Electronic Commerce: Transaction Security (????????)

About This Presentation

Title:

Electronic Commerce: Transaction Security (????????)

Description:

Title: Electronic Commerce: Transaction Security ( ) Subject: Electronic Commerce: Transaction Security ( ) – PowerPoint PPT presentation

Number of Views:489

Avg rating:3.0/5.0

Slides: 122

Provided by: myday

Category:

more less

Transcript and Presenter's Notes

Title: Electronic Commerce: Transaction Security (????????)

1
Tamkang University
Electronic Commerce Transaction
Security(????????)
??2014/7/03 (?) 14001700????????????R0111???
(???????????318?1?)
Min-Yuh Day ??? Assistant Professor ?????? Dept.
of Information Management, Tamkang
University ???? ?????? http//mail.
tku.edu.tw/myday/ 2014-07-03
2
?????????(Consumer Facing Transaction)
Source http//www.systex.com.tw/
3
Outline

1. ISO 27001 ??????????
(ISO 27007 Information Security Management
System)
2. ???????? (Electronic Commerce Security
Framework)
3. ????
(Transaction Security)
4. ??????
(Electronic Payment System)
5. ??????
(Mobile Commerce Security)

4
ISO 27001????????(Information Security
Management System, ISMS)

???????? (Information Security Management System,
ISMS)
??????????, ???????(??)???, ??????????????????????
?????
?? ??????????????????????????????????
Information Security Management System (ISMS)
that part of the overall management system, based
on a business risk approach, to establish,
implement, operate, monitor, review, maintain and
improve information security
NOTE The management system includes
organizational structure, policies, planning
activities, responsibilities, practices,
procedures, processes and resources.

Source ISO/IEC 270012005, CNS 27001
5
???? (information security)

???? (information security)
???????????????? ??, ??????????????????????????
? CNS 17799
information security
preservation of confidentiality, integrity and
availability of information in addition, other
properties such as authenticity, accountability,
non-repudiation and reliability can also be
involved ISO/IEC 177992005

Source ISO/IEC 270012005, CNS 27001
6
Information Security (CIA)

Confidentiality (???)
Integrity (???)
Availability (???)
Authenticity (???)
Accountability (????)
Non-repudiation (?????)
Reliability (???)

Source ISO/IEC 270012005, CNS 27001
7
PDCA model applied to ISMS processes
Source ISO/IEC 270012005
8
??? ISMS ???PDCA ??
Source CNS 27001
9
ISO 27001 Annex A (normative)??A (??)

11 ????? (??A.5 - A.15)
39 ?????
133 ?????
ISO/IEC 177992005 Clauses 5 to 15 provide
implementation advice and guidance on best
practice in support of the controls specified in
A.5 to A.15.
CNS 17799 ?5 ???15 ????????A.5 ?A.15
??????????????????????

Source ISO/IEC 270012005, CNS 27001
10
ISO 27001 ??A.5-A.15

A.5 ????
A.6 ???????
A.7 ????
A.8 ??????
A.9 ???????
A.10 ???????
A.11 ????
A.12 ????????????
A.13 ????????
A.14 ??????
A.15 ???

Source ISO 27001, CNS 27001
11
ISO 270012005 A.10 ??????? (Communications and
operations management)

A.10.1 ???????? (Operational procedures and
responsibilities)
A.10.2 ????????? (Third party service delivery
management)
A.10.3 ??????? (System planning and acceptance)
A.10.4 ????????? (Protection against malicious
and mobile code)
A.10.5 ?? (Back-up)
A.10.6 ?????? (Network security management)
A.10.7 ????? (Media handling)
A.10.8 ???? (Exchange of information)
A.10.9 ?????? (Electronic commerce services)
A.10.10 ?? (Monitoring)

Source ISO 27001, CNS 27001
12
???????

A.10 ???????
A.10.6 ??????
?? ????????????????????
A.10.7 ?????
?? ?????????????????????, ??????????
A.10.8 ????
?? ?????????????????????????
A.10.9 ??????
?? ????????????????????
A.10.10 ??
?? ??????????????

