E-Commerce Infrastructure. Learning Objectives 1. Understand the major components of EC infrastructure. 2. Understand the importance and scope of security.


E-Commerce Infrastructure

Learning Objectives
1. Understand the major components of EC infrastructure.
2. Understand the importance and scope of security of information systems for EC.
3. Learn about the major EC security
4. Identify and assess major technologies and methods for securing EC access and communications.
5. Describe various types of online payment.
Copyright © 2012 Pearson Education, Inc. Publishing as Prentice Hall


1. Security

The Information Security Problem
Information security: Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.
Security is needed for:
  Personal information
  Financial information
  Business information
  National information

EC Security threats and attacks
There are many threats to EC security:
Virus: A piece of software code that inserts itself into a program (host) and changes the action of that program.
Worm: A software program that runs independently, consuming the resources of its host.
Trojan horse: A program that appears to have a useful function but that contains a hidden function that presents a security risk.
Banking Trojan: A Trojan that comes to life when computer owners visit an e-banking or e-commerce site.
Denial-of-service (DoS) attack: Using specialized software to send a flood of data packets to the target computer with the aim of overloading its resources.
Spam: The electronic equivalent of junk mail.
Hacker: Someone who gains unauthorized access to a computer system.
Cracker: A malicious hacker that may change codes and steal information from the hacked systems.
Zombies: Computers infected with malware.
Page hijacking: Creating a rogue copy of a popular website that shows contents similar to the original to a Web crawler; once there, an unsuspecting user is redirected to malicious websites.
Botnet: A huge number (e.g., hundreds of thousands) of hijacked Internet computers that have been set up to forward traffic, including spam and viruses, to other computers on the Internet.
Phishing: The fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers, online.

EC Security - Assurance Model
Internet Security Assurance Model: Three security concepts important to information on the Internet: confidentiality, integrity, and availability.
Confidentiality: Assurance of data privacy and accuracy.
Integrity: Assurance that stored data has not been modified without authorization; a message that was sent is the same message as that which was received.
Availability: Assurance that access to data, the website, or other EC data service is timely, available, reliable, and restricted to authorized users.

EC Security - Defense Strategy
EC Security Requirements:
Authentication: Process to verify (assure) the real identity of an individual, computer, computer program, or EC website.
Authorization: Process of determining what the authenticated entity is allowed to access and what operations it is allowed to perform.
Nonrepudiation: Assurance that online customers or trading partners cannot falsely deny (repudiate) their purchase or transaction.
Encryption: The process of scrambling (encrypting) a message in such a way that it is difficult, expensive, or time-consuming for an unauthorized person to unscramble (decrypt) it.
Some of the technologies used to provide EC security:
Anti-virus: to protect a computer from viruses.
Anti-spy: to protect a computer from spyware.
Firewall: to protect a network from unauthorized access.
Secure Sockets Layer (SSL): used to encrypt data transferred between the server and the client.

2. Payment

The Payment Revolution
There are different methods for online payment:
1. Using Payment Cards
2. Smart Cards
3. Stored-Value Cards
4. Micropayment
5. E-Checks
6. Mobile Payment
Choosing the E-Payment Method: Critical factors that affect choosing a particular method of e-payment can be:
  Independence
  Portability
  Security
  Ease of Use
  Transaction Fees
  International Support
  Regulations

Using Payment Cards Online
Payment card: Electronic card that contains information that can be used for payment purposes.
  Credit cards
  Charge cards
  Debit cards
Processing cards online:
Authorization: Determines whether a buyer's card is active and whether the customer has sufficient funds.
Settlement: Transferring money from the buyer's to the merchant's account.
Fraudulent card transactions. Key tools used in combating fraud:
Address Verification System (AVS): Detects fraud by comparing the address entered on a Web page with the address information on file with the cardholder's issuing bank.
Card verification number (CVN): Detects fraud by comparing the verification number printed on the signature strip on the back of the card with the information on file with the cardholder's issuing bank.
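An added example, not part of the original slides: a small Python simulation of the authorization and settlement steps with the AVS and CVN checks described above. The issuer record, the numeric-only address comparison and the approve/review/decline policy are assumptions of the example.

```python
import hmac
import re

# Constructed issuer-side record for the example; none of these values are real.
ON_FILE = {"street": "742 Evergreen Terrace", "postal": "97475",
           "cvn": "123", "active": True, "available": 500.00}

def _digits(text):
    """Keep only digits so spacing, case and abbreviations do not cause mismatches."""
    return re.sub(r"\D", "", text or "")

def avs_result(street, postal, on_file):
    """AVS: compare the entered billing address with the issuer's record."""
    street_ok = _digits(street) == _digits(on_file["street"])
    postal_ok = _digits(postal)[:5] == _digits(on_file["postal"])[:5]
    if street_ok and postal_ok:
        return "full_match"
    if street_ok or postal_ok:
        return "partial_match"
    return "no_match"

def cvn_matches(entered, on_file):
    """CVN: constant-time comparison against the issuer's record."""
    return hmac.compare_digest(entered.encode(), on_file["cvn"].encode())

def authorize(amount, street, postal, cvn, on_file=ON_FILE):
    """Authorization: card status, funds, then the two fraud checks.
    The decline/review thresholds are a hypothetical merchant policy."""
    if not on_file["active"]:
        return "decline", "card inactive"
    if amount > on_file["available"]:
        return "decline", "insufficient funds"
    if not cvn_matches(cvn, on_file):
        return "decline", "CVN mismatch"
    avs = avs_result(street, postal, on_file)
    if avs == "no_match":
        return "decline", "AVS no match"
    if avs == "partial_match":
        return "review", "AVS partial match"
    return "approve", "all checks passed"

def settle(decision, amount, on_file=ON_FILE):
    """Settlement: move funds only for an approved authorization."""
    if decision != "approve":
        return False
    on_file["available"] -= amount
    return True
```

A partial AVS match is routed to manual review rather than declined because legitimate customers often mistype or abbreviate part of a billing address.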

Smart Cards
Smart card: An electronic card containing an embedded microchip that enables predefined operations or the addition, deletion, or manipulation of information on the card.
Contact card: A smart card containing a small gold plate on the face that, when inserted in a smart card reader, makes contact and passes data to and from the embedded microchip.
Contactless (proximity) card: A smart card with an embedded antenna, by means of which data and applications are passed to and from a card reader unit or other device without contact between the card and the card reader.
Smart card reader: Activates and reads the contents of the chip on a smart card, usually passing the information on to a host system.
Smart card operating system: Special system that handles file management, security, input/output (I/O), and command execution and provides an application programming interface (API) for a smart card.

Stored-Value Cards
Stored-value card: A card that has monetary value loaded onto it and that is usually rechargeable.
Stored-value cards come in two varieties:
Closed loop: single-purpose cards issued by a specific merchant or merchant group.
Open loop: multipurpose cards that can be used to make debit transactions at a variety of retailers.

E-Micropayments
E-micropayments: Small online payments, typically under $10, can be done using:
1. Aggregation
2. Direct payment
3. Stored value
4. Subscriptions

E-Checking
E-check: A legally valid electronic version or representation of a paper check.
Automated Clearing House (ACH) Network: A nationwide batch-oriented electronic funds transfer system that provides for the interbank clearing of electronic payments for participating financial institutions.


Mobile Payments
Mobile payment: Payment transactions initiated or confirmed using a person's cell phone or smartphone.