CIS 451: E-Commerce Security - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
CIS 451 E-Commerce Security Payment Systems
  • Ralph Westfall
  • July, 2009

2
Reasons for Not Buying Online
  • 31% privacy/security (students 28%)
  • 28% less customer service (22%)
  • 9% not interactive enough (15%)
  • 8% high prices (11%)
  • 4% can't feel product (4%)
  • Source: Ahuja, Gupta, Raman (2003)
  • see table at end of report

3
Need for Security
  • Internet is inherently insecure
  • crimes can be committed remotely
  • very little evidence for prosecutors to use
  • programs automate hacking
  • from Ghosh, 1998

4
Identity Theft
  • 9.9 million identity fraud victims in 2008
  • usually not directly related to E-Commerce
  • email requests for information ("phishing")
    rather than web site security failures
  • women were 26 percent more likely to be victims
    of identity fraud than men

5
Key Security Issues (PAIN)
  • privacy - messages not read in transit
  • authentication - be sure of identity of seller
  • possibly buyer also
  • integrity - messages not changed in transit
  • nonrepudiation - neither buyer nor seller can deny
    they received the message

6
PAIN Security Issue Examples
  • Privacy (not intercepted)
  • message from A to B doesn't go to C also
  • Authentication (not "spoofed")
  • message from C doesn't look like it's from A
  • Integrity (not modified in transit)
  • A's message not modified by C before B sees it
  • Nonrepudiation (can't be denied)
  • B can't say message from A not received, and A
    can't say response from B not received

7
Public Key Cryptography
  • public key given to anybody
  • e.g. on e-mail signature
  • can find whole public keys at keyserver.net (was
    down today)
  • public key created from private key
  • private key is kept secret
  • a shorter public "fingerprint" can be created
  • software uses a public key to encode data
  • must have private key to decode message

8
Pretty Good Privacy (PGP)
  • uses public key cryptography
  • free 30-day trial version
  • GnuPG is a freeware replacement
  • don't lose your keys!
  • government filed lawsuit against author
  • corporate products for business security
  • e-mail, file transfer, etc.
  • electronic commerce

9
Digital Certificate
  • key element in most security schemes
  • adds an attachment to an electronic message that
    verifies the identity of sender
  • provides key to receiver to encode reply
  • issued by a "certificate authority" (CA)
  • confirms identity of person/organization

10
Certificate Authority
  • trusted 3rd party (not buyer or seller)
  • usually a bank, credit card company, etc.
  • issues digital certificates
  • creates digital signatures and public/private key
    pairs
  • guarantees identity of certificate holder

11
Some Certificate Authorities
  • Verisign
  • Thawte (21-day free trial)
  • InstantSSL (free certificate, but have to
    subscribe to a Root Authority later)
  • guide to use

12
S/MIME
  • secure extension to MIME specification
  • Multipurpose Internet Mail Extensions is the
    standard that makes it possible to include images,
    HTML formatting, etc. in email
  • built into many email readers
  • Outlook, Outlook Express, Apple Mail, etc.
  • MIME security problems in past

13
OpenPGP
  • nonproprietary protocol for encrypting email and
    messages
  • can be used by any company without paying
    licensing fees
  • bought back from Network Associates in 2002
  • offers an alternative to S/MIME
  • some vendors are implementing both in their
    software

14
Image Recognition Tests
  • CAPTCHA - completely automated public Turing test
    to tell computers and humans apart
  • designed to foil software programs (bots) that
    get data from web sites
  • very difficult for software to identify
    characters but not so hard for humans
  • email unsubscribe example

15
Security Protocols and Systems
  • SSL - secure sockets layer
  • SET - secure electronic transactions
  • Cybercash

16
SSL - Secure Sockets Layer
  • from Netscape, built into their browsers
  • uses public key cryptography
  • 40- or 128-bit keys (every extra bit doubles the
    security, e.g., 10 more bits = roughly 1000 times)
  • authenticates that data comes from URL address
    requested by user
  • not from another site pretending to be that site
  • ensures that data isn't changed in transit

17
Secure Sockets Layer - 2
  • need to enable and configure SSL on server
  • Netscape server
  • or using Netscape's SSLRef program library
  • an ISP can handle this for you
  • need to identify specific pages requiring SSL
    access
  • web address starts with https (the S is for secure;
    see Blackboard login, etc.)
  • web page author implements this

18
Secure Sockets Layer - 3
  • need to get a certificate
  • certificate proves identity of your company
  • Verisign charges $399 for retail sites (40 bits,
    1 year, $100,000 loss coverage)
  • search for organizations with certificates
  • certificates not popular with consumers
  • use passwords instead on your site to verify
    customers' identities

19
Secure Sockets Layer - 4
  • advantages
  • established in marketplace
  • relatively inexpensive
  • doesn't require anything special from user
  • disadvantage
  • extra processing slows down server

20
Microsoft's Windows Live ID
  • formerly called Passport Network
  • electronic "wallet" for card number, name,
    address and other information
  • automates purchase
  • user doesn't have to type in much information
  • free to consumers

21
.NET Passport
  • supposedly has a lot of users
  • have to sign up to use new MS software
  • eBay stopped accepting it at end of 2004
  • do you know anybody actually using it?
  • security problem in 2003
  • Microsoft also used to offer a Kids Passport for
    parental control of release of information

22
Liberty Alliance
  • an alternative to Microsoft's proprietary approach
    to Passport
  • participating organizations can maintain their
    own data rather than letting Microsoft hold it
  • is an "open standards" approach
  • currently emphasizing preventing identity theft

23
Cybercash
  • concept was to make it possible to get a little
    bit of money from a lot of customers
  • $0.01 x 1 million customers = $10,000
  • up to this point, can't cost effectively process
    lots of very small transactions
  • PayPal doesn't handle really small transactions,
    but is strong in this niche

24
PayPal
  • lets users pay by email
  • strong relationship with eBay (online auctions),
    then bought by eBay
  • handles eighteen currencies worldwide
  • 50 million accounts
  • free personal use, but businesses receiving
    payments are charged a fee
  • fixed 30 cents plus 1.9-2.9% of amount

25
PayPal Vulnerabilities?
  • use by organized crime led to fines and being
    prohibited for a while in some states
  • at one time could be hacked so that buyers could
    reduce item prices or get software for free
  • one vendor is selling a proposed solution to the
    above vulnerabilities

26
Mobile Payments
  • buy things via a mobile device, using cell phone
    number as password
  • usually involve "virtual goods": music, games,
    etc.
  • very cheap when sold in large volumes
  • typically sell for around $2 or less
  • phone carrier may get up to half of cost
  • Investors Bet on Payments via Cellphone

27
Common E-Commerce Security Vulnerabilities
  • SQL injection attack includes SQL syntax
    characters (e.g., single quote) or keywords in
    user inputs
  • error messages may reveal ways to access
    restricted pages
  • Guess.com and Petco.com sites were found to be
    vulnerable to such attacks
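As an added illustration, not from the original slides, here is the single-quote problem in miniature: a product search built by string concatenation against a constructed in-memory SQLite table, beside the parameterized version that passes the keyword as data.

```python
import sqlite3

def make_catalog():
    # Constructed sample data standing in for a shop's product table;
    # the 'visible' flag marks rows the public search must never return.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (id INTEGER, name TEXT, visible INTEGER)")
    con.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "Jeans", 1), (2, "Dog food", 1), (3, "Unreleased item", 0)],
    )
    return con

def search_vulnerable(con, keyword):
    # The keyword is pasted into the SQL text, so a single quote in the
    # input closes the string literal and whatever follows is parsed as SQL.
    sql = ("SELECT name FROM products WHERE visible = 1 "
           "AND name LIKE '%" + keyword + "%'")
    return [row[0] for row in con.execute(sql)]

def search_safe(con, keyword):
    # Parameterised query: the driver binds the keyword as a value, so
    # quotes and SQL keywords in it can only ever be matched against names.
    sql = "SELECT name FROM products WHERE visible = 1 AND name LIKE ?"
    return [row[0] for row in con.execute(sql, ("%" + keyword + "%",))]

if __name__ == "__main__":
    con = make_catalog()
    print(search_vulnerable(con, "Jeans"))        # normal use: ['Jeans']
    print(search_vulnerable(con, "' OR 1=1 --"))  # the hidden row leaks too
    print(search_safe(con, "' OR 1=1 --"))        # []
```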

28
Security Vulnerabilities - 2
  • total cost of order can be reduced
  • payment confirmation page holds total cost in an
    HTML hidden field
  • a "web application proxy" can change the data
    sent back to the server, so that when user
    confirms transaction, the amount is less than
    actual cost (free web application proxy security
    tool)
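An added example, not from the slides: a checkout confirmation handler that trusts the hidden total field, next to one that recomputes the total from a constructed server-side price list and flags a mismatch for fraud review.

```python
# Constructed server-side price list (cents); in a real shop this is the
# product database. Only this, never the browser, decides what things cost.
CATALOG = {"sku-100": 4999, "sku-200": 1250}

def confirm_vulnerable(form):
    # Charges whatever 'total' the browser sent back. The value was written
    # into the confirmation page as <input type="hidden">, so a web
    # application proxy can rewrite it before it reaches the server.
    return int(form["total"])

def confirm_safe(form):
    # Rebuild the total from SKUs and quantities priced off CATALOG.
    # Returns (amount_to_charge, tampered) so the caller can log and alert.
    total = 0
    for sku, qty in form["items"]:
        if sku not in CATALOG or qty <= 0:
            raise ValueError("unknown sku or bad quantity: %r" % (sku,))
        total += CATALOG[sku] * qty
    # The hidden field is at most a consistency check, never an input.
    tampered = "total" in form and int(form["total"]) != total
    return total, tampered

def honest_form():
    # Constructed submission: one pair of jeans-priced item, two of the other.
    return {"items": [("sku-100", 1), ("sku-200", 2)], "total": "7499"}

def tampered_form():
    # Same cart, but the hidden total rewritten to one cent in transit.
    form = honest_form()
    form["total"] = "1"
    return form

if __name__ == "__main__":
    print(confirm_vulnerable(tampered_form()))  # 1
    print(confirm_safe(tampered_form()))        # (7499, True)
```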

29
Security Vulnerabilities - 3
  • buffer overflows (e.g., caused by pasting a lot of
    text, such as 6000 bytes, into a text box) may print
    error messages that reveal the path to specific code
    functions that can be used to hack into sites

30
Security Vulnerabilities - 4
  • cross-site scripting
  • inserts script (e.g., JavaScript) into text that
    is sent back to a new web page
  • for example, a search engine sends the keywords
    back with the results page
  • script could be used to get information from a
    cookie on user's machine
  • or user might be redirected to a "phishing" web
    site and asked for password
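The search-results case from this slide as an added example (not from the original presentation): a results page that echoes the keywords raw, the same page with output escaping, a parser that counts the script elements a browser would actually see, and the HttpOnly cookie flag as defence in depth against the cookie-reading case.

```python
import html
from html.parser import HTMLParser

def results_page_vulnerable(keywords, hits):
    # Echoes the search keywords straight into the page; an input such as
    # <script>...</script> becomes live markup in the victim's browser.
    items = "".join("<li>" + h + "</li>" for h in hits)
    return "<p>Results for: " + keywords + "</p><ul>" + items + "</ul>"

def results_page_safe(keywords, hits):
    # html.escape turns < > & " ' into entities so the browser renders the
    # input as text. Escape every value that came from the user or the
    # database, not only the one field you happen to be worried about.
    items = "".join("<li>" + html.escape(h) + "</li>" for h in hits)
    return ("<p>Results for: " + html.escape(keywords) + "</p><ul>"
            + items + "</ul>")

class ScriptCounter(HTMLParser):
    # Counts <script> start tags the way a browser's parser would see them.
    def __init__(self):
        super().__init__()
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1

def count_scripts(page):
    parser = ScriptCounter()
    parser.feed(page)
    parser.close()
    return parser.scripts

def session_cookie_header(value):
    # An HttpOnly cookie is not exposed to document.cookie even if injected
    # script does run; Secure keeps it off plain http connections.
    return "Set-Cookie: session=" + value + "; Secure; HttpOnly; SameSite=Lax"

# Constructed inputs: an ordinary query and one carrying a script tag.
NORMAL = "blue jeans"
INJECTED = "jeans<script>alert(1)</script>"
HITS = ["Blue jeans", "Black jeans"]

if __name__ == "__main__":
    print(count_scripts(results_page_vulnerable(INJECTED, HITS)))  # 1
    print(count_scripts(results_page_safe(INJECTED, HITS)))        # 0
```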

31
Exercise
  • test some online forms
  • eCommerce, mortgage refinancing, etc.
  • include "special characters" in inputs
  • ' (single quote), " (double quote), < (HTML), <% (ASP),
    <? (XML), \ (escape), *, ? or % (wild card characters),
    & (concatenation), @ (email or compiler directive),
    others?
  • report back on what happened

32
References
  • Ahuja, A., Gupta, B., and Raman, P., "An
    Empirical Investigation of Online Consumer
    Purchasing Behavior," Communications of the ACM,
    December 2003, pp. 145-151.
  • Dembeck, C., "Online Credit Card Security Fears
    Waning, But Still a Factor," E-Commerce Times,
    March 8, 2000.
  • Ghosh, A. K., "Security in Internet Electronic
    Commerce," invited presentation to Defending
    Cyberspace '98, September 24, 1998, Washington,
    D.C.
  • Internet Marketing Center, "Enabling
    Technologies: Encryption Overview."
  • Mookhey, K. K., "Common Security Vulnerabilities
    in e-commerce Systems," SecurityFocus, April 26,
    2004.