Source ISO 27001, CNS 27001
13
A.10.9 ???????? ????????????????????

A.10.9.1 ????
A.10.9.2 ????
A.10.9.3 ???????

Source ISO 27001, CNS 27001
14
A.10.9.1 ????

????
?????????????????????, ????????????????????????

Source ISO 27001, CNS 27001
15
A.10.9.2 ????

????
????????????, ??????????????(mis-routing)??????
??????????????????????????

Source ISO 27001, CNS 27001
16
A.10.9.3 ???????

????
???????????????????, ???????????

Source ISO 27001, CNS 27001
17
ISO270012005 ? ISO270012013
Source http//www.fineart-tech.com/index.php/ch/h
ome-2/90-fineart-express/coverstory/394-coverstory
-2014-q2-1
18
ISO270012013 14?????
Source http//www.fineart-tech.com/index.php/ch/h
ome-2/90-fineart-express/coverstory/394-coverstory
-2014-q2-1
19
ISO 270012005 ?ISO 270012013 Annex A
(normative)??A (??)

11 ????? ? 14
39 ????? ? 35
133 ????? ? 114

Source ISO/IEC 270012013
20
ISO/IEC 270012013???
Source http//www.fineart-tech.com/index.php/ch/h
ome-2/90-fineart-express/coverstory/394-coverstory
-2014-q2-1
21
ISO27001 ISMS?????????????
ISO270012005 ISO270012013
A.10.9.1 Electronic commerce A.14.1.2 Securing applications services on public networks
A.10.9.2 Online-transactions A.14.1.3 Protecting application services transactions
Source http//www.bsigroup.com/Documents/iso-2700
1/resources/BSI-ISO27001-mapping-guide-UK-EN.pdf
22
ISO 270012013 6.1.3 Information security risk
treatment(Annex A Control Objectives and
Controls)(??A ?????????)
Source ISO/IEC 270012013
23
ISO270012013 A14.1Security requirements of
information systems

Objective To ensure that information security
is an integral part of information systems across
the entire lifecycle. This also include the
requirements for information systems which
provide services over public networks.

Source ISO/IEC 270012013
24
ISO/IEC 270012013

A.14 System acquisition, development and
maintenance
A14.1Security requirements of information
systems
A14.1.1 Information security requirements
analysis and specification
A14.1.2 Securing application services on public
networks (ISO270012005 A.10.9.1 Electronic
commerce)
A14.1.3 Protecting application services
transactions(ISO270012005 A.10.9.2
Online-transactions)

Source ISO/IEC 270012013
25
ISO270012013A14.1.2 Securing application
services on public networks (ISO270012005
A.10.9.1 Electronic commerce)
Source ISO/IEC 270012013
26
ISO270012013A14.1.3 Protecting application
services transactions(ISO270012005 A.10.9.2
Online-transactions)
Source ISO/IEC 270012013
27
ISO270012013A14.1.2 Securing application
services on public networks (Electronic
commerce)ControlInformation involved in
application services passing over public
networks shall be protected from fraudulent
activity, contract dispute and unauthorized
disclosure and modification.
Source ISO/IEC 270012013
28
ISO270012013A14.1.3 Protecting application
services transactions(Online-transactions)
ControlInformation involved in application
service transactions shall be protected to
prevent incomplete transmission, mis-routing,
unauthorized message alteration, unauthorized
disclosure, unauthorized message duplication or
replay.
Source ISO/IEC 270012013
29
Outline

1. ISO 27001 ??????????
(ISO 27007 Information Security Management
System)
2. ???????? (Electronic Commerce Security
Framework)
3. ????
(Transaction Security)
4. ??????
(Electronic Payment System)
5. ??????
(Mobile Commerce Security)

30
Ravi Kalakota Andrew B. Whinston (1997),
Electronic Commerce A Manager's Guide,
Addison-Wesley
Source http//www.amazon.com/Electronic-Commerce-
A-Managers-Guide/dp/0201880679
31
Generic Framework for Electronic Commerce

