An Investigation into
E-Commerce Frauds and
their Security Implications
By Kevin Boardman
Supervisor: John Ebden
1 November 2004
About me
- Joint Computer Science and Information Systems Honours.
- Interest in computer security and its implications in e-commerce.
- Email: [email protected]

Definition of project in one sentence

An investigation into e-commerce frauds, and how they are best avoided by internet merchants.
The Problem and Background
What is E-commerce?
“E-commerce focuses on the electronic exchange of information using information and telecommunications infrastructures to perform a wide range of commercial activities that can be divided into business-to-consumer and business-to-business sectors” - Hutchinson and Warren [2003]
- Project focuses on business-to-consumer

Importance of E-Commerce

Electronic commerce is a “strategic imperative for most competitive organisations today as it is a key to finding new sources of revenue, expanding into new markets, reducing costs, and creating breakaway business strategies” - VeriSign [2004]
E-Commerce statistics
- General increase in the use of e-commerce around the world.
- The number of online banking accounts in South Africa grew by 28% to 1.04 million in the last year. These figures are expected to increase to 30% in 2004.
- 17 percent of Americans used online banking services by the end of 2002 and this figure will continue to grow by 14 percent up to the end of 2007.
- US online retail revenue is projected to increase from $47.8 billion in 2002 to $130.3 billion in 2005.
Fraud statistics
- Fraud complaints rose by around two-thirds in the US according to the Federal Trade Commission (FTC) from 2001 to 2002.
- The cost of fraud in 2002 more than doubled that in 2001.
Fraud statistics (Continued)
[Chart: Internet-related frauds reported to Consumer Sentinel from 2001 to 2003; y-axis: number of reported frauds, 0 to 180,000; x-axis: 2001, 2002, 2003]
Result of combination of statistics
- “Hacker cleans out bank accounts.”
- “Hundreds of thousands of rands stolen via Internet from Absa clients.”
- Who covers the costs? Irreversible damage to Absa’s image.
- “New security fears for web banking”
- “Major online credit card theft exposed”
- Why are these breaches still taking place?
My Approach
1. Identify types of threats, types of attacks, methods of attack and opportunities for attack in the e-commerce transaction.
2. Identify requirements of secure e-commerce and the mechanisms used to secure e-commerce.
3. Critically analyse e-commerce security mechanisms.
4. Analyse e-commerce fraud case studies.
5. Formulate options and recommendations for securing e-commerce.
Threats
- Vandalism and sabotage – defacing a web site
- Denial of service – flooding the service
- Breach of privacy or confidentiality – disclosure of personal info
- Theft and fraud – theft and use of a credit card number
- Violations of data integrity – changing an order’s delivery address
- Repudiation – denying a transaction took place
Securing E-Commerce

3 Fronts
1. Merchant - System offering the service
- Web server and OS
- Firewalls, encrypted data stores
2. Transport - Channel between the client and merchant
- Protocols (SSL, SET)
3. Client - System accessing the service
- Difficult to secure and control
E-commerce Security Requirements

Four basic security requirements of e-commerce transactions:
1. Authentication – proof of identity
2. Confidentiality – keeping data “secret”
3. Data integrity – ensuring data is not changed in transit by an unauthorised entity
4. Non-repudiation – prevents a denial of actions by a person or entity
Mechanisms used to secure e-commerce
- SSL
- Payment Protocols
- Pseudo Card Numbers
Used in combination with:
- Passwords, Tokens, and Biometrics for authentication
Secure Socket Layer (SSL)
- Provides confidentiality, authentication, and data integrity through the use of PKI.
- Resides above the transport layer and below the application layer, at the socket layer in the protocol stack.
- Most prominent e-commerce protocol
SSL - Downfalls
- Does not provide non-repudiation or facilitate the transfer of payments.
- Leaves payment details up to the merchant.
- Credit card details can be read by the merchant and may be vulnerable to theft if the data store is not encrypted.
Scenario 1: Insecure Merchant
Scenario 2: Illegitimate Merchant
Payment Protocols
- Merchant has no need to read credit card details
- Guarantee the merchant receives payment
- Keeps credit card details confidential
- Eliminates storage of credit card details on the merchant’s system
Scenario 3: Payment protocol
Secure Electronic Transactions (SET)
- Technical standard for secure payments focusing on credit cards
- Developed by MasterCard and VISA.
- Failed to be adopted. Why?
  - Certificate management was cumbersome
  - Comparatively slow and expensive to implement.
  - Non portable.
Pseudo credit card numbers
- Temporary credit card numbers that are valid for 1 transaction only.
- Advantages:
  - No insecure merchant problem.
  - Easy and cost effective to implement – transparent to the merchant.
Pseudo Credit Card Numbers (Cont)
- Disadvantages:
  - Relatively new and not yet widely adopted
  - Merchant may have to stop accepting real credit card numbers.
CD Universe Case Study
- In 1999 a hacker broke into CD Universe’s systems, stealing 300 000 credit card numbers.
- The hacker demanded $100 000 or would release the details publicly.
- The demand was not met and the hacker published details, allowing the download of 25 000 numbers by several thousand visitors.
CD Universe Case Study (Continued)
Suggested cause of intrusion:
- Credit cards stored unencrypted (Insecure Merchant problem)
- An MSNBC follow-up found that many e-commerce sites’ credit card databases can be accessed simply by connecting through a SQL Server.
- Many have no encryption, or authentication.
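The single-use pseudo card numbers described earlier, and the insecure-merchant problem the CD Universe case illustrates, as an added example that is not part of the original presentation: an issuer-side registry in Python that mints one-transaction numbers bound to a real account, refuses replays, and shows what a breached merchant database of such numbers is still worth. The class, method names, BIN prefix and test card number are constructed assumptions, not any real payment API.

```python
import secrets

# Constructed example: an issuer-side registry for single-use pseudo card
# numbers. Class and method names are assumptions, not a real payment API.

def luhn_check_digit(partial: str) -> str:
    """Luhn check digit, so pseudo numbers pass merchants' format checks."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)

def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]

class PseudoCardIssuer:
    def __init__(self, bin_prefix: str = "999999"):  # constructed test BIN
        self.bin_prefix = bin_prefix
        self.pending = {}  # pseudo PAN -> (real PAN, amount limit, expiry)
        self.used = set()  # every number ever presented, to stop replays

    def issue(self, real_pan: str, max_amount: float, ttl_s: int, now: float) -> str:
        """Mint a Luhn-valid number bound to the real account, with an amount limit and lifetime."""
        while True:
            body = self.bin_prefix + "".join(secrets.choice("0123456789") for _ in range(9))
            pseudo = body + luhn_check_digit(body)
            if pseudo not in self.pending and pseudo not in self.used:
                break
        self.pending[pseudo] = (real_pan, max_amount, now + ttl_s)
        return pseudo

    def authorize(self, pseudo: str, amount: float, now: float) -> str:
        """Merchant presents the pseudo number; any presentation consumes it."""
        if pseudo in self.used:
            return "declined: already used"
        entry = self.pending.pop(pseudo, None)
        if entry is None:
            return "declined: unknown number"
        self.used.add(pseudo)
        _real_pan, max_amount, expiry = entry
        if now > expiry:
            return "declined: expired"
        if amount > max_amount:
            return "declined: over limit"
        return "approved"  # issuer charges _real_pan; the merchant never saw it

def still_redeemable(issuer: PseudoCardIssuer, stolen: list, now: float) -> list:
    """Value of a breached merchant DB of pseudo numbers: only unused, unexpired ones can be charged."""
    return [n for n in stolen if n in issuer.pending and issuer.pending[n][2] >= now]
```

Contrast with the CD Universe breach: a merchant table of real, unencrypted card numbers stays chargeable indefinitely, whereas here every number the merchant stored is dead once used or expired.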
Options and Recommendations
- Options involving SSL only, or SSL along with client authentication techniques, have major weaknesses.
- SSL in combination with pseudo card numbers is technically more secure and easy to adopt, but not widely enough adopted.
- Payment protocols in combination with client authentication techniques are the most viable and secure methods of securing payment.
Questions