Network Security

Van K Nguyen - HUT

Electronic Payment Systems: Overview

Agenda

Electronic commerce concepts

Electronic payment systems overview
E-payment security
Payment security services
Material in this twin lecture is based on this
book: Security Fundamental for Electronic
Commerce by Vesna Hassler [Artech House and
Pedrick Moore, technical editor (2001) ]

Electronic commerce & secure transactions

E-commerce can be defined as any transaction involving

some exchange of value over a communication network

Business-to-business transactions, such as EDI (e- data interchange)

Customer-to-business transactions, such as online shops on the Web

customer-to-bank transactions as e-banking

Customer-to-customer transactions, such as transfer btw e-wallets

Customers/businesses-to-public administration transactions, such as
filing of electronic tax returns

usually referred to as e-business

Also usually referred to as e-government.

Here we care: Customer-to-business transactions

Sep 2010

on the electronic payment systems that provide a secure way to

exchange value between customers and businesses
Information Security by Van K Nguyen
Hanoi University of Technology

Electronic Payment Systems

E-payment systems evolved from traditional payment

systems

Both have much in common

But e-payment systems are much more powerful, because of the
advanced security techniques that have no analogs in traditional
payment systems.

An e-payment system denotes any kind of network

service that provides the exchange of money for goods or
services:

Sep 2010

physical goods: books, CDs

electronic goods: e- documents, images, or music files
traditional. Services: hotel or flight booking
e-services, such as financial market analyses in electronic form
Information Security by Van K Nguyen
Hanoi University of Technology

A typical e-payment system

The provider runs a payment gateway

reachable from the public network (Internet) and from a private

interbank clearing network.
serves as an intermediary between the traditional payment
infrastructure and the e-payment infrastructure.

In order to participate in, a customer and a merchant must

be able to access the Internet

register with the corresponding payment service provider.
each have a bank account at a bank that is connected to the
clearing network.

Sep 2010

The customers bank is usually referred to as the issuer bank

The term issuer bank denotes the bank that actually issued the payment
instrument (e.g., debit or credit card) that the customer uses for payment
The acquirer bank acquires payment records (i.e., paper charge slips or e-data)
from the merchants
Information Security by Van K Nguyen
Hanoi University of Technology

A typical e-payment system

On purchase of goods/services,
C pays a certain amount of
money to M with debit/credit card.

Before supplying goods/services, M

asks gateway G to authorize C and his
payment instrument (card number )
G contacts the issuer bank to check.
If all fine, money is withdrawn (or
debited) from the Cs account and
deposited in (or credited to) Ms
account
G notifies of the successful payment
to the merchant M supply the
ordered items to C.

In some cases, e.g. for low-cost services, delivery can be made before
the actual payment authorization/transaction
Sep 2010

Information Security by Van K Nguyen

Hanoi University of Technology

Off-line vs. On-line

Off-line systems: no current connections from the

customer/merchant to their respective banks
M cant authorize C with the issuers bank
Also, it is difficult to prevent C from spending more money than
actually possesses
most proposed Internet payment systems are online.

Online systems:

Require online presence of an authorization server, which can be a

part of the issuer or the acquirer bank.
requires more communication, but it is more secure than off-line
systems

However, off-line still possible e.g. in some e-cash systems

Sep 2010

using some special strong cryptographic tools

Information Security by Van K Nguyen
Hanoi University of Technology

Debit-based vs. credit-based systems

In a credit-based payment system (e.g., credit

cards) the charges are posted to the payers
account

The payer later pays the accumulated amounts to the

payment service.

In a debit-based payment system

Sep 2010

e.g., debit cards, checks

the payers account is debited immediately, that is, as
soon as the transaction is processed

Information Security by Van K Nguyen

Hanoi University of Technology

Micro vs. macro

Macro-payment: relatively large amounts of money can

be exchanged
Micropayment system: small payments

e.g., up to 5 euros

The order of magnitude plays a significant role in the

design of a system and its security policies.

It makes no sense to implement expensive security protocols to

protect e- coins of low value.

Sep 2010

In such a case, should instead prevent large-scale attacks in which huge

numbers of coins can be forged or stolen.

