E-COMMERCE SECURITY AND

PAYMENT SYSTEMS
BY PUTERI SYAHEERA BINTI JAAFAR
ATIQAH AQILAH BINTI AHMAD MUFIT
NURUL AMIERA SYUHADA BINTI
RAZALI

E-COMMERCE SECURITY AND PAYMENT SYSTEMS

4.3 : TECHNOLOGY SOLUTIONS

Protecting Internet Communications

ENCRYPTION

The process of transforming plain text or data into cipher text that cannot be read by
anyone other than the sender and the receiver

Purpose :* To secure stored information

* To secure information
transmission

In a substitution cipher, every occurrence of a

givenletter is replaced systematically by another letter
In a transposition cipher, the ordering of the letters
in each word is changed in some systematic way

a) Symmetric Key Encryption

The sender and receiver use the same key to encrypt and decrypt
the message
The possibilities for simple substituion & transposition
chiphers
In commercial
are endless :use, where we
In digital age,
Symmetric key
are not all part of
computers are so
encryption
the same
powerful and fast
requires that
team,you would
that these
both parties
nees a secret key
ancient means of
share the same
for each of the
encryption can
key
parties with
be broken quickly
whom you
transacted

 The Data Encryption Standard (DES)

Developes by the National Security

Agency(NSA) and IBM
Use a 56-bit encryption key

Advanced Encryption Standard (AES)

Most widely used symmetric key

encryption algorithm
Offering 128-,192- and 256-bit keys

b)

Public Key Encryption / Public Key Cryptography

Public Key Encryption Using Digital Signatures and

Hash Digest
Hash Function

Digital Signature

An algorithm that produces a

fixed-length number called a
hash or message digest

signed cipher text that

can be sent over the
Internet

Function can be simple

A close parallel to
handwritten signature

Count the number of

digital 1s in a message,it
can be more complex

Even more unique than

a handwritten signature

Produce a 128-bit number

that reflects the number of
0s and 1s

Unique to the document

and changes for every
document

d)
d) Digital
Digital Envelopes
Envelopes

A
A technique
technique that
that uses
uses symmetric
symmetric encryption
encryption for
for large
large documents,but
documents,but public
public key
key
encrypt
encrypt and
and send
send the
the symmetric
symmetric key
key
e)
e) Digital
Digital Certificates
Certificates and
and Public
Public Key
Key Infrastructure
Infrastructure (PKI)
(PKI)

Digital Certificate

PKI

Limitations to Encryption Solutions

There is no guarantee the verifying

computer of
the merchant is secure
CAs are self-selected organizations seeking
to gain
access to the business of authorization

PGP

PUBLIC AND PRIVATE KEY IN ENCRYPTION

SECURING CHANNELS OF COMMUNICATION

1. Secure Sockets Layer (SSL) and Transport Layer Security (TLS)

Secure negotiated session

A client-server session in which the
URL of the requested document,along
with the contents,contents of forms
and the cookies exchanged are
encrypted.

Session Key
A unique symmetric encryption key
chosen just for this single secure
session

 SSL/TLS provides data encryption,server

authentication, optional client authentication and
message integrity for TCP/IP connections

Protects the integrity of the messages

exchanged

Cannot provide irrefutability

Virtual Private
Networks (VPNs)
* Allows remote users to securely
access a corporations local area
network via the Internet,using a
variety of VPN protocols
* Use authentication and encryption
to secure information from
unauthorized persons
* Reduces the cost of secure
communications

Wireless (Wi-Fi) Networks

Wired Equivalent Privacy ( WEP )
Wifi Protect Access ( WPA)
WPA2 wireless security standard that
uses the AES algorithm for encryption
and CCMP.

PROTECTING NETWORKS
1. Firewalls
Refer to either hardware or software that filters
communication packets and prevents some
packets from entering the network based on a
security policy
Controls traffic to and from servers and clients
Forbidding communication from untrustworthy
sources
Allowing other communications from trusted
sources to proceed
Can filter traffic based on packet attributes

2 Major method firewalls

Packet filters

Application
gateways

2. Proxy Servers
Software server that handles all communications originating
from or being sent to the Internet
Called dual-home systems because they have two network
interfaces
To internal computers known as the gateway
To external computers known as a mail server or numeric
address

Instrusin Detection and Preventation Systems

Instrusion detection system
(IDS)
Examines network
traffic,watching to see if it
matches certain patterns or
preconfigured rules indicative of
an attack

Instrusion prevention
system (IPS)
Has all the functionality of an
IDS,with the additional ability to
take steps to prevent and block
suspicious activities

