Electronic Payment Systems Presented by Rufus Knight Veronica Ogle Chris Sullivan As eCommerce grows, so does our need to understand current methods of Electronic Payment Systems.

Outline Introduction to Project Electronic Cash Presentation Electronic Checks Presentation Credit Card Payments Presentation Conclusion Questions

Introduction Our Group has: –Created a web site on three types of electronic payment systems Electronic Cash Electronic Checks Credit Card Payments –Focused on Security Issues, Protocols, and Real World Implementations of each Method

eCash Currency & Micropayments

eCash What is eCash? –A class of technologies that provide an analog of cash represented in electronic form. –Replicates properties of real cash (anonymity, low transaction cost, etc). –Can be spent or given away. –Quick and easy on line transactions. –Implemented with smart cards or just software.

eCash Transaction Model eCash Model

eCash What are Micropayments? –Small valued transactions (.10 - $10) –Suitable for the sale of non-tangible goods over the Internet. –Imposes requirements on speed and cost of processing of the payments. –Delivery occurs nearly instantaneously on the Internet, and often in arbitrarily small pieces. –Need for security is reduced.

Micropayment Transaction Model Micropayment Model

eCash Security Public Key Cryptography Coins –2 pairs of integers (serial number, calculated value -> (a, f(a)) ) a -> serial number f -> one-way hash function –E.g Bank uses RSA algorithm and its private key to sign a.

eCash Blinding (ensures privacy) –r -> blinding factor –Person sends f(a)r to Bank –Bank signs and returns –Person divides it with r The Bank does not know r so it can’t trace identity of the coin when it is cashed later

eCash Example Systems: –DigiCash (software-based) –Mondex (card-based) –NetBill (micropayments)

eChecks Credit-Debit System

Electronic Checks (eChecks) Designed to perform the payment and other financial functions of paper checks by using cryptographic signatures and secure messaging over the Internet Based on the idea that electronic documents can be substituted for paper, and that public key cryptographic signatures can be substituted for handwritten signatures

eChecks (cont.)

Three aspects faced in order for eCheck transactions to take place: –Private key possession and control -- The signature verifier must believe that the signer has exclusive possession of his signing key The electronic checkbook, in the form of a PIN- activated tamper-resistant smart card or similar cryptographic hardware, performs a signing algorithm so that the private signing key is always kept inside the trusted hardware and is never read into the signer's networked personal computer or server

eChecks (cont.) The electronic checkbook is aware of echeck syntax and logs critical data from echecks to provide the signer with a trusted log of signing actions –Key pair generation -- The signature verifier must believe that the private/public key pair was generated such that the private key cannot be guessed by an attacker based on knowledge of the public key The electronic checkbook performs key generation within the tamper-resistant hardware using algorithms that have been properly tested and certified by the manufacturer

eChecks (cont.) Only the public key is exported from the hardware, and the private key is never revealed to anyone –Public key infrastructure -- The signature verifier must be able to trust that the public key provided for use in verifying the signature really belongs to the signer and is the other half of the signer's public key pair The public key exported from the card is included in a certificate signed by the bank's Certification Authority The bank echeck servers keep an independent database of the bank’s signers’ public keys so that they always know the most current relationships of keys to accounts and signers

eChecks (cont.) Areas of fraud and how eChecks prevent them: –Duplicate detection Each echeck is guaranteed to be unique by the operations of the electronic checkbook The payee and payee's bank detect and refuse duplicate submissions of echecks The payer's bank detects duplicates and pays only one instance of an echeck Prevents multiple payments due to innocent retransmissions of and prevents a payee from cashing and depositing an echeck in two different accounts

eChecks (cont.) –Payee identification Echecks can be made out to the payee's bank routing code and either an account or customer ID number Also can be made out to the payee's public key These parameters uniquely identify the payee and prevent an eavesdropper from exploiting the ambiguity of payee identification, which otherwise exists if only payee common names are used

eChecks (cont.) –Electronic account numbers The account number of the echeck is a randomly chosen number assigned by the bank for the purpose of writing and depositing The payer's and depositor's echeck account numbers are mapped to their paper check account numbers by their respective banks The banks will not accept paper checks or drafts written against the echeck account numbers This prevents an eavesdropper or corrupt payee from printing and passing paper checks or drafts against the account numbers

eChecks (cont.) –Cryptographically attached invoices Invoices can be sent to detail the purpose of the payment, and can be signed by the echeck signature binding them to the echeck and ensuring their authenticity and integrity This prevents an attacker from intercepting an echeck and purchase order, changing the delivery address in the order, and forwarding the echeck and altered order to the merchant

Credit Cards Secure Presentation

Electronic Credit Card Payments Secure Electronic Transaction (SET) Credit Card Transactions Check Sum Algorithm

Secure Electronic Transaction (SET) Protocol for sending financial information over the Internet. Provides secure transmission Allows for party authentication Provides integrity for the payment messages

Credit Card Transactions 1.The consumer supplies the credit card to the merchant. 2.The merchant seeks card authorization from the merchant's bank. 3.The merchant's bank then seeks authorization from the consumer's bank. 4.The consumer's bank responds to the merchant's bank. 5.The merchant's bank notifies the merchant that the transaction has been approved.

Credit Card Transactions (cont.) 1.The merchant finalizes the transaction. 2.The merchant sends a batch of charges to the merchant's bank. 3.The merchant's bank then sends each settlement request to the appropriate consumer bank 4.The consumer bank receives each settlement request and debits the consumer's account. 5.The merchant's bank credits the merchant's account and withdraws the credit amount from the consumer's bank.

Check Sum Algorithm Assumes the credit card number The number is 15 digits long and thus odd and therefore has a numerical weight of one Compute the check digit by: 3, 14, 2, 16, 0, 4, 4, 18, 13, 5, 0, 8, 10, 9 Subtract 9 from every value greater than nine: 3, 5, 2, 7, 0, 4, 4, 9, 0, 3, 5, 8, 0, 1, 9 Add these numbers: 60 The check should equal zero 60 mod 10 = 0

Conclusion Electronic money is a more viable means of making payments. These payment methods offer privacy, convenience, and security There are a wide variety of electronic payment systems available. The consumer must find the system that best suites their needs

Questions ???