Information Security by Van K Nguyen

Hanoi University of Technology

Payment instruments

Traditional payment instruments

E-payment systems introduced new instruments:

Paper money, credit cards and checks

electronic money (also called digital money)

electronic checks

Two main groups of instruments

cash-like: money taken from account before payment

payer withdraws a certain amount of money (e.g., paper money,

electronic money) from his account

check-like: after

payer sends a payment order to the payee the money will be withdrawn from
the payers account and deposited into the payees.
The payment order: paper e.g., a bank-transfer slip, or an e-document e.g. an echeck.

Sep 2010

Information Security by Van K Nguyen

Hanoi University of Technology

10

Payment using credit cards

Most popular

The first credit cards were introduced decades ago (Diners Club
in 1949, American Express in 1958)

Material

Sep 2010

For a long time, most are with magnetic stripes containing

unencrypted, read-only information
Now, many are smart cards containing hardware devices (chips)
offering encryption and far greater storage capacity
Recently even virtual credit cards (software electronic wallets),
such as one by Trintech Cable & Wireless

Information Security by Van K Nguyen

Hanoi University of Technology

11

Typical credit card transaction

(1) C sends M credit card info (i.e., issuer, expiry date, number)
(2) M asks the acquirer bank A for authorization
(3) A checks with I - the issuer bank then A notifies M if approved.
(4) M send the ordered goods/services to C
(5a) M present the charge (or a batch of several transactions) to A

Sep 2010

Information Security by Van K Nguyen

Hanoi University of Technology

12

Typical credit
card transaction

(6) Settlement:

A sends a settlement request to I; I places the money into an interbank settlement

account and charges the amount of sale to Cs credit card account.

(7) Notification

At regular intervals (e.g., monthly) I notifies C of the transactions and their

accumulated charge
C pays the charges by some other means (e.g., direct debit order, bank transfer,
check).

(5b) A has obtained the amount of sale from the interbank settlement
account and credited Ms account
Sep 2010

Information Security by Van K Nguyen

Hanoi University of Technology

13

Using credit cards: security problems

Generally, fraudulent use of credit card numbers stems

from

eavesdroppers
dishonest merchants

Credit card numbers can be protected against

Sep 2010

Eavesdroppers alone by encryption e.g. using SSL

Dishonest merchants alone by using kind of pseudonyms of
credit card numbers
Both eavesdroppers and dishonest merchants by encryption and
dual signatures

Information Security by Van K Nguyen

Hanoi University of Technology

14

Electronic money

Electronic representation of traditional money.

If C wants to buy digital coins

contacts a broker B, orders a certain amount of coins

pays with real money
C can make purchases from any M that accept the coins of that B

M redeem at Bs the coins obtained from all C

A unit of e-money is usually referred to as an e- or digital coin

Digital coins are minted i.e., generated by brokers

B takes back the coins and credits Ms account with real money.

Typical electronic money transaction

the issuer bank can be the broker at the same time.

C & M must each have a current or checking account.

Sep 2010

The checking account: transition. form between the real money and e- money
Information Security by Van K Nguyen
Hanoi University of Technology

15

Typical E-money transaction

(0) Coin withdrawal: C buys coins
and his checking account is
debited
(1) C uses the digital coins to
purchase in the Internet
(2) M sends C goods or services

Since often used to buy low-value

services or goods M usually fills Cs
order before or even without payment
authorization

(3) Redemption: M then sends a request to the acquirer bank.

(4) Settlement: By using an interbank settlement mechanism similar,
the acquirer bank redeems the coins at the issuer bank and credits
Ms account with the equivalent amount

Sep 2010

Information Security by Van K Nguyen

Hanoi University of Technology

16

Electronic checks

Electronic equivalents of traditional paper checks

E-document that shows the following:

Sep 2010

Check number
Payers name
Payers account number and bank name
Payees name
Amount to be paid
Currency unit used
Expiration date
Payers electronic signature
Payees electronic endorsement
Information Security by Van K Nguyen
Hanoi University of Technology

17

Typical e-check transaction

(1) C orders goods/services and
M sends back e- invoice
(2) As payment, C sends an
electronically signed e-check

E-signature is a general term

that includes, among other
things, digital signatures
based on PKC

(3) As with paper checks, M

endorses the check
(4) Settlement: The issuer and the acquirer banks arrange transferring
the amount of sale from Cs account to Ms account.
(5) shipping/delivery
Sep 2010

Information Security by Van K Nguyen

Hanoi University of Technology

18

Electronic wallets

Stored-value software or hardware devices

loaded with specific value

Current trend: using the smart card technology.

