Reasons for Not Buying Online

  Reason                   All   Students
  privacy/security         31%   28%
  less customer service    28%   22%
  not interactive enough    9%   15%
  high prices               8%   11%
  can't feel product        4%    4%

Source: Ahuja, Gupta, Raman (2003); see table at end of report
Need for Security
- "Internet is inherently insecure"
- "crimes can be committed remotely"
- very little evidence for prosecutors to use
- "programs automate hacking"
from Ghosh, 1998
Identity Theft
- 9.9 million identity fraud victims in 2008
- usually not directly related to E-Commerce: email requests for information ("phishing") rather than web site security failures
- women were 26 percent more likely to be victims of identity fraud than men
Key Security Issues (PAIN)
- privacy - messages not read in transit
- authentication - be sure of identity of seller (possibly buyer also)
- integrity - messages not changed in transit
- nonrepudiation - neither buyer nor seller can deny they received a message
PAIN Security Issue Examples
- Privacy (not intercepted): message from A to B doesn't go to C also
- Authentication (not "spoofed"): message from C doesn't look like it's from A
- Integrity (not modified in transit): A's message not modified by C before B sees it
- Nonrepudiation (can't be denied): B can't say message from A not received, and A can't say response from B not received
Public Key Cryptography
- public key given to anybody, e.g. on e-mail signature; can find whole public keys at keyserver.net (was down today)
- public key created from private key
- private key is kept secret
- a shorter public "fingerprint" can be created
- software uses a public key to encode data; must have private key to decode message
Pretty Good Privacy (PGP)
- uses public key cryptography
- free 30-day trial version; GnuPG is a freeware replacement
- don't lose your keys!
- government filed lawsuit against author
- corporate products for business security: e-mail, file transfer, etc., electronic commerce
Digital Certificate
- key element in most security schemes
- adds an attachment to an electronic message that verifies the identity of sender
- provides key to receiver to encode reply
- issued by a "certificate authority" (CA), which confirms identity of person/organization
Certificate Authority
- trusted 3rd party (not buyer or seller); usually a bank, credit card company, etc.
- issues digital certificates
- creates digital signatures and public/private key pairs
- guarantees identity of certificate holder
Some Certificate Authorities
- Verisign
- Thawte (21 day free trial)
- InstantSSL (free certificate, but have to subscribe to a Root Authority later); guide to use
S/MIME
- secure extension to MIME specification
- Multipurpose Internet Mail Extensions is the standard that makes it possible to include images, HTML formatting etc. in email
- built into many email readers: Outlook, Outlook Express, Apple Mail, etc.
- MIME security problems in past
OpenPGP
- nonproprietary protocol for encrypting email and messages
- can be used by any company without paying licensing fees
- bought back from Network Associates in 2002
- offers an alternative to S/MIME; some vendors are implementing both in their software
Image Recognition Tests
- CAPTCHA - completely automated public Turing test to tell computers and humans apart
- designed to foil software programs (bots) that get data from web sites
- very difficult for software to identify characters but not so hard for humans
- email unsubscribe example
Security Protocols and Systems
- SSL - secure sockets layer
- SET - secure electronic transactions
- Cybercash
SSL - Secure Sockets Layer
- from Netscape, built into their browsers
- uses public key cryptography: 40 or 128 bit keys (every extra bit doubles the security, e.g., 10 bits more = x 1000)
- authenticates that data comes from URL address requested by user, not from another site pretending to be that site
- ensures that data isn't changed in transit
Secure Sockets Layer - 2
- need to enable and configure SSL on server: Netscape server or using Netscape's SSLRef program library; an ISP can handle this for you
- need to identify specific pages requiring SSL access: web address starts with https (S is for secure; see Blackboard login, etc.); web page author implements this
Secure Sockets Layer - 3
- need to get a "certificate"; certificate proves identity of your company
- Verisign charges $399 for retail sites (40 bits, 1 year, $100,000 loss coverage)
- search for organizations with certificates
- certificates not popular with consumers; use passwords instead on your site to verify customers' identities
Secure Sockets Layer - 4
- advantages: established in marketplace; relatively inexpensive; doesn't require anything special from user
- disadvantage: extra processing slows down server
Microsoft's Windows Live ID
- formerly called Passport Network
- electronic "wallet" for card number, name, address and other information
- automates purchase: user doesn't have to type in much information
- free to consumers
- .NET Passport supposedly has a lot of users; have to sign up to use new MS software
- eBay stopped accepting it at end of 2004; do you know anybody actually using it?
- security problem in 2003
- Microsoft also used to offer a Kids Passport for parental control of release of information
Liberty Alliance
- an alternative to Microsoft's proprietary approach to Passport
- participating organizations can maintain their own data rather than letting Microsoft hold it
- is an "open standards" approach
- currently emphasizing preventing identity theft
Cybercash
- concept was to make it possible to get a little bit of money from a lot of customers: 1¢ x 1 million customers = $10,000
- up to this point, can't cost effectively process lots of very small transactions
- PayPal doesn't handle really small transactions, but is strong in this niche
PayPal
- lets users pay by email
- strong relationship with E-Bay (online auctions), then bought by E-Bay
- handles eighteen currencies worldwide; 50 million accounts
- free personal use, but businesses receiving payments are charged a fee: fixed 30 cents and 1.9-2.9 % of amount
PayPal Vulnerabilities?
- use by organized crime led to fines and being prohibited for a while in some states
- at one time could be hacked so that buyers could reduce item prices or get software for free
- one vendor is selling a proposed solution to the above vulnerabilities
Mobile Payments
- buy things via a mobile device, using cell phone number as password
- usually involve "virtual goods": music, games, etc.
- very cheap when sold in large volumes; typically sell for around $2 or less
- phone carrier may get up to half of cost
- Investors Bet on Payments via Cellphone
Common E-Commerce Security Vulnerabilities
- SQL injection attack includes SQL syntax characters (e.g., single quote) or keywords in user inputs
- error messages may reveal ways to access restricted pages
- Guess.com and Petco.com sites were found to be vulnerable to such attacks
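Added example (not from the slides): a product search written two ways against a constructed in-memory SQLite table. The first splices the search box text into the SQL string, so a single quote in the input becomes SQL syntax and the `restricted` filter can be bypassed; the second binds the input as a parameter, so the same text is only ever compared as data. The table, product names and the `restricted` column are assumptions for the demo.

```python
import sqlite3

def make_db():
    # Constructed catalogue: one row is flagged restricted and must never be returned by search.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, restricted INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(1, "jeans", 0), (2, "dog food", 0), (3, "internal price list", 1)])
    return conn

def search_vulnerable(conn, keyword):
    # Input is concatenated into the query text: a quote character in `keyword`
    # closes the string literal and the rest of the input is parsed as SQL.
    sql = ("SELECT name FROM products WHERE restricted = 0 "
           "AND name LIKE '%" + keyword + "%' ORDER BY id")
    return [row[0] for row in conn.execute(sql)]

def search_safe(conn, keyword):
    # Bound parameter: the driver passes the value separately from the statement,
    # so quotes and keywords in the input can only match product names literally.
    sql = "SELECT name FROM products WHERE restricted = 0 AND name LIKE ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, ("%" + keyword + "%",))]

def looks_like_injection(keyword):
    # Cheap logging/alerting signal: SQL syntax characters in a free-text search field.
    return any(tok in keyword for tok in ("'", ";", "--", "/*"))

if __name__ == "__main__":
    db = make_db()
    # Constructed input containing a single quote, as the slide describes.
    probe = "x%' OR restricted = 1 OR name LIKE '%"
    print("vulnerable:", search_vulnerable(db, probe))   # restricted row appears
    print("parameterized:", search_safe(db, probe))      # no product has that name
    print("flag for review:", looks_like_injection(probe))
```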
Security Vulnerabilities - 2
- total cost of order can be reduced
- payment confirmation page holds total cost in an HTML hidden field
- a "web application proxy" can change the data sent back to the server, so that when user confirms transaction, the amount is less than actual cost (free web application proxy security tool)
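Added example (not from the slides) of the server-side fix for the hidden-field problem: the amount to charge is recomputed from the server's own price list, and the total echoed back from the confirmation page is only compared against it so that a tampered value is rejected and can be logged. The catalogue, SKUs and prices are constructed for the demo.

```python
from decimal import Decimal, InvalidOperation

# Constructed server-side price list; the browser never supplies prices, only SKUs and quantities.
CATALOGUE = {"jeans": Decimal("39.99"), "dog-food": Decimal("12.50")}

class TamperedOrder(Exception):
    """Raised when the submitted order does not match what the server computes."""

def server_total(cart):
    # cart maps SKU -> quantity. Unknown SKUs and non-positive or non-integer
    # quantities are rejected rather than silently priced at zero.
    total = Decimal("0.00")
    for sku, qty in cart.items():
        if sku not in CATALOGUE or not isinstance(qty, int) or qty <= 0:
            raise TamperedOrder(f"invalid line item {sku!r} x {qty!r}")
        total += CATALOGUE[sku] * qty
    return total

def confirm_order(cart, submitted_total):
    # submitted_total is the hidden-field value posted back by the client (possibly
    # altered by a proxy). It is used only as a consistency check, never as the charge.
    expected = server_total(cart)
    try:
        claimed = Decimal(str(submitted_total))
    except InvalidOperation:
        raise TamperedOrder(f"unparseable client total {submitted_total!r}")
    if claimed != expected:
        raise TamperedOrder(f"client total {claimed} != server total {expected}")
    return expected

if __name__ == "__main__":
    cart = {"jeans": 2, "dog-food": 1}
    print("charged:", confirm_order(cart, "92.48"))
    try:
        confirm_order(cart, "0.01")   # what a modified hidden field would send
    except TamperedOrder as e:
        print("rejected:", e)
```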
Security Vulnerabilities - 3
- buffer overflows (e.g., caused by pasting a lot of text [6000+ bytes] into a text box) may print error messages that reveal path to specific code functions that can be used to hack into sites
Security Vulnerabilities - 4
- cross-site scripting inserts script (e.g., JavaScript) into text that is sent back to a new web page
- for example, a search engine sends the keywords back with the results page
- script could be used to get information from a cookie on user's machine
- or user might be redirected to a "phishing" web site and asked for password
Exercise
- test some online forms: eCommerce, mortgage refinancing, etc.
- include "special characters" in inputs: ' (single quote), " (double), < (HTML), <% (ASP), <? (XML), \ (escape), +, ? or * (wild card characters), & (concatenation), @ (email or compiler directive), others?
- report back on what happened
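Added example (not from the slides) covering both the cross-site scripting slide and the exercise: the search-results page from the XSS example, written once reflecting the keywords verbatim and once HTML-escaping them, plus a small harness that runs the exercise's special-character list through the escaper and reports which characters it changes. The page template is an assumption; only the character list comes from the slides.

```python
import html
from urllib.parse import quote

# Probe list taken from the exercise slide.
PROBE_CHARS = ["'", '"', "<", "<%", "<?", "\\", "+", "?", "*", "&", "@"]

def results_page_vulnerable(keywords):
    # Keywords dropped straight into the HTML: any markup they contain is parsed by the browser.
    return f"<h1>Results for {keywords}</h1>"

def escape_for_html_text(s):
    # html.escape with quote=True rewrites < > & " ' as entities, so reflected text
    # can neither open a tag nor break out of an attribute value.
    return html.escape(s, quote=True)

def results_page_safe(keywords):
    # Escape for the HTML text context; percent-encode for the URL context of the link.
    safe = escape_for_html_text(keywords)
    return (f"<h1>Results for {safe}</h1>"
            f'<a href="/search?q={quote(keywords)}">search again</a>')

def probe_escaper():
    # Which exercise characters does the escaper rewrite, and into what?
    # The others pass through because they carry no meaning in an HTML text node
    # (they still matter in other contexts, e.g. SQL or shell).
    return {c: escape_for_html_text(c) for c in PROBE_CHARS if escape_for_html_text(c) != c}

if __name__ == "__main__":
    # Constructed input that is markup rather than a search term.
    probe = "<script>probe()</script>"
    print(results_page_vulnerable(probe))   # script tag reaches the browser intact
    print(results_page_safe(probe))         # rendered as literal text
    print(probe_escaper())
```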
References
- Ahuja, A., Gupta, B., and Raman, P., "An Empirical Investigation of Online Consumer Purchasing Behavior," Communications of the ACM, December 2003, pp. 145-151.
- Dembeck, C., "Online Credit Card Security Fears Waning, But Still a Factor," E-Commerce Times, March 8, 2000.
- Ghosh, A. K., "Security in Internet Electronic Commerce," invited presentation to Defending Cyberspace '98, September 24, 1998, Washington, D.C.
- Internet Marketing Center, "Enabling Technologies: Encryption Overview," Internet Marketing Center.
- Mookey, K. H., "Common Security Vulnerabilities in e-commerce Systems," Security Focus, April 26, 2004.