Electronic Commerce Applications
Supply chain management
Video on demand
Remote banking
Procurement and purchasing
Online marketing and advertising
Home shopping

Public policy legal and privacy issues
Technical standards for documents, security,
and network protocols
Common business services infrastructure(security/
authentication, electronic payment,
directories/catalogs)
Messaging and information distribution
infrastructure(EDI, e-mail, HyperText Transfer
Protocol)
Multimedia content and network publishing
infrastructure (HTML, JAVA, World Wide Web)
Network infrastructure (Telecom, cable TV,
wireless, Internet)
Source Ravi Kalakota Andrew B. Whinston
(1997), Electronic Commerce A Manager's Guide,
Addison-Wesley Professional
32
Turban et al. (2010),Introduction to Electronic
Commerce, Third Edition, Pearson
Source http//www.amazon.com/Introduction-Electro
nic-Commerce-Business-Resources/dp/0136109233
33
A Framework for Electronic Commerce
Source Turban et al. (2010),Introduction to
Electronic Commerce, Third Edition, Pearson
34
A Framework for Electronic Commerce
Source Turban et al. (2010),Introduction to
Electronic Commerce, Third Edition, Pearson
35
EC Infrastructure (1)

Common business services infrastructure
(security, smart cards/authentication,
electronic payments, directories/catalogs,
hardware, peripherals)

Source Turban et al. (2010),Introduction to
Electronic Commerce, Third Edition, Pearson
36
ECSupport Services

Order Fulfillment
Logistics
Payments
Content
Security System Development

Source Turban et al. (2010),Introduction to
Electronic Commerce, Third Edition, Pearson
37
E-Commerce Security andFraud Protection
Source Turban et al. (2010),Introduction to
Electronic Commerce, Third Edition, Pearson
38
E-Commerce Security Framework
E-Commerce Security Strategy
Regulatory (External)
Financial (Internal)
Marketing and Operations (Internal)
Source Turban et al. (2010),Introduction to
Electronic Commerce, Third Edition, Pearson
39
E-Commerce Security Framework
Source Turban et al. (2010),Introduction to
Electronic Commerce, Third Edition, Pearson
40
Enterprise-wide EC Security and Privacy Model
Source Turban et al. (2010),Introduction to
Electronic Commerce, Third Edition, Pearson
41
Outline

1. ISO 27001 ??????????
(ISO 27007 Information Security Management
System)
2. ???????? (Electronic Commerce Security
Framework)
3. ????
(Transaction Security)
4. ??????
(Electronic Payment System)
5. ??????
(Mobile Commerce Security)

42
?? (Transaction)?? (Payment)
43
???? (Transaction Security)???? (Payment
Security)
44
???? (Transaction Security)

??????(Non-repudiation Service)
???? (Security Seal)

Source ???????? ????????
45
?????? (Non-repudiation Service)

????????,????????????

Source ???????? ????????
46
?????? (Non-repudiation Service)

?????????????????????(verify)??????????????,???
??????,?????????????????????

Source ???????? ????????
47
?????? (Non-repudiation Service)

????????????????(cryptographic check
value)???,????????????????????

Source ???????? ????????
48
?????? (Non-repudiation Service)

??????????????????????????(accountability)?

Source ???????? ????????
49
?????? (Non-repudiation Evidence)

?????????????????????????????(evidence
subject)???????????
???? (Secure envelope)
???????(evidence generating authority)???????????
???? (Digital signatures)
??????(evidence generator)???????(evidence
generating authority)????????????

Source ???????? ????????
50
???????? (Non-repudiation Service Requirements)

??????????????????????????????,????????????????
??????,????????????????????????????
???????,??????????????????????????????????????????
??????????????????????????,????????????????,??????
???????????

Source ???????? ????????
51
???????? (Non-repudiation Service Requirements)

???????/??????????????(??,????????,????????)?
??????????????????
?????????,?????????????????????????
????????????????,?????????????,???????????????????
???????