CAFE project (Conditional Access for Europe, funded under the

European Communitys ESPRIT program

by increasing a currency counter

by storing bit strings representing e-coins

a small portable computer with an internal power source

a smart card

Electronic money can be loaded online

point-of-sale (POS) terminals

Sep 2010

Information Security by Van K Nguyen

Hanoi University of Technology

19

Smart card technology

Plastic card with embedded microprocessor and memory

Smart card-based electronic wallets

used as either a credit card

storage of electronic money or an electronic check device
combination
reloadable stored-value (prepaid) cards, for small payments
Owners account is debited beforehand
The owner can load the card at an ATM
Shops with corresponding card readers at the cash register

Examples

Sep 2010

Austrian Quick1 and Belgian Proton systems

SET (Secure Electronic Transactions), an open specification for
secure credit card transactions over open networks
Information Security by Van K Nguyen
Hanoi University of Technology

20

Electronic Payment Security

The security problems of traditional payment systems

Money can be counterfeited

Signatures can be forged;
Checks can bounce.

Electronic payment systems have the same problems

and further:

Sep 2010

Digital documents can be copied perfectly and arbitrarily often

Digital signatures can be produced by anybody who knows the
private key
A payers identity can be associated with every payment
transaction

Information Security by Van K Nguyen

Hanoi University of Technology

21

Electronic Payment Security

E-commerce can not be widespread without additional

security measures which enable e-payment systems
A properly designed e-payment system can provide better
security than traditional payment systems
Three types of adversaries can be encountered:

Outsiders eavesdropping and misusing the evavesdropped

data(e.g., credit card numbers)
Mallicious attackers sending forged messages to authorized users

Sep 2010

cause abnormal system functioning

or to steal the assets exchanged (e.g., goods, money)

Dishonest users trying to obtain and misuse unauthorized payment

transaction data
Information Security by Van K Nguyen
Hanoi University of Technology

22

Basic security requirements for epayment systems

Payment authentication

Payment integrity

Payment transaction data cannot be modifiable by unauthorized

principals

Payment authorization

Both payers and payees must prove their payment identities

This not necessarily imply that a payers identity is revealed(as if
anonymity is required)

Ensures that no money can be taken from a customers account

or smart card without his explicit permission

Payment confidentiality

Sep 2010

Information Security by Van K Nguyen

Hanoi University of Technology

23

Payment Security Services

Satisfying the security requirements of E-payment

system more than just communications security
services
a payment system may have conflicting security
requirements

E.g. wants anonymity for digital coins, but require identification of

double-spenders.

an e- payment system for high-value transaction need a

more elaborate (so more expensive) security policy than
micropayment
Payment security services fall into three main groups
depending on the payment instrument used.

Sep 2010

Information Security by Van K Nguyen

Hanoi University of Technology

24

(Payment) transaction security services

User anonymity

Location untraceability

selectively protects against disclosure of specific parts of transaction data to selected

principals from the group of authorized principals;

Nonrepudiation of payment transaction messages

protects against linking of two different transactions of the same customer

Confidentiality of payment transaction data

protects against disclosure of a payers identity in a transaction;

Payment transaction untraceability

protects against disclosure of where a payment transaction originated;

Payer anonymity

protects against disclosure of a user.s identity in a network transaction;

protects against denial of the origin of transaction messages

Freshness of payment transaction messages

Sep 2010

protects against replaying of payment transaction messages.

Information Security by Van K Nguyen
Hanoi University of Technology

25

Digital money security

Protection against double spending

Protection against forging of coins

prevents multiple use of electronic coins

prevents production of fake digital coins by an
unauthorized principal

Protection against stealing of coins

Sep 2010

prevents spending of digital coins by unauthorized

principals

Information Security by Van K Nguyen

Hanoi University of Technology

26

E-check security

The third group of services is based on the techniques

specific to payment systems using electronic checks as
payment instruments. There is an additional service
typical of electronic checks:

Sep 2010

Payment authorization transfer (proxy).makes possible the

transfer of payment authorization from an authorized principal to
another principal selected by the authorized principal.

Information Security by Van K Nguyen

Hanoi University of Technology

27