Threats Are Divided in Two Major Categories: Internet Security
Internet Security:
Security threats keep emerging in the Internet world due to mobile code (software agents
or rogue software), which is responsible for creating virus threats.
Mobile code is a software agent that has the ability to move from one computer to another,
and also the ability to get itself invoked without any external influence.
Security threats arise when downloaded data passes through a local interpreter on the client
machine without the user's knowledge. Client threats arise mostly from malicious code, which
refers to viruses such as Trojan horses, worms, rabbits, chameleons, ordinary software bombs,
timed software bombs and logical software bombs.
Threats to Server:
The most common forms of denial of service attack are service overloading and message
overloading.
Compiled by: Mr. D. P. Mishra, Deptt. Of Computer Science & Engg, B. I. T. Durg 1/33
UNIT-V SYSTEM SECURITY
Service Overloading:
Servers are vulnerable to service overloading; for example, a WWW server can easily be
overloaded by a small loop that continuously sends requests for a particular file. The server
tries to respond to every request because it assumes each one is genuine. While serving all
these requests a stage is reached where the server can no longer satisfy them, so it denies
service to the requests, i.e. denial of service occurs due to overloading of the server.
Message Overloading:
Message overloading occurs when someone sends a very large file to the message box of a
server every few seconds. The message box grows in size and begins to occupy the hard disk
space, and the number of receiving processes on the recipient machine increases, thereby
causing a disk crash.
Virus:
• A program or piece of code that is loaded onto your computer without your
knowledge and runs against your wishes. Viruses can also replicate themselves.
All computer viruses are man-made.
• Computer “viruses” and related programs have the ability to replicate themselves
on an ever increasing number of computers. They originally spread by people
sharing floppy disks. Now they spread primarily over the Internet (a “worm”).
are very hard to detect before the payload activates (Trojan Horses, Trap Doors,
and Logic Bombs).
7 Types of Viruses
• Similar to a boot sector virus except that the viral code is located in a different area.
• Prevents the computer from booting.
• Examples: NYB, AntiExe, and Unashamed (Symantec.com)
Multi-Partite Viruses
Companion Viruses
• Execute through the operating system rather than directly infecting programs or boot
sectors.
• When you execute the command ‘ABC’, ABC.COM executes before ABC.EXE.
Thus a companion virus can place its code in a COM file whose first name matches
that of an existing EXE file. When the user next executes the ‘ABC’ command, the
virus’s ABC.COM program is run.
• Executable Viruses - These are viruses hidden within executable files or posing
as executable files.
• Visual Basic Script Viruses - Visual Basic Script (VBS) is a powerful
programming language built into Windows. VBS viruses can send emails,
delete files, rename files etc. VBS viruses often pretend to be something that
they are not.
• Boot Sector Virus - resides in the boot sector of a hard disk or floppy. The boot
sector is that portion of a disk that gives it its identity. After a given number of
boots, the virus activates and the system is usually destroyed.
• Stealth Virus - Can be any one of the previously mentioned types, but designed to
defeat anti-virus scanning and other anti-virus detection software and methods.
• Macro Viruses – These are very common and make use of the macro
functionality in Microsoft Office. Macros are mini-programs that allow users to
automate various commands within the program.
Worm
• A self-replicating program that is self-contained and does not require a host
program. It creates copies of itself and executes them, and generally uses
network services to propagate to other host systems. Worms can consume all
resources on the network and affect response time.
Rabbits
• Rabbits are similar to worms; they too are full programs. However, as soon as they
are executed they replicate themselves on the disk until its capacity is exhausted;
this process is then repeated on other nodes so that the complete network comes
to a standstill.
• Rabbits are less harmful than worms since they are easily detected.
Trojan Horse
• A program which appears to be harmless but contains a piece of code which is very
harmful. The name Trojan horse is derived from Greek mythology; here it means
fooling common users, hence all rogue software delivered this way comes under
this category.
• The term comes from a story in Homer's Iliad, in which the Greeks give a giant
wooden horse to their foes, the Trojans, ostensibly as a peace offering. But after
the Trojans drag the horse inside their city walls, Greek soldiers sneak out of the
horse's hollow belly and open the city gates, allowing their compatriots to pour in
and capture Troy.
• One of the most insidious types of Trojan horse is a program that claims to rid
your computer of viruses but instead introduces viruses onto your computer.
Software Bomb:
Software bombs are pieces of code which “explode” as soon as they are executed,
without any delay, and bring the system to a grinding halt.
Timed Software Bomb:
Similar to an ordinary software bomb, except that it becomes active only at a specific
time or frequency.
Logical Software Bomb:
Similar to an ordinary software bomb, except that it is activated only if a logical
condition is satisfied (e.g. delete the employees' master data when gross salary exceeds, say, 10,000).
Chameleon:
Chameleons are similar to Trojan horses. A chameleon normally looks like a useful and
correct program; it throws up a logon screen to collect valid user names and passwords,
then displays a “system shut down” message, and later makes use of the collected
passwords.
Backdoor
Malware
Spyware
• Also called adware, spyware is any software that covertly gathers user
information through the user's Internet connection without his or her knowledge,
usually for advertising purposes.
• Once installed, the spyware monitors user activity on the Internet and transmits
that information in the background to someone else.