Source ???????? ????????
52
???????? (Types of Non-repudiation Service)

?????? (Non-repudiation of origin NRO)
?????? (Non-repudiation of delivery NRD)
?????? (Non-repudiation of submission NRS)
?????? (Non-repudiation of transport NRT)

Source ???????? ????????
53
UsernameToken over HTTPS
Source http//docs.wso2.com/display/DSS263/Graphi
calViewoftheDefaultSecurityScenarios
54
Non-Repudiation
Source http//docs.wso2.com/display/DSS263/Graphi
calViewoftheDefaultSecurityScenarios
55
???? (Security Seal)

????????
????

56
????????
?????????? ?????????? ?????????? ?????????? ??????????
???? Hacker Safe HackAlert Worry Free Security Web Alert
????
???? McAfee ???? ???? ????
???? ?????? ??????????? ??????????????? ???????????????
???
???
Source ???????? ????????
57
???? (Trust Seal)
?????? ?????? ?????? ?????? ??????
???? ?????????? GlobalTrust ?????? ???????? ???????????
????
???? VeriSign/ HiTRUST ???? ???? ???????????? ????????????
???? SSL?????? SSL?????? ?????????????? ???????????????
???
???
Source ???????? ????????
58
???? (Trust Seal)
?????? ?????? ?????? ?????? ??????
???? ??????? ????????? ????????? ???? ????
????
???? ?????????? ?????????? ????????????? ?????????????
???? ???????????? ???????????? ???????????? ????????????
Source ???????? ????????
59
???? (Trust Seal)
?????? ?????? ?????? ?????? ??????
???? TWCA ?????????? ???????? Geotrust ISO/IEC 27001
????
???? ???????? ???????? WIS??SSL?????? BSI
???? SSL?????? SSL?????? SSL?????? ??????
Source ???????? ????????
60
Which Site Seal do People Trust the Most? (2013
Survey Results)
Source http//baymard.com/blog/site-seal-trust
61
Outline

1. ISO 27001 ??????????
(ISO 27007 Information Security Management
System)
2. ???????? (Electronic Commerce Security
Framework)
3. ????
(Transaction Security)
4. ??????
(Electronic Payment System)
5. ??????
(Mobile Commerce Security)

62
????

?????????????,?????????,??????????????
????
????
????
?????
???????
?????
?????

Source ???????? ????????
63
????????

???
?????????????????????????
???
????????????????????????????
???
??????????????
???
????????????

Source ???????? ????????
64
????????-???

????????????????
???(Authenticity)
??????????,???????
???(Confidentiality)
??????(???)??????
???(Integrity)
????????????????
?????(Non-repudiation)
????????, ????????,????

Source ???????? ????????
65
????????-???(?)

?????
??????????IC?,?????
?????
??????????????????????
???(Scalability)
??????????????
??
??????????????
??
?????????,?????????

Source ???????? ????????
66
????????-???

????(Cost of transaction)
????????????,????????
?????(Atomic exchange)
?????,???????????????
?????(User reach)
????????????(?????)
??????(Value mobility)
????????????????,?????
????(Financial risk)
????????????????????

Source ???????? ????????
67
????????-???

???(Anonymity)
????,?????????????????
?????(User friendliness)
????????,????????
????(Mobility)
?????????????

Source ???????? ????????
68
???????
Source ???????? ????????
69
???????

?????(???)?????,???????(???)
??????(??)
?????????????????????
????????????,??????????,?????????????
????
?????????????????
????????????????

Source ???????? ????????
70
?????
Source ???????? ????????
71
?????

????????,??????????????,???????
????
???????????????????
??????????(???????????)????????

Source ???????? ????????
72
???????

????????
????
??
??
???????
????????
????
????
????????
??????

Source ???????? ????????
73
????????
???(??)
????(??)
(1) ?????????
(4) ????(??)
(2) ???????? ????
(8) ??
(5) ????
(7) ????
(6) ??
(3) ???????
????? ???????
????
Source ???????? ????????
74
?????????