PROTECTING SERVERS AND CLIENTS

1. Operating System Security
Enhancements
To take advantage of automatic computer
security
upgrades
Users can easily download these security patches
for free

2. Anti-Virus Software Prevent by simply keeping server and client

operating
systems
and applications up to date
Easiest and least-expensive way
to prevent
threats to
system integrity is to install anti-virus
software
Anti-virus programs can be set up so that email
attachments are inspected before click on

4.4 - MANAGEMENT POLICIES, BUSINESS

PROCEDURES, AND PUBLIC LAWS

 Worldwide, in 2013, companies are

expected to spend over $65 billion on
security hardware, software and
services (Gartner,2013)
Public laws and active enforcement of
cybercrime statues are required to both
raise the costs of illegal behavior on
internet and guards against corporate
abuse of information

A security plan: Management

Policies

To minimize security threats, e-commerce firm must develop coherent

corporate policy that takes into ;

Figure 4.12 DEVELOPING AN ECOMMERCE

SECURITY PLAN

A security plan begins with;

1. Risk assessment an assessment of the risk and points of
vulnerability

First step: to inventory the information and knowledge assets

of the e-commerce site and company.

Example of information risk: Customer information, proprietary

designs, business activities, secret process and other internal
information.

Security policy a set statements prioritizing the information

risks, identifying acceptable risk targets, and identifying
the mechanism for achieving these targets.

Second step: Determined to be the highest priority in risk

assessment.

Example risk assessment : who generates and control this

information in this firm? What existing security policies?
and etc

. Implementation plan The steps will take a achieve the

security plan goals
Third step: Determine the levels of acceptable risk
into a set of tools, technologies, policies, and
procedures.
Need an organizational unit in charge of security and a
security officer

The security organization educates and trains users,

keep management aware of security threats and
breakdowns and maintain tools chosen to implement
security.
Access control determine which outsider and insiders
can gain
legitimate access to networks.
Outsider : Access controls firewalls and proxy servers
Insider : Login procedures (username, passwords, and
access codes)

 Authentication procedures use of digital

signatures, certificates of authority.
Biometric devices its verify physical attributes
associates with an individual such as fingerprint or
retina (eye) scan or speech recognition system.

 Security tokens are physical devices or

software that generate an identifier that can
use in addition or place password
Authorization policies differing levels of
access to information assets
Authorization management systems:
when user is
permitted to access certain parts of
website

5. Security Audit- the routine review the access

logs (identifying how outsider using site as well)
Monthly report should be produce the activities
patterns.
Many small firms have sprung up in the last five
years to provide these service to large corporate
sites.

THE ROLE OF LAWS AND PUBLIC

POLICIES
Voluntary and private efforts have played a very
large role in identifying criminal hackers and assisting
law enforcement.
Majority of states now require companies maintain
personal data on their residents
By increasing the punishment of cybercrimes ;
- U.S government create a deterrent to further
hacker action
By making such actions federal crimes ;
- Government is able extradite international
hackers and
prosecute them within the U.S

Table 4.5 U.S E-COMMERCE SECURITY LEGISLATION AND

REGULATION

PRIVATE AND PRIVATE-PUBLIC COOPERATION

EFFORTS
Several organization some private and
some public are devoted to tracking down
criminal organizations and individual attack
against internet
Private organization CERT Coordination
Center at Carnegie Mellon University;
- CERT monitors and track online criminal
activity
- Assist organization in identifying;

GOVERNMENT POLICIES AND CONTROLS ON ENCRYPTION SOFTWARE

United States, both Congress and the executive branch
have sought to regulate the uses of encryption and to
restrict availability and export of encryption system;
means to preventing crime and terrorism
Four organization have influenced the international
traffic in encryption software :

BY PUTERI, AMIERA, ATIQAH

E-COMMERCE SECURITY AND PAYMENT SYSTEMS

4.3
4.4

- TECHNOLOGY SOLUTIONS

MANAGEMENT POLICIES,
BUSINESS
PROCEDURES, AND PUBLIC LAWS
-

QUESTIONS
1. List 4 key dimension of e-commerce security
2. Explain what is firewall in protecting network ?
3. List out the steps of developing an ecommerce
security plan.

ANSWERS
1.
.
.
.
.

4 key of dimension of e-commerce security :

Message intergrity
Nonrepudiation
Authentication
Confidential

2. Firewall in protecting network :

. Controls traffic to and from servers and clients
Forbidding communication from untrustworthy
sources
3. Steps of developing an ecommerce security plan.
. Perform a risk assessment
. Develop a security policy
. Develop a implementation plan
. Create a security organization
. Perform a security audit

BY PUTERI, ATIQAH, AMIERA