Security of Online Transactions


  • 8/7/2019 Security of Online Transactions

    1/46

    Online Credit Card Transactions

    Online Shopping

    Electronic Business

    Automatic Teller Machines

    L1F09MSCS0023

    Sumaira Anwar


    Over the years, credit cards have become one of the most common forms of payment for online transactions.


    1. A transaction begins when a credit card account number is entered into the system manually by either the merchant or the cardholder. This enters the transaction information into the Processor's network.

    2. An Authorization Request is generated.

    3. The Processor links up with the Visa/MasterCard network in order to transmit the Authorization Request to the Issuing Bank's computer network.

    4. The Issuing Bank verifies that a valid credit card number has been received and that the Cardholder has enough money available to fund the transaction.

    5. A hold for that amount is placed against the Cardholder's Open-to-Buy, thereby reducing the amount of his or her Open-to-Buy for future transactions.

    6. Once the approval is received, a Deposit Transaction is transmitted which finalizes the transaction. The merchant then releases the items purchased by the Cardholder.

    7. The Net Settlement Amount is deposited to the Merchant's account, usually by the end of the same business day.
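The seven steps above, as an added Go example that is not part of the original slides: a minimal issuer-side model of authorization, the Open-to-Buy hold, a single deposit per approval, and net settlement. The card number, its starting credit and the fee rate passed to NetSettlement are constructed assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// Issuer models the issuing bank's side of steps 3 to 7 with constructed account data.
type Issuer struct {
	openToBuy map[string]int // valid card number -> available credit in cents
	holds     map[string]int // approval code -> held amount awaiting deposit
	next      int
}

func NewIssuer() *Issuer {
	return &Issuer{
		openToBuy: map[string]int{"4111111111111111": 10000}, // constructed test card
		holds:     map[string]int{},
	}
}

func (b *Issuer) OpenToBuy(pan string) int { return b.openToBuy[pan] }

// Authorize validates the card number and available credit (step 4), then
// places a hold that immediately reduces Open-to-Buy (step 5).
func (b *Issuer) Authorize(pan string, amount int) (string, error) {
	otb, ok := b.openToBuy[pan]
	if !ok {
		return "", errors.New("declined: unknown card number")
	}
	if amount <= 0 || amount > otb {
		return "", errors.New("declined: amount exceeds Open-to-Buy")
	}
	b.openToBuy[pan] = otb - amount
	b.next++
	code := fmt.Sprintf("A%04d", b.next)
	b.holds[code] = amount
	return code, nil
}

// Deposit finalizes an approved hold exactly once (step 6); a second deposit
// against the same approval code is rejected rather than charged twice.
func (b *Issuer) Deposit(code string) (int, error) {
	amount, ok := b.holds[code]
	if !ok {
		return 0, errors.New("no open hold for approval code " + code)
	}
	delete(b.holds, code)
	return amount, nil
}

// NetSettlement is what reaches the merchant (step 7) after the processor's
// discount fee; the fee, in basis points, is this example's assumption.
func NetSettlement(gross, feeBasisPoints int) int {
	return gross - gross*feeBasisPoints/10000
}

func main() {
	b := NewIssuer()
	code, _ := b.Authorize("4111111111111111", 5000)
	fmt.Println(b.Deposit(code))
}
```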


    First Virtual was one of the first Internet payment systems to be available to the public, becoming fully operational in October of 1994. The main goal of this company was to create an Internet payment system that was easy to use. Neither buyers nor sellers are required to install new software (though automated sale processing software is available). If you have access to Internet email, you can sell or buy over the Internet using the First Virtual System.

    The First Virtual payment system is unique in that it does not use encryption. The fundamental philosophy of their payment system is that certain information should not travel over the Internet because it is an open network. This includes credit card numbers. Instead of using credit card numbers, transactions are done using a First Virtual PIN which references the buyer's First Virtual account. These PIN numbers can be sent over the Internet because even if they are intercepted, they cannot be used to charge purchases to the buyer's account. A person's account is never charged without email verification from them accepting the charge.


    CyberCash has been servicing credit card transactions over the Internet since April 1995. It has strong ties to the current credit card processing infrastructure, through Bill Melton, a founder of Verifone, as one of its fathers. The use of their payment system has grown tremendously over a year. CyberCash claims that they process thousands of transactions a day, that they can send payment transactions to 8 % of the banks in America, and that they have distributed over 4 , copies of CyberCash Wallet software to buyers who use their system.

    It is important to note that CyberCash is not a credit card processing company. Unlike First Virtual, they do not transfer funds into the merchant's account. CyberCash sells safe passage over the Internet for credit card transaction data. They take the data that is sent to them from the merchant, and pass it to the merchant's acquiring bank for processing. Except for dealing with the merchant through CyberCash's server, the acquiring bank processes the credit card transaction as they would process transactions received through a point of sale (POS) terminal in a retail store.


    Secure Electronic Transactions (SET) is an open protocol which has the potential to emerge as a dominant force in the securing of electronic transactions. Jointly developed by Visa and MasterCard, SET is an open standard for protecting the privacy, and ensuring the authenticity, of electronic transactions. Without privacy, consumer protection cannot be guaranteed, and without authentication, neither the merchant nor the consumer can be sure that valid transactions are being made.

    The SET protocol relies on two different encryption mechanisms, as well as an authentication mechanism. SET uses symmetric encryption, in the form of the Data Encryption Standard (DES), as well as asymmetric, or public-key, encryption to transmit session keys for DES transactions.

    In the SET protocol, two different encryption algorithms are used: DES and RSA.


    Authentication is an important issue. Consumers must have faith in the authenticity of the merchant, and merchants must have faith in the authenticity of the consumer. Authentication is critical to achieving trust in electronic commerce.

    Authentication is achieved through the use of digital signatures. Using a hashing algorithm, SET can sign a transaction using the sender's private key. This produces a small message digest, which is a series of values that "sign" a message. By comparing the transaction message and the message digest, along with the sender's public key, the authenticity of the transaction can be verified. Digital signatures are aimed at achieving the same level of trust as a written signature has in real life. This helps achieve non-repudiation, as the consumer cannot later establish that the message wasn't sent using his private key.
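To make the SET description concrete, this added Go example (not code from SET, Visa or MasterCard) builds a digital envelope of the kind the slides above describe: the transaction is encrypted with a random DES session key, that key is transported under the receiver's RSA public key, and a signature over the transaction's digest lets the receiver check authenticity with the sender's public key. SHA-256, 2048-bit RSA keys and CFB mode are this example's choices, not the protocol's.

```go
package main

import (
	"crypto"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Envelope is what the sender transmits: the transaction under a DES session key, that
// key wrapped with the receiver's RSA public key, and the sender's signature over the digest.
type Envelope struct{ IV, Ciphertext, WrappedKey, Signature []byte }

// GenerateKey makes a 2048-bit RSA key pair (the size is this example's choice).
func GenerateKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Seal signs the digest with the sender's private key, encrypts the transaction with a fresh
// DES session key (CFB, so no padding) and wraps that key for the receiver. DES is used only
// because the text describes it; a current design would use AES or an AEAD mode.
func Seal(tx []byte, sender *rsa.PrivateKey, receiver *rsa.PublicKey) (*Envelope, error) {
	digest := sha256.Sum256(tx)
	sig, err := rsa.SignPKCS1v15(rand.Reader, sender, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	kiv := make([]byte, 8+des.BlockSize) // random 8-byte DES key followed by the IV
	if _, err := rand.Read(kiv); err != nil {
		return nil, err
	}
	block, _ := des.NewCipher(kiv[:8]) // cannot fail: the key is exactly 8 bytes
	ct := make([]byte, len(tx))
	cipher.NewCFBEncrypter(block, kiv[8:]).XORKeyStream(ct, tx)
	wrapped, err := rsa.EncryptPKCS1v15(rand.Reader, receiver, kiv[:8])
	if err != nil {
		return nil, err
	}
	return &Envelope{IV: kiv[8:], Ciphertext: ct, WrappedKey: wrapped, Signature: sig}, nil
}

// Open unwraps the session key, decrypts, and verifies the signature with the
// sender's public key; any change to ciphertext, key or signature is rejected.
func Open(e *Envelope, receiver *rsa.PrivateKey, sender *rsa.PublicKey) ([]byte, error) {
	key, err := rsa.DecryptPKCS1v15(rand.Reader, receiver, e.WrappedKey)
	if err != nil {
		return nil, err
	}
	block, err := des.NewCipher(key) // fails if the unwrapped key is not 8 bytes
	if err != nil {
		return nil, err
	}
	tx := make([]byte, len(e.Ciphertext))
	cipher.NewCFBDecrypter(block, e.IV).XORKeyStream(tx, e.Ciphertext)
	digest := sha256.Sum256(tx)
	if rsa.VerifyPKCS1v15(sender, crypto.SHA256, digest[:], e.Signature) != nil {
		return nil, errors.New("signature does not verify: message or signature altered")
	}
	return tx, nil
}
```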


    Credit Card Fraud Payment

    With the increase in electronic commerce on the Internet, the use of credit cards for purchases has become convenient and necessary. However, frauds in credit card payments are also on the increase, which is a worrying trend.

    The credit card transaction provides more opportunities for thieves to steal credit card numbers and commit fraud. Due to the fraud, the genuine customer incurs loss of money. Proactive business owners are seized with this problem and are actively educating their customers on detecting fraudulent credit card payments.

    Credit card fraud is one of the major risks faced by businesses nowadays. A recent survey says that there is an increase in online crime, or Internet fraud. The hardest hit are the mid-size and smaller companies, which have lost over .5 % of online sales due to fraud.


    Fraudulent payments can be detected more easily thanks to recent improvements in electronic commerce:

    - increasingly sophisticated encryption systems
    - verification services
    - transaction processing technology


    Address Verification Service

    The AVS, or address verification service, is used to determine that the address provided by a customer matches the address associated with a credit card account.


    Card Verification Value

    The CVV, or card verification value, sometimes referred to as the CVV-2, is a three to four digit number found on the back of MasterCard and Visa cards. It's on the card but not on any statements, so that if an individual has found a credit card statement in the trash, they aren't able to complete a sale that requires the CVV code for verification purposes. Knowing the CVV usually means that the cardholder is in physical possession of the credit card and not just using a stolen number that they got from somewhere.


    Online shopping is the process whereby consumers directly buy goods or services from a seller in real-time, without an intermediary service, over the Internet. If an intermediary service is present, the process is called electronic commerce.


    Convenience: Online stores are usually available 24 hours a day, and many consumers have Internet access both at work and at home.

    Information and reviews: Online stores must describe products for sale with text, photos, and multimedia files.

    Price and selection: One advantage of shopping online is being able to quickly seek out deals for items or services with many different vendors, and you can make online price comparisons.


    Fraudand security concerns

    Given the lack of ability to inspect merchandise before purchase, consumers are at higher risk of fraud on the part of the merchant than in a physical store. Merchants also risk fraudulent purchases using stolen credit cards or fraudulent repudiation of the online purchase.


    Identity theft is still a concern for consumers when hackers break into a merchant's web site and steal names, addresses and credit card numbers.


    Use identity theft protection services and keep criminals from sending you into financial ruin:

    - LifeLock
    - ProtectMyID
    - IDENTITY GUARD
    - TrustedID
    - IdentityTruth
    - Debix
    - ID Watchdog
    - Equifax ID Patrol
    - Intelius IDWatch
    - IDarmor


    Phishing is another danger, where consumers are fooled into thinking they are dealing with a reputable retailer, when they have actually been manipulated into feeding private information to a system operated by a malicious party. Denial of service attacks are a minor risk for merchants, as are server and network outages.


    One solution to phishing attacks of any kind is to purchase 'password-protection software.' Software like RoboForm stores all your login information on your computer, in a file protected by a master password. Once you log in to RoboForm, it takes one click to log in to a password-protected website. The software generates passwords randomly, so you can be certain you have a different password for every site.

    It looks like, while tabnabbing can be exploited by hackers, there are preventative forces at work to catch them before they can take tabnabbing to another level. Now, that's the kind of preemptive strike that works in our favor: catching the phisher before he catches you!


    Stick with known stores, or attempt to find independent consumer reviews of their experiences; also ensure that there is comprehensive contact information on the website before using the service, and note whether the retailer has enrolled in industry oversight programs such as a trust mark or trust seal.

    Before buying from a new company, evaluate the website by considering issues such as: the professionalism and user-friendliness of the site; whether or not the company lists a telephone number and/or street address along with e-contact information; whether a fair and reasonable refund and return policy is clearly stated; and whether there are hidden price inflators, such as excessive shipping and handling charges.

    Ensure that the retailer has an acceptable privacy policy posted. For example, note if the retailer does not explicitly state that it will not share private information with others without consent.


    Electronic business

    The most basic definition of e-business is simply this: using the internet to connect with customers, partners, and suppliers.

    To engage in e-business, companies need to be able to unlock data in their back-end computer systems, so they can share information and conduct electronic transactions with customers, partners, and suppliers via the internet.


    E-business systems naturally have greater security risks than traditional business systems; therefore it is important for e-business systems to be fully protected against these risks. A far greater number of people have access to e-businesses through the internet than would have access to a traditional business. Customers, suppliers, employees, and numerous other people use any particular e-business system daily and expect their confidential information to stay secure.


    Privacy andconfidentiality

    Authenticity

    Data integrity

    Non-repudiation

    Access control

    Availability


    Many different forms of security exist for e-businesses. Some general security guidelines include areas in physical security, data storage, data transmission, application development, and system administration.


    Despite e-business being business done online, there are still physical security measures that can be taken to protect the business as a whole. Even though business is done online, the building that houses the servers and computers must be protected and have limited access to employees and other persons. For example, this room should only allow authorized users to enter, and should ensure that windows, dropped ceilings, large air ducts, and raised floors do not allow easy access to unauthorized persons.


    Storing data in a secure manner is very important to all businesses, but especially to e-businesses where most of the data is stored in an electronic manner. Data that is confidential should not be stored on the e-business' server, but instead moved to another physical machine to be stored. If possible, this machine should not be directly connected to the internet, and should also be stored in a safe location. The information should be stored in an encrypted format.


    All sensitive information being transmitted should be encrypted. Businesses can opt to refuse clients who can't accept this level of encryption. Confidential and sensitive information should also never be sent through e-mail. If it must be, then it should also be encrypted.

    Transferring and displaying secure information should be kept to a minimum. This can be done by never displaying a full credit card number, for example.


    Security on default operating systems should be increased immediately. All system configuration changes should be kept in a log and promptly updated.

    System administrators should keep watch for suspicious activity within the business by inspecting log files and researching repeated logon failures. They can also audit their e-business system and look for any holes in the security measures. It is important to make sure plans for security are in place, but also to test the security measures to make sure they actually work.
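Researching repeated logon failures, as an added Go example that is not from the original slides: it parses constructed log lines (the line format is an assumption for this example) and flags any source address that reaches a threshold of failed logons inside a sliding time window, while ignoring successful logons and unrelated entries.

```go
package main

import (
	"sort"
	"strings"
	"time"
)

// SampleLog is constructed for this example, not the output of any real system:
// 10.0.0.5 fails four times in seven seconds; 192.168.1.9 fails twice, an hour apart.
const SampleLog = `2019-08-07T09:00:01Z LOGIN FAIL user=alice src=10.0.0.5
2019-08-07T09:00:03Z LOGIN FAIL user=alice src=10.0.0.5
2019-08-07T09:00:05Z LOGIN FAIL user=admin src=10.0.0.5
2019-08-07T09:00:08Z LOGIN FAIL user=root src=10.0.0.5
2019-08-07T09:02:00Z LOGIN OK user=bob src=192.168.1.9
2019-08-07T10:00:00Z LOGIN FAIL user=bob src=192.168.1.9
2019-08-07T11:00:00Z LOGIN FAIL user=bob src=192.168.1.9`

const DefaultWindow = 5 * time.Minute

// ParseFailure returns the time and source of a failed logon line; successes and
// lines in other formats yield ok=false and are skipped by the caller.
func ParseFailure(line string) (at time.Time, src string, ok bool) {
	f := strings.Fields(line)
	if len(f) != 5 || f[1] != "LOGIN" || f[2] != "FAIL" {
		return time.Time{}, "", false
	}
	at, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return time.Time{}, "", false
	}
	return at, strings.TrimPrefix(f[4], "src="), true
}

// RepeatedFailures returns, for every source that reached threshold failed
// logons inside some window of the given length, the peak count observed.
func RepeatedFailures(log string, threshold int, window time.Duration) map[string]int {
	times := map[string][]time.Time{}
	for _, line := range strings.Split(log, "\n") {
		if at, src, ok := ParseFailure(line); ok {
			times[src] = append(times[src], at)
		}
	}
	alerts := map[string]int{}
	for src, ts := range times {
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		start, peak := 0, 0
		for end := range ts { // two-pointer sliding window over sorted times
			for ts[end].Sub(ts[start]) > window {
				start++
			}
			if end-start+1 > peak {
				peak = end - start + 1
			}
		}
		if peak >= threshold {
			alerts[src] = peak
		}
	}
	return alerts
}
```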


    When it comes to security solutions, there are some main goals that are to be met. These goals are data integrity, strong authentication, and privacy.


    To protect themselves against attacks, organizations have traditionally implemented a variety of technologies at the network boundary. These include:

    Firewalls: aimed at excluding attackers by admitting only certain types of network traffic.

    Intrusion detection systems: monitor the network or specific resources for anomalies such as the presence of unauthorized traffic.

    Filters: remove viruses before they spread to thousands of desktops.

    Encryption: transforming texts or messages into a code which is unreadable.


    Digital certificates

    The point of a digital certificate is to identify the owner of a document. This way the receiver knows that it is an authentic document.

    Digital signatures

    If a document has a digital signature on it, no one else is able to edit the information without being detected. In order to use a digital signature, one must use a combination of cryptography and a message digest.


    Security, as it relates to ATMs, has several dimensions. ATMs also provide a practical demonstration of a number of security systems and concepts operating together and how various security concerns are dealt with.


    Early ATM security focused on making the ATMs invulnerable to physical attack; they were effectively safes with dispenser mechanisms. A number of attacks on ATMs resulted, with thieves attempting to steal entire ATMs.


    Another attack method, plofkraak, is to seal all openings of the ATM with silicone and fill the vault with a combustible gas, or to place an explosive inside, attached, or near the ATM. This gas or explosive is ignited and the vault is opened or distorted by the force of the resulting explosion and the criminals can break in.


    The security of ATM transactions relies mostly on the integrity of the secure cryptoprocessor: the ATM often uses commodity components that are not considered to be "trusted systems". Encryption of personal information, required by law in many jurisdictions, is used to prevent fraud. Sensitive data in ATM transactions are usually encrypted with DES, but transaction processors now usually require the use of Triple DES.


    A Message Authentication Code (MAC) or partial MAC may also be used to ensure messages have not been tampered with while in transit between the ATM and the financial network.
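An added Go example, not from the original slides or any ATM vendor, of the MAC described above: a Triple DES CBC-MAC over a constructed host message, truncated to a 4-byte partial MAC, with a constant-time check that rejects any altered field or a wrong key. The key value and the message field layout are constructed for the example.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/subtle"
	"errors"
)

// DemoKey is a constructed 24-byte Triple DES key for this example. In a real
// ATM the MAC key exists only inside the secure cryptoprocessor, never in code.
var DemoKey = []byte("example-3des-mac-key-24b")

// DemoMessage is a constructed host request; the field layout is illustrative only.
var DemoMessage = []byte("0200|PAN=4111111111111111|AMT=000010000|TERM=ATM0001|SEQ=000042")

// CBCMAC computes a Triple DES CBC-MAC: the message is padded (0x80 then zeros,
// ISO/IEC 9797-1 padding method 2), CBC-encrypted under a zero IV, and only the
// final 8-byte block is kept as the tag. Plain CBC-MAC is only safe for messages
// of one fixed length; variable-length traffic needs CMAC or HMAC instead.
func CBCMAC(key, msg []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(key) // requires a 24-byte key
	if err != nil {
		return nil, err
	}
	padded := append(append([]byte{}, msg...), 0x80)
	for len(padded)%des.BlockSize != 0 {
		padded = append(padded, 0x00)
	}
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, make([]byte, des.BlockSize)).CryptBlocks(out, padded)
	return out[len(out)-des.BlockSize:], nil
}

// PartialMAC keeps only the leading n bytes of the full tag, as the text's
// "partial MAC"; 4 bytes is a common choice on the wire.
func PartialMAC(key, msg []byte, n int) ([]byte, error) {
	if n < 1 || n > des.BlockSize {
		return nil, errors.New("partial MAC length must be 1..8 bytes")
	}
	tag, err := CBCMAC(key, msg)
	if err != nil {
		return nil, err
	}
	return tag[:n], nil
}

// Verify recomputes the tag for the received message and compares it in
// constant time, so a changed amount, PAN or sequence number is rejected.
func Verify(key, msg, tag []byte) bool {
	want, err := PartialMAC(key, msg, len(tag))
	return err == nil && subtle.ConstantTimeCompare(want, tag) == 1
}
```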


    There have also been a number of incidents of fraud by man-in-the-middle attacks, where criminals have attached fake keypads or card readers to existing machines. These have then been used to record customers' PINs and bank card information in order to gain unauthorized access to their accounts. Various ATM manufacturers have put in place countermeasures to protect the equipment they manufacture from these threats.


    Openings on the customer side of ATMs are often covered by mechanical shutters to prevent tampering with the mechanisms when they are not in use. Alarm sensors are placed inside the ATM and in ATM servicing areas to alert their operators when doors have been opened by unauthorized personnel. Rules are usually set by the government or ATM operating body that dictate what happens when integrity systems fail. Depending on the jurisdiction, a bank may or may not be liable when an attempt is made to dispense a customer's money from an ATM and the money either gets outside of the ATM's vault, or was exposed in a non-secure fashion, or they are unable to determine the state of the money after a failed transaction.