?????,???????????????
????
??????,??????
?????,?SSL??
????????????????
????????,?SET??
?????????,?????,????

Source ???????? ????????
75
SSL??

SSL??Secure Sockets Layer Protocol
??(Netscape)???1994???
?????????????????,???????????????????
?????(40?128??),??????????????
?????????????(?RSA)???????????

Source ???????? ????????
76
?????????-SSL
Source ???????? ????????
77
????

??
????,????
????,?????????
?????????,??????????
??
????????????????
????????

Source ???????? ????????
78
????????SET
Source ???????? ????????
79
SET ????

SETSecure Electronic Transaction????????
Visa?MasterCard????????????????????,?????????,????
???????,?IBM?HP?Microsoft???????
1996???,1998????????
?????????????????????

Source ???????? ????????
80
SET ????

???(Cardholder)
???SET???????(Electronic Wallet)??????????????????
?
????(Merchant Server)
????(Issuer)
????(Acquirer)
????(Payment Gateway)
?????????
??????(Certificate Authority)
???????,??????,??????

Source ???????? ????????
81
SET ?????
Source ???????? ????????
82
SET ???????

?????????????
????
??????????????????
????
???????(??????)??????
?????????
??????????????????
??????????

Source ???????? ????????
83
SET ??????

?????(Registration)
????CA??,??????????SET??????????????
??????
?CA???????????

Source ???????? ????????
84
SET ??????(?)

????(Purchase Request)??
???????????(???????)
????????????,???????????????
???????????(OI)?????(PI),??PI?????????,???????????
??????OI???,????????,?????????

Source ???????? ????????
85
SET ??????(?)

????(Payment Authority)??
????????????PI?????,?????(Digital
Envelop)??????,????????,??????
????????PI?????????????,????????????
???????,??????????,???????(Capture Token)??????

Source ???????? ????????
86
SET ??????(?)

????(Payment Capture)??
??????????????,??????
????????????,???(??)?????????
?????,????????????,??????

Source ???????? ????????
87
SET ????

??
????,????????????
???????????????,?????????????
???????,????????
??
????????????(PKI)?,????
?????????,????,????
??????????????,????

Source ???????? ????????
88
SET ??????

??????????????????,?????????????????
????
VisaVbV (Verified by Visa)
MasterCardSecureCode
JCBJ/Secure
????
????????????????
??????????,?????????

Source ???????? ????????
89
???????
Source ???????? ????????
90
???

???Smart Card,??IC?????
?????????????,??????????
????????
????
??????,????????
????,?????iCash

Source ???????? ????????
91
??????

???????,????????(????????),??????,??
??????
?????????????????
????????(ATM)??????????(???)?????
???????????????????????,????????????(Loyalty)?????

Source ???????? ????????
92
???(????)

???????????,???????,?????
?????????(?)??,???????????
?????,?????????????,????????
????
??????,?????????????
????????,??????????

Source ???????? ????????
93
??????

??????
???(Stored Value)???(Pre-paid)
????????????,??????????????????????
??
???(????)
????????????
???????,??????????

Source ???????? ????????
94
???????

????Electronic Purse
???????????????????,?????????
????????????,???????
??
????,??????
?????,???????
??????????
???????
?????????????

Source ???????? ????????
95
Outline

1. ISO 27001 ??????????
(ISO 27007 Information Security Management
System)
2. ???????? (Electronic Commerce Security
Framework)
3. ????
(Transaction Security)
4. ??????
(Electronic Payment System)
5. ??????
(Mobile Commerce Security)

96
Mobile Commerce(m-commerce or m-business)

Any business activity conducted over a wireless
telecommunications network or from mobile
devices.

