An Investigation into E-Commerce Frauds and their Security Implications • By Kevin Boardman • Supervisor: John Ebden • 1 November 2004
About me • Joint Computer Science and Information Systems Honours. • Interest in computer security and its implications in e-commerce. • Email: g01b0633@campus.ru.ac.za
Definition of project in one sentence • An investigation into e-commerce frauds, and how they are best avoided by internet merchants.
What is E-commerce? • “E-commerce focuses on the electronic exchange of information using information and telecommunications infrastructures to perform a wide range of commercial activities that can be divided into business-to-consumer and business-to-business sectors” - Hutchinson and Warren [2003] • This project focuses on the business-to-consumer sector.
Importance of E-Commerce • Electronic commerce is a “strategic imperative for most competitive organisations today as it is a key to finding new sources of revenue, expanding into new markets, reducing costs, and creating breakaway business strategies” - VeriSign [2004]
E-Commerce statistics • General increase in the use of e-commerce around the world. • The number of online banking accounts in South Africa grew by 28% to 1.04 million in the last year; growth is expected to reach 30% in 2004. • 17 percent of Americans used online banking services by the end of 2002, and this figure is projected to keep growing by 14 percent up to the end of 2007. • US online retail revenue is projected to increase from $47.8 billion in 2002 to $130.3 billion in 2005.
Fraud statistics • Fraud complaints in the US rose by around two-thirds from 2001 to 2002, according to the Federal Trade Commission (FTC). • The cost of fraud in 2002 was more than double that of 2001.
Result of combination of statistics • “Hacker cleans out bank accounts.” • “Hundreds of thousands of rands stolen via Internet from Absa clients.” • Who covers the costs? Irreversible damage to Absa’s image. • “New security fears for web banking” • “Major online credit card theft exposed” • Why are these breaches still taking place?
My Approach • Identify types of threats, types of attacks, methods of attack and opportunities for attack in the e-commerce transaction. • Identify requirements of secure e-commerce and mechanism used to secure e-commerce. • Critically analyse e-commerce security mechanisms • Analyse e-commerce fraud case studies • Formulate options and recommendations for securing e-commerce.
Threats • Vandalism and sabotage – defacing a web site • Denial of service – flooding a service • Breach of privacy or confidentiality – disclosure of personal information • Theft and fraud – theft and use of a credit card number • Violation of data integrity – changing an order’s delivery address • Repudiation – denying that a transaction took place
Securing E-Commerce • Three fronts: • 1. Merchant – the system offering the service: web server and OS; firewalls and encrypted data stores • 2. Transport – the channel between the client and the merchant: protocols (SSL, SET) • 3. Client – the system accessing the service: difficult to secure and control
E-commerce Security Requirements • Four basic security requirements of e-commerce transactions: • Authentication – proof of identity • Confidentiality – keeping data “secret” • Data integrity – ensuring data is not altered by an unauthorised entity while in transit • Non-repudiation – preventing a person or entity from denying an action
Mechanisms used to secure e-commerce • SSL • Payment protocols • Pseudo card numbers • Used in combination with passwords, tokens, and biometrics for authentication
Secure Sockets Layer (SSL) • Provides authentication through PKI (X.509 certificates), and confidentiality and data integrity through the session keys negotiated in the handshake. • Resides above the transport layer and below the application layer, at the socket layer in the protocol stack. • Most prominent e-commerce protocol.
SSL - Downfalls • Does not provide non-repudiation, and does not facilitate the transfer of payments. • Leaves the handling of payment details up to the merchant. • Credit card details can be read by the merchant and are vulnerable to theft if the merchant’s data store is not encrypted.
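The first downfall above, that SSL gives no non-repudiation, follows from how SSL protects records: with a MAC under session keys that both the client and the merchant derive in the handshake. The following is an added example, not code from the presentation, that shows why a shared-key MAC cannot settle a dispute. The session key, the order records and the function names are constructed for illustration; HMAC-SHA256 stands in for the SSL record-layer MAC.

```python
"""Why SSL's shared-key record integrity gives no non-repudiation.

Added example, not from the original presentation; the session key and the
order records are constructed. Anything the client could have tagged under
the shared session key, the merchant can tag too.
"""
import hashlib
import hmac
import secrets


def record_tag(session_key: bytes, record: bytes) -> bytes:
    """Record-layer style integrity tag: HMAC-SHA256 under the shared session key."""
    return hmac.new(session_key, record, hashlib.sha256).digest()


def tag_verifies(session_key: bytes, record: bytes, tag: bytes) -> bool:
    """Integrity check as the receiving side performs it (constant-time compare)."""
    return hmac.compare_digest(record_tag(session_key, record), tag)


def dispute(session_key: bytes) -> dict:
    """Client and merchant disagree about what was ordered; both records carry valid tags.

    The client's version is what the client says it sent. The merchant's version is
    a different record that the merchant tags itself with the same session key. An
    arbitrator holding the key sees two valid tags and cannot say which one the
    client actually produced, so the client can repudiate either.
    """
    client_record = b"order: 1 x book, total R 99.00"
    client_tag = record_tag(session_key, client_record)
    merchant_record = b"order: 50 x book, total R 4 950.00"
    merchant_tag = record_tag(session_key, merchant_record)  # forged with the shared key
    return {
        "client_version_verifies": tag_verifies(session_key, client_record, client_tag),
        "merchant_version_verifies": tag_verifies(session_key, merchant_record, merchant_tag),
    }


if __name__ == "__main__":
    print(dispute(secrets.token_bytes(32)))  # both entries are True
```

A tag that only one party could have produced (a digital signature under the client's private key) is what non-repudiation needs; that is the gap the payment protocols discussed later were designed to fill.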
Scenario 1 • Insecure Merchant
Scenario 2 • Illegitimate Merchant
Payment Protocols • The merchant has no need to read credit card details • Guarantee that the merchant receives payment • Keep credit card details confidential • Eliminate storage of credit card details on the merchant’s system
Scenario 3 • Payment protocol
Secure Electronic Transactions (SET) • Technical standard for secure payments, focusing on credit cards • Developed by MasterCard and VISA • Failed to be adopted. Why? • Certificate management was cumbersome • Comparatively slow and expensive to implement • Non-portable: required wallet software and a certificate on every client
Pseudo credit card numbers • Temporary credit card numbers that are valid for one transaction only • Advantages: • No insecure merchant problem • Easy and cost-effective to implement – transparent to the merchant
Pseudo Credit Card Numbers (cont.) • Disadvantages: • Relatively new and not yet widely adopted • Merchants may have to stop accepting real credit card numbers
CD Universe Case Study • In 1999 a hacker broke into CD Universe’s systems and stole 300 000 credit card numbers. • The hacker demanded $100 000, or else would release the details publicly. • The demand was not met and the hacker published the details, allowing several thousand visitors to download 25 000 numbers.
CD Universe Case Study • Suggested cause of the intrusion: credit card numbers stored unencrypted (the insecure merchant problem). • An MSNBC follow-up found that many e-commerce sites’ credit card databases could be accessed simply by connecting directly to the SQL Server. • Many had no encryption or authentication.
Options and Recommendations • Options involving SSL only, or SSL together with client authentication techniques, have major weaknesses. • SSL in combination with pseudo card numbers is technically more secure and easy to adopt, but is not yet widely enough adopted. • Payment protocols in combination with client authentication techniques are the most viable and secure method of securing payment.
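The two slides on pseudo card numbers and the CD Universe case study describe the same property from two sides: a merchant whose data store holds card numbers in the clear leaks them, and a number that the issuer honours only once is worthless once leaked. The block below is an added example, not code from the presentation or from any issuer. It models the issuer side of single-use pseudo numbers (a Luhn-valid 16-digit number on the issuer's BIN, approved once and declined on replay) and the check a merchant or the MSNBC reporters would run over an orders table to find Luhn-valid card numbers stored in the clear. PseudoCardIssuer, scan_for_plaintext_pans, the BIN 455555 and every row of sample data are constructed for illustration.

```python
"""Single-use pseudo card numbers at the issuer, and a scan of a merchant's order
store for card numbers held in the clear.

Added example (not from the original presentation). PseudoCardIssuer,
scan_for_plaintext_pans, the BIN 455555 and all rows below are constructed.
"""
import re
import secrets


def luhn_check_digit(partial: str) -> str:
    """Luhn (ISO/IEC 7812) check digit for a digit string lacking its last digit."""
    total = 0
    # Walk right to left; the rightmost digit of `partial` sits next to the
    # check digit, so it is the first one doubled.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True for a 13-19 digit string whose last digit is the correct Luhn check digit."""
    return (number.isdigit() and 13 <= len(number) <= 19
            and luhn_check_digit(number[:-1]) == number[-1])


class PseudoCardIssuer:
    """Issuer-side bookkeeping for pseudo numbers.

    The merchant receives an ordinary-looking, Luhn-valid 16-digit number on the
    issuer's BIN and processes it like any other card (transparent to the merchant).
    The issuer honours each number exactly once; a replay, for instance by someone
    who pulled it out of a merchant's database later, is declined.
    """

    def __init__(self, bin_prefix: str = "455555") -> None:
        self.bin_prefix = bin_prefix          # constructed BIN, not a real issuer's
        self._pending: dict[str, str] = {}    # pseudo number -> real account id
        self._spent: set[str] = set()

    def issue(self, account_id: str) -> str:
        """Mint a fresh single-use number bound to the cardholder's real account."""
        while True:
            body = self.bin_prefix + "".join(str(secrets.randbelow(10)) for _ in range(9))
            pan = body + luhn_check_digit(body)
            if pan not in self._pending and pan not in self._spent:
                self._pending[pan] = account_id
                return pan

    def authorise(self, pan: str) -> tuple[bool, str]:
        """Authorisation request as it arrives from the merchant's acquirer."""
        if not luhn_valid(pan):
            return False, "malformed number"
        if pan in self._spent:
            return False, "declined: pseudo number already used"
        account = self._pending.pop(pan, None)
        if account is None:
            return False, "declined: unknown number"
        self._spent.add(pan)
        return True, f"approved against account {account}"


# 13-19 digits, optionally separated by spaces or dashes, not inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def scan_for_plaintext_pans(rows: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Return (row_id, pan) for every Luhn-valid card number stored in the clear.

    The Luhn filter drops most order references and timestamps that merely
    look like card numbers.
    """
    hits = []
    for row_id, text in rows:
        for m in PAN_CANDIDATE.finditer(text):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                hits.append((row_id, digits))
    return hits


# Constructed rows in the shape of an unencrypted orders table.
ORDER_ROWS = [
    ("1001", "alice@example.com|4539578763621486|exp 08/06|R 1 299.00"),  # full PAN in the clear
    ("1002", "bob@example.com|tok_8f3a1c|last4 1486|R 249.00"),           # payment token + last 4 only
    ("1003", "carol@example.com|ref 20041101000000001|R 99.00"),           # 17-digit order ref, fails Luhn
]


def demo() -> dict:
    """Genuine use, replay of the same pseudo number, and a scan of a leaked table."""
    issuer = PseudoCardIssuer()
    pseudo = issuer.issue("acct-0042")
    first = issuer.authorise(pseudo)[0]    # merchant submits the genuine order: approved
    replay = issuer.authorise(pseudo)[0]   # same number presented again: declined
    dump = ORDER_ROWS + [("1004", f"dave@example.com|{pseudo}|R 10.00")]
    return {"pseudo": pseudo, "first": first, "replay": replay,
            "found_in_clear": scan_for_plaintext_pans(dump)}


if __name__ == "__main__":
    print(demo())
```

The scan reports both the real number in row 1001 and the pseudo number in row 1004, because to the merchant (and to an attacker reading the dump) they are indistinguishable; the difference is only visible at the issuer, where the pseudo number has already been spent. Row 1002 is what a payment-protocol or tokenised design leaves behind on the merchant: nothing a thief can charge.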