Title: Electronic Commerce: Transaction Security (????????)
Slide 1: Tamkang University
Electronic Commerce Transaction Security (????????)
?? 2014/7/03 (?) 14:00-17:00 ???????????? R0111 ???
(???????????318?1?)
Min-Yuh Day ??? Assistant Professor ?????? Dept. of Information Management, Tamkang University ???? ?????? http://mail.tku.edu.tw/myday/ 2014-07-03
Slide 2: ????????? (Consumer Facing Transaction)
Source: http://www.systex.com.tw/
Slide 3: Outline
- 1. ISO 27001 ?????????? (ISO 27001 Information Security Management System)
- 2. ???????? (Electronic Commerce Security Framework)
- 3. ???? (Transaction Security)
- 4. ?????? (Electronic Payment System)
- 5. ?????? (Mobile Commerce Security)
Slide 4: ISO 27001 ???????? (Information Security Management System, ISMS)
- ???????? (Information Security Management System, ISMS)
- ??????????, ???????(??)???, ?????????????????????? ?????
- ?? ??????????????????????????????????
- Information Security Management System (ISMS): that part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security
- NOTE: The management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources.
Source: ISO/IEC 27001:2005, CNS 27001
Slide 5: ???? (information security)
- ???? (information security)
- ???????????????? ??, ?????????????????????????? ? CNS 17799
- information security: preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved (ISO/IEC 17799:2005)
Source: ISO/IEC 27001:2005, CNS 27001
Slide 6: Information Security (CIA)
- Confidentiality (???)
- Integrity (???)
- Availability (???)
- Authenticity (???)
- Accountability (????)
- Non-repudiation (?????)
- Reliability (???)
Source: ISO/IEC 27001:2005, CNS 27001
Slide 7: PDCA model applied to ISMS processes
Source: ISO/IEC 27001:2005
Slide 8: ??? ISMS ??? PDCA ??
Source: CNS 27001
Slide 9: ISO 27001 Annex A (normative) ??A (??)
- 11 ????? (??A.5 - A.15)
- 39 ?????
- 133 ?????
- ISO/IEC 17799:2005 Clauses 5 to 15 provide implementation advice and guidance on best practice in support of the controls specified in A.5 to A.15.
- CNS 17799 ?5 ???15 ????????A.5 ?A.15 ??????????????????????
Source: ISO/IEC 27001:2005, CNS 27001
Slide 10: ISO 27001 ??A.5-A.15
- A.5 ????
- A.6 ???????
- A.7 ????
- A.8 ??????
- A.9 ???????
- A.10 ???????
- A.11 ????
- A.12 ????????????
- A.13 ????????
- A.14 ??????
- A.15 ???
Source: ISO 27001, CNS 27001
Slide 11: ISO 27001:2005 A.10 ??????? (Communications and operations management)
- A.10.1 ???????? (Operational procedures and responsibilities)
- A.10.2 ????????? (Third party service delivery management)
- A.10.3 ??????? (System planning and acceptance)
- A.10.4 ????????? (Protection against malicious and mobile code)
- A.10.5 ?? (Back-up)
- A.10.6 ?????? (Network security management)
- A.10.7 ????? (Media handling)
- A.10.8 ???? (Exchange of information)
- A.10.9 ?????? (Electronic commerce services)
- A.10.10 ?? (Monitoring)
Source: ISO 27001, CNS 27001
Slide 12: ???????
- A.10 ???????
- A.10.6 ??????
- ?? ????????????????????
- A.10.7 ?????
- ?? ?????????????????????, ??????????
- A.10.8 ????
- ?? ?????????????????????????
- A.10.9 ??????
- ?? ????????????????????
- A.10.10 ??
- ?? ??????????????
Source: ISO 27001, CNS 27001
Slide 13: A.10.9 ???????? ????????????????????
- A.10.9.1 ????
- A.10.9.2 ????
- A.10.9.3 ???????
Source: ISO 27001, CNS 27001
Slide 14: A.10.9.1 ????
- ????
- ?????????????????????, ????????????????????????
Source: ISO 27001, CNS 27001
Slide 15: A.10.9.2 ????
- ????
- ????????????, ??????????????(mis-routing)?????? ??????????????????????????
Source: ISO 27001, CNS 27001
Slide 16: A.10.9.3 ???????
- ????
- ???????????????????, ???????????
Source: ISO 27001, CNS 27001
Slide 17: ISO 27001:2005 ? ISO 27001:2013
Source: http://www.fineart-tech.com/index.php/ch/home-2/90-fineart-express/coverstory/394-coverstory-2014-q2-1
Slide 18: ISO 27001:2013 14?????
Source: http://www.fineart-tech.com/index.php/ch/home-2/90-fineart-express/coverstory/394-coverstory-2014-q2-1
Slide 19: ISO 27001:2005 ? ISO 27001:2013 Annex A (normative) ??A (??)
- 11 ????? ? 14
- 39 ????? ? 35
- 133 ????? ? 114
Source: ISO/IEC 27001:2013
Slide 20: ISO/IEC 27001:2013 ???
Source: http://www.fineart-tech.com/index.php/ch/home-2/90-fineart-express/coverstory/394-coverstory-2014-q2-1
Slide 21: ISO 27001 ISMS ?????????????
ISO 27001:2005                 | ISO 27001:2013
A.10.9.1 Electronic commerce   | A.14.1.2 Securing application services on public networks
A.10.9.2 Online-transactions   | A.14.1.3 Protecting application services transactions
Source: http://www.bsigroup.com/Documents/iso-27001/resources/BSI-ISO27001-mapping-guide-UK-EN.pdf
Slide 22: ISO 27001:2013 6.1.3 Information security risk treatment (Annex A Control Objectives and Controls) (??A ?????????)
Source: ISO/IEC 27001:2013
Slide 23: ISO 27001:2013 A.14.1 Security requirements of information systems
- Objective: To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks.
Source: ISO/IEC 27001:2013
Slide 24: ISO/IEC 27001:2013
- A.14 System acquisition, development and maintenance
- A.14.1 Security requirements of information systems
- A.14.1.1 Information security requirements analysis and specification
- A.14.1.2 Securing application services on public networks (ISO 27001:2005 A.10.9.1 Electronic commerce)
- A.14.1.3 Protecting application services transactions (ISO 27001:2005 A.10.9.2 Online-transactions)
Source: ISO/IEC 27001:2013
Slide 25: ISO 27001:2013 A.14.1.2 Securing application services on public networks (ISO 27001:2005 A.10.9.1 Electronic commerce)
Source: ISO/IEC 27001:2013
Slide 26: ISO 27001:2013 A.14.1.3 Protecting application services transactions (ISO 27001:2005 A.10.9.2 Online-transactions)
Source: ISO/IEC 27001:2013
Slide 27: ISO 27001:2013 A.14.1.2 Securing application services on public networks (Electronic commerce)
Control: Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification.
Source: ISO/IEC 27001:2013
Slide 28: ISO 27001:2013 A.14.1.3 Protecting application services transactions (Online-transactions)
Control: Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.
Source: ISO/IEC 27001:2013
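The A.14.1.3 control above lists the failure modes a transaction must be protected against but says nothing about mechanism. The Go program below is an added illustration written for this page, not code from the lecture or from ISO; it shows how a receiving endpoint can check for four of the five on one transaction frame: a declared length for incomplete transmission, an HMAC-SHA256 tag for unauthorized alteration, a recipient field bound under the tag for mis-routing, and a random per-transaction id that the receiver remembers for duplication or replay. The frame layout, the shared key, the merchant names and the order body are all constructed for the example; unauthorized disclosure is not addressed here, since in practice such a frame would travel inside a TLS/SSL session.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed frame layout (an assumption made for this example, not a standard):
//   id(16) || recipient(16, zero padded) || bodyLen(4, big-endian) || body || HMAC-SHA256(32)
const (
	idLen   = 16
	rcptLen = 16
	hdrLen  = idLen + rcptLen + 4
	macLen  = sha256.Size
)

var (
	ErrTruncated = errors.New("incomplete transmission: frame length does not match declared length")
	ErrTampered  = errors.New("unauthorized alteration: MAC mismatch")
	ErrMisrouted = errors.New("mis-routing: frame is addressed to another party")
	ErrReplay    = errors.New("duplication/replay: transaction id already processed")
)

// Seal builds one transaction frame under a key shared by sender and receiver. The random
// id makes every frame unique, the recipient field ties it to one endpoint, the length
// field exposes truncation, and the MAC covers all of it.
func Seal(key []byte, recipient string, body []byte) ([]byte, error) {
	if len(recipient) > rcptLen {
		return nil, fmt.Errorf("recipient name longer than %d bytes", rcptLen)
	}
	frame := make([]byte, hdrLen, hdrLen+len(body)+macLen)
	if _, err := rand.Read(frame[:idLen]); err != nil {
		return nil, err
	}
	copy(frame[idLen:idLen+rcptLen], recipient)
	binary.BigEndian.PutUint32(frame[idLen+rcptLen:hdrLen], uint32(len(body)))
	frame = append(frame, body...)
	mac := hmac.New(sha256.New, key)
	mac.Write(frame)
	return mac.Sum(frame), nil // Sum appends the tag to the frame
}

// Receiver is one endpoint. It remembers accepted ids so that a duplicated or
// replayed frame is rejected even though its MAC still verifies.
type Receiver struct {
	key    []byte
	padded string // own name, zero padded to rcptLen, for a direct field compare
	seen   map[[idLen]byte]bool
}

func NewReceiver(key []byte, name string) *Receiver {
	p := make([]byte, rcptLen)
	copy(p, name)
	return &Receiver{key: key, padded: string(p), seen: make(map[[idLen]byte]bool)}
}

// Open checks a frame for each failure mode and returns the body. The MAC is verified
// before any header field is trusted, so a forged recipient or id is never acted on.
func (r *Receiver) Open(frame []byte) ([]byte, error) {
	if len(frame) < hdrLen+macLen {
		return nil, ErrTruncated
	}
	bodyLen := int(binary.BigEndian.Uint32(frame[idLen+rcptLen : hdrLen]))
	if len(frame) != hdrLen+bodyLen+macLen {
		return nil, ErrTruncated
	}
	signed, tag := frame[:hdrLen+bodyLen], frame[hdrLen+bodyLen:]
	mac := hmac.New(sha256.New, r.key)
	mac.Write(signed)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, ErrTampered
	}
	if string(frame[idLen:idLen+rcptLen]) != r.padded {
		return nil, ErrMisrouted
	}
	var id [idLen]byte
	copy(id[:], frame[:idLen])
	if r.seen[id] {
		return nil, ErrReplay
	}
	r.seen[id] = true
	return append([]byte(nil), frame[hdrLen:hdrLen+bodyLen]...), nil
}

func main() {
	key := []byte("constructed demo key, not a real secret")
	merchant := NewReceiver(key, "merchant-A")
	frame, _ := Seal(key, "merchant-A", []byte(`{"order":"1001","amount":"250.00"}`)) // constructed order
	body, err := merchant.Open(frame)
	fmt.Printf("first delivery: %s (err=%v)\n", body, err)
	_, err = merchant.Open(frame)
	fmt.Println("same frame again:", err)
	_, err = NewReceiver(key, "merchant-A").Open(frame[:len(frame)-3])
	fmt.Println("cut-off frame:", err)
	_, err = NewReceiver(key, "merchant-B").Open(frame)
	fmt.Println("delivered to wrong merchant:", err)
}
```

Because the id, the recipient and the length all sit under the MAC, an attacker who redirects, trims or re-sends a frame trips a different check each time, and the receiver can log which property failed; a real deployment would also bound the `seen` set with a time window rather than keeping it forever.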
Slide 29: Outline
- 1. ISO 27001 ?????????? (ISO 27001 Information Security Management System)
- 2. ???????? (Electronic Commerce Security Framework)
- 3. ???? (Transaction Security)
- 4. ?????? (Electronic Payment System)
- 5. ?????? (Mobile Commerce Security)
Slide 30: Ravi Kalakota and Andrew B. Whinston (1997), Electronic Commerce: A Manager's Guide, Addison-Wesley
Source: http://www.amazon.com/Electronic-Commerce-A-Managers-Guide/dp/0201880679
Slide 31: Generic Framework for Electronic Commerce
- Electronic Commerce Applications: supply chain management, video on demand, remote banking, procurement and purchasing, online marketing and advertising, home shopping
- Public policy, legal and privacy issues
- Technical standards for documents, security, and network protocols
- Common business services infrastructure (security/authentication, electronic payment, directories/catalogs)
- Messaging and information distribution infrastructure (EDI, e-mail, HyperText Transfer Protocol)
- Multimedia content and network publishing infrastructure (HTML, JAVA, World Wide Web)
- Network infrastructure (Telecom, cable TV, wireless, Internet)
Source: Ravi Kalakota and Andrew B. Whinston (1997), Electronic Commerce: A Manager's Guide, Addison-Wesley Professional
Slide 32: Turban et al. (2010), Introduction to Electronic Commerce, Third Edition, Pearson
Source: http://www.amazon.com/Introduction-Electronic-Commerce-Business-Resources/dp/0136109233
Slide 33: A Framework for Electronic Commerce
Source: Turban et al. (2010), Introduction to Electronic Commerce, Third Edition, Pearson
Slide 34: A Framework for Electronic Commerce
Source: Turban et al. (2010), Introduction to Electronic Commerce, Third Edition, Pearson
Slide 35: EC Infrastructure (1)
- Common business services infrastructure (security, smart cards/authentication, electronic payments, directories/catalogs, hardware, peripherals)
Source: Turban et al. (2010), Introduction to Electronic Commerce, Third Edition, Pearson
Slide 36: EC Support Services
- Order Fulfillment
- Logistics
- Payments
- Content
- Security System Development
Source: Turban et al. (2010), Introduction to Electronic Commerce, Third Edition, Pearson
Slide 37: E-Commerce Security and Fraud Protection
Source: Turban et al. (2010), Introduction to Electronic Commerce, Third Edition, Pearson
Slide 38: E-Commerce Security Framework
- E-Commerce Security Strategy
- Regulatory (External)
- Financial (Internal)
- Marketing and Operations (Internal)
Source: Turban et al. (2010), Introduction to Electronic Commerce, Third Edition, Pearson
Slide 39: E-Commerce Security Framework
Source: Turban et al. (2010), Introduction to Electronic Commerce, Third Edition, Pearson
Slide 40: Enterprise-wide EC Security and Privacy Model
Source: Turban et al. (2010), Introduction to Electronic Commerce, Third Edition, Pearson
Slide 41: Outline
- 1. ISO 27001 ?????????? (ISO 27001 Information Security Management System)
- 2. ???????? (Electronic Commerce Security Framework)
- 3. ???? (Transaction Security)
- 4. ?????? (Electronic Payment System)
- 5. ?????? (Mobile Commerce Security)
Slide 42: ?? (Transaction) ?? (Payment)
Slide 43: ???? (Transaction Security) ???? (Payment Security)
Slide 44: ???? (Transaction Security)
- ?????? (Non-repudiation Service)
- ???? (Security Seal)
Source: ???????? ????????
Slide 45: ?????? (Non-repudiation Service)
Source: ???????? ????????
Slide 46: ?????? (Non-repudiation Service)
- ?????????????????????(verify)??????????????,??? ??????,?????????????????????
Source: ???????? ????????
Slide 47: ?????? (Non-repudiation Service)
- ????????????????(cryptographic check value)???,????????????????????
Source: ???????? ????????
Slide 48: ?????? (Non-repudiation Service)
- ??????????????????????????(accountability)?
Source: ???????? ????????
Slide 49: ?????? (Non-repudiation Evidence)
- ?????????????????????????????(evidence subject)???????????
- ???? (Secure envelope)
- ???????(evidence generating authority)???????????
- ???? (Digital signatures)
- ??????(evidence generator)???????(evidence generating authority)????????????
Source: ???????? ????????
Slide 50: ???????? (Non-repudiation Service Requirements)
- ??????????????????????????????,???????????????? ??????,????????????????????????????
- ???????,??????????????????????????????????????????
- ??????????????????????????,????????????????,?????? ???????????
Source: ???????? ????????
Slide 51: ???????? (Non-repudiation Service Requirements)
- ???????/??????????????(??,????????,????????)?
- ??????????????????
- ?????????,?????????????????????????
- ????????????????,?????????????,??????????????????? ???????
Source: ???????? ????????
Slide 52: ???????? (Types of Non-repudiation Service)
- ?????? (Non-repudiation of origin, NRO)
- ?????? (Non-repudiation of delivery, NRD)
- ?????? (Non-repudiation of submission, NRS)
- ?????? (Non-repudiation of transport, NRT)
Source: ???????? ????????
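The non-repudiation slides above name digital signatures as one form of evidence, distinguish the evidence generator from the evidence subject, and list NRO and NRD among the service types. The Go program below is an added illustration written for this page, not code from the lecture or from any standard: the originator signs an evidence token over the message it sent (NRO), the recipient signs one over the message it received (NRD), and a third party holding only public keys verifies either token. The token layout, the Ed25519 key pairs and the order message are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"time"
)

// Evidence is a constructed non-repudiation token (an assumption for this example,
// not a standard format): which service it supports, the generator's public key,
// a digest of the message it refers to, a timestamp, and the generator's signature.
type Evidence struct {
	Kind      string            // "NRO" (origin) or "NRD" (delivery)
	Generator ed25519.PublicKey // the evidence generator's verification key
	Digest    [32]byte          // SHA-256 of the message the evidence covers
	Timestamp int64             // unix seconds, bound into the signed data
	Sig       []byte
}

// NewParty creates a fresh Ed25519 key pair for one participant.
func NewParty() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// signedInput fixes exactly what the signature covers: kind || digest || timestamp,
// so a token issued for one purpose cannot be relabelled for another.
func signedInput(kind string, digest [32]byte, ts int64) []byte {
	in := append([]byte(kind), digest[:]...)
	var t [8]byte
	binary.BigEndian.PutUint64(t[:], uint64(ts))
	return append(in, t[:]...)
}

func generate(kind string, priv ed25519.PrivateKey, msg []byte, ts int64) Evidence {
	d := sha256.Sum256(msg)
	return Evidence{
		Kind:      kind,
		Generator: priv.Public().(ed25519.PublicKey),
		Digest:    d,
		Timestamp: ts,
		Sig:       ed25519.Sign(priv, signedInput(kind, d, ts)),
	}
}

// ProofOfOrigin (NRO): the originator generates evidence that it sent msg.
func ProofOfOrigin(originator ed25519.PrivateKey, msg []byte, ts int64) Evidence {
	return generate("NRO", originator, msg, ts)
}

// ProofOfDelivery (NRD): the recipient generates evidence that it received msg.
func ProofOfDelivery(recipient ed25519.PrivateKey, msg []byte, ts int64) Evidence {
	return generate("NRD", recipient, msg, ts)
}

// Verify lets any third party holding only public keys check that the evidence was
// produced by the expected party over exactly this message. A shared-key MAC could
// not give this: both parties hold the key, so either could have produced the tag.
func Verify(ev Evidence, msg []byte, expected ed25519.PublicKey) bool {
	if ev.Kind != "NRO" && ev.Kind != "NRD" {
		return false
	}
	if !expected.Equal(ev.Generator) {
		return false
	}
	if sha256.Sum256(msg) != ev.Digest {
		return false
	}
	return ed25519.Verify(ev.Generator, signedInput(ev.Kind, ev.Digest, ev.Timestamp), ev.Sig)
}

func main() {
	alicePub, alicePriv := NewParty() // originator
	bobPub, bobPriv := NewParty()     // recipient
	order := []byte(`{"order":"1001","amount":"250.00"}`) // constructed message

	now := time.Now().Unix()
	nro := ProofOfOrigin(alicePriv, order, now)  // Alice cannot later deny sending it
	nrd := ProofOfDelivery(bobPriv, order, now)  // Bob cannot later deny receiving it

	fmt.Println("NRO valid:", Verify(nro, order, alicePub))
	fmt.Println("NRD valid:", Verify(nrd, order, bobPub))
	fmt.Println("NRO over a different order:", Verify(nro, []byte(`{"order":"1001","amount":"25.00"}`), alicePub))
	fmt.Println("NRO attributed to Bob:", Verify(nro, order, bobPub))
}
```

The adjudicator needs nothing secret to settle a dispute, which is the property the slides call accountability; what the example leaves out is the binding of each public key to an identity, which in SET and similar schemes is the certificate authority's job.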
Slide 53: UsernameToken over HTTPS
Source: http://docs.wso2.com/display/DSS263/GraphicalViewoftheDefaultSecurityScenarios
Slide 54: Non-Repudiation
Source: http://docs.wso2.com/display/DSS263/GraphicalViewoftheDefaultSecurityScenarios
Slide 55: ???? (Security Seal)
Slide 56: ????????
?????????? ?????????? ?????????? ?????????? ??????????
???? Hacker Safe HackAlert Worry Free Security Web Alert
????
???? McAfee ???? ???? ????
???? ?????? ??????????? ??????????????? ???????????????
???
???
Source: ???????? ????????
Slide 57: ???? (Trust Seal)
?????? ?????? ?????? ?????? ??????
???? ?????????? GlobalTrust ?????? ???????? ???????????
????
???? VeriSign/ HiTRUST ???? ???? ???????????? ????????????
???? SSL?????? SSL?????? ?????????????? ???????????????
???
???
Source: ???????? ????????
Slide 58: ???? (Trust Seal)
?????? ?????? ?????? ?????? ??????
???? ??????? ????????? ????????? ???? ????
????
???? ?????????? ?????????? ????????????? ?????????????
???? ???????????? ???????????? ???????????? ????????????
Source: ???????? ????????
Slide 59: ???? (Trust Seal)
?????? ?????? ?????? ?????? ??????
???? TWCA ?????????? ???????? Geotrust ISO/IEC 27001
????
???? ???????? ???????? WIS??SSL?????? BSI
???? SSL?????? SSL?????? SSL?????? ??????
Source: ???????? ????????
Slide 60: Which Site Seal do People Trust the Most? (2013 Survey Results)
Source: http://baymard.com/blog/site-seal-trust
Slide 61: Outline
- 1. ISO 27001 ?????????? (ISO 27001 Information Security Management System)
- 2. ???????? (Electronic Commerce Security Framework)
- 3. ???? (Transaction Security)
- 4. ?????? (Electronic Payment System)
- 5. ?????? (Mobile Commerce Security)
Slide 62: ????
- ?????????????,?????????,??????????????
- ????
- ????
- ????
- ?????
- ???????
- ?????
- ?????
Source: ???????? ????????
Slide 63: ????????
- ???
- ?????????????????????????
- ???
- ????????????????????????????
- ???
- ??????????????
- ???
- ????????????
Source: ???????? ????????
Slide 64: ????????-???
- ????????????????
- ???(Authenticity)
- ??????????,???????
- ???(Confidentiality)
- ??????(???)??????
- ???(Integrity)
- ????????????????
- ?????(Non-repudiation)
- ????????, ????????,????
Source: ???????? ????????
Slide 65: ????????-???(?)
- ?????
- ??????????IC?,?????
- ?????
- ??????????????????????
- ???(Scalability)
- ??????????????
- ??
- ??????????????
- ??
- ?????????,?????????
Source: ???????? ????????
Slide 66: ????????-???
- ????(Cost of transaction)
- ????????????,????????
- ?????(Atomic exchange)
- ?????,???????????????
- ?????(User reach)
- ????????????(?????)
- ??????(Value mobility)
- ????????????????,?????
- ????(Financial risk)
- ????????????????????
Source: ???????? ????????
Slide 67: ????????-???
- ???(Anonymity)
- ????,?????????????????
- ?????(User friendliness)
- ????????,????????
- ????(Mobility)
- ?????????????
Source: ???????? ????????
Slide 68: ???????
Source: ???????? ????????
Slide 69: ???????
- ?????(???)?????,???????(???)
- ??????(??)
- ?????????????????????
- ????????????,??????????,?????????????
- ????
- ?????????????????
- ????????????????
Source: ???????? ????????
Slide 70: ?????
Source: ???????? ????????
Slide 71: ?????
- ????????,??????????????,???????
- ????
- ???????????????????
- ??????????(???????????)????????
Source: ???????? ????????
Slide 72: ???????
- ????????
- ????
- ??
- ??
- ???????
- ????????
- ????
- ????
- ????????
- ??????
Source: ???????? ????????
Slide 73: ????????
Diagram: ???(??), ????(??), ????? ???????, ????
(1) ?????????
(2) ???????? ????
(3) ???????
(4) ????(??)
(5) ????
(6) ??
(7) ????
(8) ??
Source: ???????? ????????
Slide 74: ?????????
- ?????,???????????????
- ????
- ??????,??????
- ?????,?SSL??
- ????????????????
- ????????,?SET??
- ?????????,?????,????
Source: ???????? ????????
Slide 75: SSL ??
- SSL??Secure Sockets Layer Protocol
- ??(Netscape)???1994???
- ?????????????????,???????????????????
- ?????(40?128??),??????????????
- ?????????????(?RSA)???????????
Source: ???????? ????????
Slide 76: ?????????-SSL
Source: ???????? ????????
Slide 77: ????
- ??
- ????,????
- ????,?????????
- ?????????,??????????
- ??
- ????????????????
- ????????
Source: ???????? ????????
Slide 78: ????????SET
Source: ???????? ????????
Slide 79: SET ????
- SET: Secure Electronic Transaction ????????
- Visa?MasterCard????????????????????,?????????,???? ???????,?IBM?HP?Microsoft???????
- 1996???,1998????????
- ?????????????????????
Source: ???????? ????????
Slide 80: SET ????
- ???(Cardholder)
- ???SET???????(Electronic Wallet)?????????????????? ?
- ????(Merchant Server)
- ????(Issuer)
- ????(Acquirer)
- ????(Payment Gateway)
- ?????????
- ??????(Certificate Authority)
- ???????,??????,??????
Source: ???????? ????????
Slide 81: SET ?????
Source: ???????? ????????
Slide 82: SET ???????
- ?????????????
- ????
- ??????????????????
- ????
- ???????(??????)??????
- ?????????
- ??????????????????
- ??????????
Source: ???????? ????????
Slide 83: SET ??????
- ?????(Registration)
- ????CA??,??????????SET??????????????
- ??????
- ?CA???????????
Source: ???????? ????????
Slide 84: SET ??????(?)
- ????(Purchase Request)??
- ???????????(???????)
- ????????????,???????????????
- ???????????(OI)?????(PI),??PI?????????,???????????
- ??????OI???,????????,?????????
Source: ???????? ????????
Slide 85: SET ??????(?)
- ????(Payment Authority)??
- ????????????PI?????,?????(Digital Envelope)??????,????????,??????
- ????????PI?????????????,????????????
- ???????,??????????,???????(Capture Token)??????
Source: ???????? ????????
Slide 86: SET ??????(?)
- ????(Payment Capture)??
- ??????????????,??????
- ????????????,???(??)?????????
- ?????,????????????,??????
Source: ???????? ????????
Slide 87: SET ????
- ??
- ????,????????????
- ???????????????,?????????????
- ???????,????????
- ??
- ????????????(PKI)?,????
- ?????????,????,????
- ??????????????,????
Source: ???????? ????????
Slide 88: SET ??????
- ??????????????????,?????????????????
- ????
- Visa: VbV (Verified by Visa)
- MasterCard: SecureCode
- JCB: J/Secure
- ????
- ????????????????
- ??????????,?????????
Source: ???????? ????????
Slide 89: ???????
Source: ???????? ????????
Slide 90: ???
- ???Smart Card,??IC?????
- ?????????????,??????????
- ????????
- ????
- ??????,????????
- ????,?????iCash
Source: ???????? ????????
Slide 91: ??????
- ???????,????????(????????),??????,??
- ??????
- ?????????????????
- ????????(ATM)??????????(???)?????
- ???????????????????????,????????????(Loyalty)?????
Source: ???????? ????????
Slide 92: ???(????)
- ???????????,???????,?????
- ?????????(?)??,???????????
- ?????,?????????????,????????
- ????
- ??????,?????????????
- ????????,??????????
Source: ???????? ????????
Slide 93: ??????
- ??????
- ???(Stored Value)???(Pre-paid)
- ????????????,??????????????????????
- ??
- ???(????)
- ????????????
- ???????,??????????
Source: ???????? ????????
Slide 94: ???????
- ????Electronic Purse
- ???????????????????,?????????
- ????????????,???????
- ??
- ????,??????
- ?????,???????
- ??????????
- ???????
- ?????????????
Source: ???????? ????????
Slide 95: Outline
- 1. ISO 27001 ?????????? (ISO 27001 Information Security Management System)
- 2. ???????? (Electronic Commerce Security Framework)
- 3. ???? (Transaction Security)
- 4. ?????? (Electronic Payment System)
- 5. ?????? (Mobile Commerce Security)
Slide 96: Mobile Commerce (m-commerce or m-business)
- Any business activity conducted over a wireless telecommunications network or from mobile devices.
Source: Turban et al. (2010), Introduction to Electronic Commerce, Third Edition, Pearson
Slide 97: (untitled)
Source: Turban et al. (2010), Introduction to Electronic Commerce, Third Edition, Pearson
Slide 98: Attributes of M-Commerce
- Ubiquity
- Convenience
- Interactivity
- Personalization
- Localization
Source: Turban et al. (2010), Introduction to Electronic Commerce, Third Edition, Pearson
Slide 99: Mobile Computing (wireless mobile computing)
- Computing that connects a mobile device to a network or another computing device, anytime, anywhere.
Source: Turban et al. (2010), Introduction to Electronic Commerce, Third Edition, Pearson
Slide 100: Mobile Financial Applications
- Mobile Banking
- Mobile Payments
Source: Turban et al. (2010), Introduction to Electronic Commerce, Third Edition, Pearson
Slide 101: Mobile Marketing Campaigns
- Information (??)
- Entertainment (??)
- Raffles (??)
- Coupons (???)
Source: Turban et al. (2010), Introduction to Electronic Commerce, Third Edition, Pearson
Slide 102: Mobile Marketing and Advertising
- Building brand awareness
- Changing brand image
- Promoting sales
- Enhancing brand loyalty
- Building customer databases
- Stimulating mobile word of mouth
Source: Turban et al. (2010), Introduction to Electronic Commerce, Third Edition, Pearson
Slide 103: A day with NFC technology
Slides 104-109: A day with NFC technology
Source: https://www.youtube.com/watch?v=_64mAcOn444
Slide 110: Mobile Security Threats
- Toll Fraud (????)
- Ransomware (????)
- Mobile Payments via NFC (NFC ????)
Source: http://mcommerce-explorer.blogspot.tw/2013/03/top-5-mobile-security-threats-2013.html
Slide 111: Toll Fraud
Source: http://mcommerce-explorer.blogspot.tw/2013/03/top-5-mobile-security-threats-2013.html
Slide 112: Toll Fraud
Source: http://mcommerce-explorer.blogspot.tw/2013/03/top-5-mobile-security-threats-2013.html
Slide 113: Ransomware
Source: http://en.wikipedia.org/wiki/Ransomware
Slide 114: Ransomware
Source: http://www.pcworld.com/article/2032767/ransomware-boosts-credibility-by-reading-victims-browsers.html
Slide 115: Mobile Payments via NFC
- steal your money via the classic "bump and infect" method; this means that NFC is actually acting as an enabler for theft.
Source: http://mcommerce-explorer.blogspot.tw/2013/03/top-5-mobile-security-threats-2013.html
Slide 116: Mobile Payments Security
Source: http://www.mobilecommercepress.com/merchants-becoming-conscious-mobile-payments-security/8511441/
Slide 117: Mobile Security Worm Threat Targets Android Devices
Source: http://www.mobilecommercepress.com/mobile-security-worm-threat-targets-android-devices/8512823/
Slide 118: NFC
Source: http://www.elatec-cards.com/products/telecom/nfc/nfc-sim-cards/
Slide 119: Mobile Commerce Security
Diagram components: secured mobile Internet network, firewall, merchant server, payment service provider (PSP), bank.
1. Generate a unique fingerprint for every transaction
2. Transmits encrypted transaction from mobile to server
3. Validates unique inbound mobile transaction fingerprint
4. Requests and processes payment authorization from PSP
Source: http://ecommercesecurity.co.uk/
Slide 120: References
- Turban et al. (2010), Introduction to Electronic Commerce, Third Edition, Pearson
- ???????? ????????
Slide 121: Tamkang University
Q & A
Electronic Commerce Transaction Security (????????)
?? 2014/7/03 (?) 14:00-17:00 ???????????? R0111 ???
(???????????318?1?)
Min-Yuh Day ??? Assistant Professor ?????? Dept. of Information Management, Tamkang University ???? ?????? http://mail.tku.edu.tw/myday/ 2014-07-03