlement between customer & retailer. This system does cheque processing as well as issuance.

    Electronic Cheque: In this system, a consumer possesses an electronic cheque book on a PC memory card called a PCMCIA card. As needed, cheques are written electronically from the e-chequebook on the card. They are then sent over the internet to the retailer, who in turn sends the cheque to the customer's bank. Settlement is done through a financial network to the appropriate place, such as the retailer's bank account.

    Risk & E-Payment System

    There are three major risks in e-payment

    1. Data Protection: Abuse of data related to users.

    2. Data Reliability: The authentication of parties.

    3. Taxation: Issues related to tax.

    Risks from mistakes & disputes: Once information is captured electronically it is easy & inexpensive to keep it stored.

    Given the intangible nature of electronic transactions, dispute resolution relies solely on records. Features of such records include:

    Permanent storage

    Accessibility & traceability

    A payment system database

    Data transfer to payment maker / bank / monetary authorities

    Managing information privacy: All the records in an e-payment system can be linked as they are in a single dossier. The e-payment system must ensure and maintain privacy.

    Managing Credit Risk: Credit risk is a major concern in a net settlement system, because a bank's failure to settle its net position could lead to a chain reaction of bank failures. A digital central bank must guarantee settlement and ensure liquidity of the banks.

    Designing E-payment system

    Privacy: User expects trustworthiness.

    Security: A secure system verifies the identity of the two parties to a transaction through user authentication and enforces access control.

    Intuitive Interfaces: The payment interface must be easy to use. Users value convenience more than anything.

    Database integration: Customers may want to access accounts stored in separate databases. The challenge before banks is to tie these databases together and allow customers to access them.

    Brokers: Someone to offer goods and services, settle conflicts and facilitate transactions must be in place.

    Pricing: The new systems for services cost money, but to attract customers to use them it may be necessary to offer subsidies.

    Standards: Standards enable interoperability, giving users the ability to buy and receive information, regardless of which bank is managing their money.

    A major barrier to the growth of electronic commerce is fear of lack of security.

    Digital signatures provide data security and integrity. This eliminates the fear of lack of security.

    Digital signatures are often used to implement electronic signatures, a broader term that refers to any electronic data that carries the intent of a signature; however, not all electronic signatures use digital signatures.

    Digital signatures employ a type of asymmetric cryptography. Thus in the case of messages sent through a non-secure channel, a properly implemented digital signature gives the receiver a reason to believe that the message was sent by the claimed sender.

    How digital technology works?

    Digital Signature Creation

    Digital Signature Verification

    Signer Authentication

    Message Authentication

    Assurance of genuineness of data in the document

    The sender uses his private key to compute the digital signature. For this, a one-way hashing algorithm is used to calculate a message digest.

    The sender's private key is used to encrypt the message digest. The encrypted message digest is called the digital signature.
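Added example (not part of the original slides): the hash-then-sign flow described above, together with the blinding step mentioned on the e-cash withdrawal slide, using a toy RSA key. The primes, function names, sample note and the choice of Chaum-style RSA blinding are assumptions for illustration; the key is far too small and unpadded for real use.

```python
import hashlib
import secrets
from math import gcd

# Toy RSA key built from two known Mersenne primes (assumption: teaching only).
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q                              # public modulus
E = 65537                              # public (verification) exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private (signing) exponent, kept by the signer


def digest(message: bytes) -> int:
    """One-way hash of the message, reduced into the RSA modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes) -> int:
    """Signer: 'encrypt' the message digest with the private key."""
    return pow(digest(message), D, N)


def verify(message: bytes, signature: int) -> bool:
    """Anyone: recover the digest with the public key and compare with a fresh hash."""
    return pow(signature, E, N) == digest(message)


def blind(message: bytes):
    """Customer: hide the note's digest behind a random factor r before sending it."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            break
    return (digest(message) * pow(r, E, N)) % N, r


def sign_blinded(blinded: int) -> int:
    """Bank: signs the blinded value without learning the note's digest."""
    return pow(blinded, D, N)


def unblind(blind_signature: int, r: int) -> int:
    """Customer: strip r to obtain an ordinary signature on the note."""
    return (blind_signature * pow(r, -1, N)) % N


def demo():
    """Return (ok, tampered_ok, blind_ok) for a constructed message and note."""
    order = b"pay merchant 42: 500 INR"            # constructed sample message
    sig = sign(order)
    ok = verify(order, sig)
    tampered_ok = verify(b"pay merchant 42: 5000 INR", sig)

    note = b"e-cash note serial 0001, value 10"    # constructed sample note
    blinded, r = blind(note)
    note_sig = unblind(sign_blinded(blinded), r)
    blind_ok = verify(note, note_sig)
    return ok, tampered_ok, blind_ok


if __name__ == "__main__":
    print(demo())
```

The signature verifies for the original message and fails once the amount is altered; the unblinded signature verifies with the bank's public key even though the bank only ever saw the blinded value.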

    A signature is not a part of the substance of a transaction; rather, it represents the integrity.

    As organizations move away from paper documents with ink signatures or authenticity stamps, digital signatures can provide added assurances of the evidence of origin, identity, and status of an electronic document, as well as acknowledging informed consent and approval by a signatory.

    E.g. governments publish electronic versions of the budget, laws, etc. with digital signatures. Universities in the US are publishing electronic student transcripts with digital signatures.

    Signature and the law

    Evidence: A signature authenticates the writing by identifying the signer with the signed document.

    Legality: The act of signing a document calls to the signer's attention the legal significance of the signer's act.

    Approval: A signature expresses the signer's approval or authorisation of the writing, or a claim that it has legal validity.

    Efficiency and logistics: A signature on a written document often imparts a sense of clarity and finality to the transaction and reduces the need to inquire beyond the face of a document.

    Authenticity: To achieve the basic purpose of a signature, it must have the following attributes:

    Signer authentication: A signature should indicate who signed a document.

    Document authentication: A signature should identify what is signed, making it impracticable to falsify or alter the matter or the signature without detection.

    Affirmation: Affixing the signature serves the ceremonial and approval function of a signature and establishes legality.

    Indian Websites that use digital signature

    Shopping & Auction sites: Sify Mall, Bazee, Fabmall, Rediff

    Booking & Reservations: Major Airline, Railways

    Service companies: Cellular Providers, ISPs

    Net Banking: ICICI, HDFC

    Secure e-payment system process

    A secured transaction processing system is critical to e-commerce. There are two common standards used for secure e-payments: SSL & SET.

    SSL: Secure Sockets Layer is a transport layer security protocol. SSL provides a simple encrypted connection between the client's computer and the merchant's server over the net. It also provides authentication for the merchant's server with its digital certificate from a certifying authority.

    SET: It is a messaging protocol designed by VISA and MasterCard for securing credit card transactions over open networks.

    Three features of SET are:

    1. All sensitive information sent between the three parties is encrypted.

    2. All three parties are required to authenticate themselves with certificates.

    3. The members never see the customer's card number in plain text.

    Thank You !