Source Turban et al. (2010),Introduction to
Electronic Commerce, Third Edition, Pearson
97
Source Turban et al. (2010),Introduction to
Electronic Commerce, Third Edition, Pearson
98
Attributes of M-Commerce

Ubiquity
Convenience
Interactivity
Personalization
Localization

Source Turban et al. (2010),Introduction to
Electronic Commerce, Third Edition, Pearson
99
Mobile Computing(wireless mobile computing)

Computing that connects a mobile device to a
network or another computing device, anytime,
anywhere.

Source Turban et al. (2010),Introduction to
Electronic Commerce, Third Edition, Pearson
100
Mobile Financial Applications

Mobile Banking
Mobile Payments

Source Turban et al. (2010),Introduction to
Electronic Commerce, Third Edition, Pearson
101
Mobile Marketing Campaigns

Information (??)
Entertainment (??)
Raffles (??)
Coupons (???)

Source Turban et al. (2010),Introduction to
Electronic Commerce, Third Edition, Pearson
102
Mobile Marketing and Advertising

Building brand awareness
Changing brand image
Promoting sales
Enhancing brand loyalty
Building customer databases
Stimulating mobile word of mouth

Source Turban et al. (2010),Introduction to
Electronic Commerce, Third Edition, Pearson
103
A day with NFC technology
104
A day with NFC technology
Source https//www.youtube.com/watch?v_64mAcOn44
4
105
A day with NFC technology
Source https//www.youtube.com/watch?v_64mAcOn44
4
106
A day with NFC technology
Source https//www.youtube.com/watch?v_64mAcOn44
4
107
A day with NFC technology
Source https//www.youtube.com/watch?v_64mAcOn44
4
108
A day with NFC technology
Source https//www.youtube.com/watch?v_64mAcOn44
4
109
A day with NFC technology
Source https//www.youtube.com/watch?v_64mAcOn44
4
110
Mobile Security Threats

Toll Fraud (????)
Ransomware (????)
Mobile Payments via NFC (NFC ????)

Source http//mcommerce-explorer.blogspot.tw/2013
/03/top-5-mobile-security-threats-2013.html
111
Toll Fraud
Source http//mcommerce-explorer.blogspot.tw/2013
/03/top-5-mobile-security-threats-2013.html
112
Toll Fraud
Source http//mcommerce-explorer.blogspot.tw/2013
/03/top-5-mobile-security-threats-2013.html
113
Ransomware
Source http//en.wikipedia.org/wiki/Ransomware
114
Ransomware
Source http//www.pcworld.com/article/2032767/ran
somware-boosts-credibility-by-reading-victims-brow
sers.html
115
Mobile Payments via NFC

steal your money via the classic "bump and
infect" method, this means that NFC is actually
acting as enabler for theft.

Source http//mcommerce-explorer.blogspot.tw/2013
/03/top-5-mobile-security-threats-2013.html
116
Mobile Payments Security
Source http//www.mobilecommercepress.com/merchan
ts-becoming-conscious-mobile-payments-security/851
1441/
117
Mobile Security Worm Threat Targets Android
Devices
Source http//www.mobilecommercepress.com/mobile-
security-worm-threat-targets-android-devices/85128
23/
118
NFC
Source http//www.elatec-cards.com/products/telec
om/nfc/nfc-sim-cards/
119
Mobile Commerce Security
4
Requests and processes payment authorization from
PSP
Payment service provider (PSP)
Secured mobile
Internet network
Firewall
Merchant server
1
2
3
Validates unique inbound mobile transaction
fingerprint
Transmits encrypted transaction from mobile to
server
Generate a unique fingerprint for every
transaction
Bank
Source http//ecommercesecurity.co.uk/
120
References

Turban et al. (2010), Introduction to Electronic
Commerce, Third Edition, Pearson
???????? ????????

121
Tamkang University
Q A
Electronic Commerce Transaction
Security(????????)
??2014/7/03 (?) 14001700????????????R0111???
(???????????318?1?)
Min-Yuh Day ??? Assistant Professor ?????? Dept.
of Information Management, Tamkang
University ???? ?????? http//mail.
tku.edu.tw/myday/ 2014-07-03

Write a Comment

User Comments (0)