Presentation is loading. Please wait.

Presentation is loading. Please wait.

An Investigation into E-Commerce Frauds and their Security Implications By Kevin Boardman Supervisor: John Ebden 1 November 2004.

Published byJanice Irene Turner Modified over 9 years ago

Similar presentations

Presentation on theme: "An Investigation into E-Commerce Frauds and their Security Implications By Kevin Boardman Supervisor: John Ebden 1 November 2004."— Presentation transcript:

1 An Investigation into E-Commerce Frauds and their Security Implications By Kevin Boardman Supervisor: John Ebden 1 November 2004

2 About me Joint Computer Science and Information Systems Honours. Interest in computer security and its implications in e-commerce. Email: g01b0633@campus.ru.ac.za

3 Definition of project in one sentence An investigation into e-commerce frauds, and how they are best avoided by internet merchants.

4 The Problem and Background

5 What is E-commerce ? “E-commerce focuses on the electronic exchange of information using information and telecommunications infrastructures to perform a wide range of commercial activities that can be divided into business- to-consumer and business-to-business sectors” - Hutchinson and Warren [2003] Project focuses on business-to-consumer

6 Importance of E-Commerce Electronic commerce is a “strategic imperative for most competitive organisations today as it is a key to finding new sources of revenue, expanding into new markets, reducing costs, and creating breakaway business strategies” - VeriSign [2004]

7 E-Commerce statistics General increase in the use of e-commerce around the world. The number of online banking accounts in South Africa grew by 28% to 1.04 million in the last year. These figures are expected to increase to 30% in 2004. 17 percent of Americans used online banking services by the end of 2002 and this figure will continue to grow by 14 percent up to the end of 2007. US Online Retail revenue is projected to increase from $ 47.8 Billion in 2002 to 130.3 billion in 2005

8 Fraud statistics Fraud complaints rose by around two- thirds in the US according to the Federal Trade Commission (FTC) from 2001 to 2002. The cost of fraud in 2002 more than doubled that in 2001.

9 Fraud statistics (Continued)

10 Result of combination of statistics “Hacker cleans out bank accounts.” “Hundreds of thousands of rands stolen via Internet from Absa clients.”  Who covers the costs? Irreversible damage to Absa’s image. “New security fears for web banking” “Major online credit card theft exposed” Why are these breaches still taking place?

11 My Approach 1. Identify types of threats, types of attacks, methods of attack and opportunities for attack in the e-commerce transaction. 2. Identify requirements of secure e-commerce and mechanism used to secure e-commerce. 3. Critically analyse e-commerce security mechanisms 4. Analyse e-commerce fraud case studies 5. Formulate options and recommendations for securing e- commerce.

12 Threats Vandalism and sabotage – defacing web site Denial of service – flooding of service Breach of privacy or confidentiality – disclosure of personal info Theft and fraud – theft and use of credit card number Violations of data integrity – changing of an orders delivery address Repudiation – denying a transaction took place

13 Securing E-Commerce 3 Fronts 1.Merchant - System offering service - Web server and OS - Firewalls, encrypted data stores 2. Transport - Channel between the client and merchant - Protocols (SSL, SET) 3.Client - System accessing the service - Difficult to secure and control

14 E-commerce Security Requirements Four basic security requirements of e- commerce transactions : 1. Authentication – proof of identity 2. Confidentiality – keeping data “secret” 3. Data integrity – Ensuring data doesn’t change while transported by unauthorised entity 4. Non-repudiation - prevents a denial of actions by a person or entity

15 Mechanisms used to secure e- commerce SSL Payment Protocols Pseudo Card Numbers Used in combination with: Passwords, Tokens, and Biometrics for authentication

16 Secure Socket Layer (SSL) Provides confidentiality, authentication, and data integrity through the use of PKI. Resides above the transport layer and below the application layer at the socket layer in the protocol stack. Most prominent e-commerce protocol

17 SSL - Downfalls Does not provide non-repudiation or facilitate transferring of payments. Leaves payment details up to merchant. Credit Card details can be read by the merchant and may be vulnerable to theft if the data store is not encrypted.

18 Scenario 1 Insecure Merchant

19 Scenario 2 Illegitimate Merchant

20 Payment Protocols Merchant has no need to read credit card details Guarantee the merchant receives payment Keeps credit card details confidential Eliminates storage of credit card details on merchants system

21 Scenario 3 Payment protocol

22 Secure Electronic Transactions (SET) Technical standard for secure payments focusing on credit cards Developed by MasterCard and VISA. Failed to be adopted. Why?  Certificate management was cumbersome  Comparatively Slow and Expensive to implement.  Non portable.

23 Pseudo credit card numbers Temporary credit card numbers that are valid for 1 transaction only. Advantages:  No insecure merchant problem.  Easy and cost effective to implement – transparent to merchant.

24 Pseudo Credit Card Numbers (Cont) Disadvantages  Relatively new and not yet widely adopted  Merchant may have to stop accepting real credit card numbers.

25 CD Universe Case Study In 1999 hacker broke into CD Universe’s systems stealing 300 000 credit card numbers. Hacker demanded $100 000 or would release the details publicly. Demand was not met and the hacker published details allowing the download of 25 000 number by several thousand visitors.

26 CD Universe Case Study Suggested cause of intrusion:  Credit cards stored unencrypted (Insecure Merchant problem)  MSNBC follow up found that many e- commerce site’s credit card databases can be accessed simply by connecting through a SQL Server.  Many have no encryption, or authentication.

27 Options and Recommendations Options involving SSL only or SSL along with a client authentication techniques have major weaknesses. SSL in combination with pseudocard numbers is technically more secure and easy to adopt, but not widely enough adopted. Payment protocols in combination with client authentication techniques are the most viable and secure methods of securing payment.

28 Questions

Download ppt "An Investigation into E-Commerce Frauds and their Security Implications By Kevin Boardman Supervisor: John Ebden 1 November 2004."

Similar presentations

Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.

Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.
Security by Design A Prequel for COMPSCI 702. Perspective “Any fool can know. The point is to understand.” - Albert Einstein “Sometimes it's not enough.

Security by Design A Prequel for COMPSCI 702. Perspective “Any fool can know. The point is to understand.” - Albert Einstein “Sometimes it's not enough.
CP3397 ECommerce.

CP3397 ECommerce.
SSL : An Overview Bruhadeshwar Bezawada International Institute of Information Technology, Hyderabad.

SSL : An Overview Bruhadeshwar Bezawada International Institute of Information Technology, Hyderabad.
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.

SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.
By: Mr Hashem Alaidaros MIS 326 Lecture 6 Title: E-Business Security.

By: Mr Hashem Alaidaros MIS 326 Lecture 6 Title: E-Business Security.
1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:

1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:
E-Commerce Security Issues. General E-Business Security Issues Any E-Business needs to be concerned about network security. The Internet is a “ public.

E-Commerce Security Issues. General E-Business Security Issues Any E-Business needs to be concerned about network security. The Internet is a “ public.
Chapter 13 Paying Via The Net. Agenda Digital Payment Requirements Fraud Detection Online Payment Methods Online Payment Types The Future Payment.

Chapter 13 Paying Via The Net. Agenda Digital Payment Requirements Fraud Detection Online Payment Methods Online Payment Types The Future Payment.
The Ecommerce Security Environment For most law-abiding citizens, the internet holds the promise of a global marketplace, providing access to people and.

The Ecommerce Security Environment For most law-abiding citizens, the internet holds the promise of a global marketplace, providing access to people and.
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.

Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
Electronic Transaction Security (E-Commerce)

Electronic Transaction Security (E-Commerce)
E-Commerce Security Brett Hinshaw Kevin Hooker Jeff Hunter Shane Worrell.

E-Commerce Security Brett Hinshaw Kevin Hooker Jeff Hunter Shane Worrell.
Chapter 8 Web Security.

Chapter 8 Web Security.
Electronic Commerce. On-line ordering---an e-commerce application On-line ordering assumes that: A company publishes its catalog on the Internet; Customers.

Electronic Commerce. On-line ordering---an e-commerce application On-line ordering assumes that: A company publishes its catalog on the Internet; Customers.
장홍예 Telecommunication Engineer Lab 2001.9.19 1 E-COMMERCE: TECHNICAL AND MARKET APPROACH.

장홍예 Telecommunication Engineer Lab E-COMMERCE: TECHNICAL AND MARKET APPROACH.
Alter – Information Systems 4th ed. © 2002 Prentice Hall 1 E-Business Security.

Alter – Information Systems 4th ed. © 2002 Prentice Hall 1 E-Business Security.
Chapter 3 Mohammad Fozlul Haque Bhuiyan Assistant Professor CITI Jahangirnagar University.

Chapter 3 Mohammad Fozlul Haque Bhuiyan Assistant Professor CITI Jahangirnagar University.
E-business Security Dana Vasiloaica Institute of Technology Sligo 22 April 2006.

E-business Security Dana Vasiloaica Institute of Technology Sligo 22 April 2006.

Similar presentations

Ads by Google