• Spyware can also gather information about e-mail addresses and even passwords
and credit card numbers.
• Spyware is similar to a Trojan horse in that users unwittingly install the product
when they install something else.
• Aside from the questions of ethics and privacy, spyware steals from the user by
using the computer's memory resources and also by eating bandwidth as it sends
information back to the spyware's home base via the user's Internet connection.
• Because spyware is using memory and system resources, the applications running
in the background can lead to system crashes or general system instability.
Klez
http://www.virus.uga.edu/klezalrt.html
Sircam
http://www.virus.uga.edu/scalrt.html
Nimda
http://www.f-secure.com/v-descs/nimda.shtml
Nimda
– Mass mailing
• It then locates e-mail addresses from your e-mail client as well as searching local
HTML files for additional addresses. Then it sends one e-mail to each address.
These mails contain an attachment called README.EXE, which might be
executed automatically on some systems.
– Web worm
• Nimda starts to scan the internet, trying to locate web servers. Once a web server
is found, the worm tries to infect it by using several known security holes. If this
succeeds, the worm will modify random web pages on the site, which if viewed
may infect the web surfer’s computer.
Hybris
http://www.fsecure.com/v-descs/hybris.shtml
Magistr
http://www.fsecure.com/v-descs/magistr.shtml
Magistr
– Depending on its internal counters the virus manifests itself: it gets access to
Windows desktop and does not allow access to icons on the desktop by mouse.
When mouse cursor is moved to an icon, the virus moves the icon out of the cursor.
It looks like desktop icons try to "escape" mouse cursor.
YES!!!
• The number of known viruses surpassed 50,000 in August 2000. According to the
anti-virus vendor Sophos, the number of new viruses discovered every month
continues to rise.
• Virus trends between 1999 and 2001 illustrate the threat to an e-mail system.
• In 1999, 1 in 1400 e-mails contained a virus. In 2000, it was 1 in 700, and 1 in
300 this year. Message Labs, an anti-virus vendor that specializes in scanning e-mail,
predicts that if trends continue, by 2008 1 in 10 e-mails will contain a
virus.
• There are 808 viruses listed on the May 2002 WildList and Supplemental list.
• For a virus to be considered “in the wild”, it must be spreading as a result of
normal day-to-day operations on and between the computers of unsuspecting
users.
Methods of Attack
• E-Mail Attachments
• Web Pages
• Open Network Shares (Peer to Peer Networking)
• Internet Relay Chat & Instant Messaging
• Floppy Disks
• MS Office Document Macros
• Macromedia Flash Documents
• And, new ways appearing all the time…
• From http://online.securityfocus.com/infocus/1288
• Create a virus-free start-up disk for your computer and keep it in a safe place.
• Sometimes an infected computer cannot be started. This does not mean that a
virus has deleted data from your hard drive; it only means that your operating
system cannot be loaded any more.
• To solve this problem, you should use a virus-free start-up diskette containing an
anti-virus program that has been developed for your operating system. This
diskette will help you to start your computer and delete any viruses in your
operating system.
• From http://online.securityfocus.com/infocus/1288
• Back up your files regularly.
• Although this rule will not protect against virus infection, it will allow you to
protect your valuable data in case your computer becomes infected (or, as an
added bonus, if you have any other problems with your hardware).
• It is advisable to back up your most valuable data using external media, such as
diskettes, MO disks, magnetic tapes, CDs, etc. In this case, whatever might
happen, you will always be prepared.
• From http://online.securityfocus.com/infocus/1288
• From http://security.oreilly.com/news/maliciouscode_0801.html
• Don't share your hard drive (disable file sharing on your hard drive).
• If you do need to provide some file and print sharing, don't give away the keys to
the kingdom: use a password, and ONLY give the minimum that you have to.
Sharing a directory (folder) is much better than sharing all of C:\, and read-only is
better than full access. If you have to give a C:\ administrative share, limit the
number of people who can use it.
• There is a very simple way for Windows users to eliminate the threat of
"accidentally" executing a VBS attachment to an e-mail.
• By doing the following steps, if you ever "accidentally" click on a worm or virus
written in Visual Basic, it will pop open in Notepad rather than executing.
[4] Scroll down until you see the .vbs file type.
[5] For each of them, highlight the entry and select "Edit."
[7] Change the "application used to perform action" from "wscript.exe" to the path
name where "notepad.exe" is located. This is likely either
"C:\windows\notepad.exe" or "C:\WINNT\notepad.exe". You can use the file find
feature to locate the proper path.
FIREWALL
Every time a corporate network connects its Intranet to the Internet it faces potential danger.
Due to the openness of the Internet there is a possibility of attack by hackers and intruders,
who can harm the local computing environment in a number of ways, such as:
The solution for all such types of threats, and many more, is to build a firewall to protect the
Intranet.
What is a firewall?
Advantages
• application/content-level filtering
Disadvantages
• introduce vulnerabilities
• All traffic between external and internal networks must go through the
firewall
• Firewall has opportunity to ensure that only suitable traffic goes back and
forth
Firewall Architectures
[Figure: a bastion host placed between the Intranet and the Internet]
[Figure: inner barrier and outer barrier]
• A firewall system should possess flexibility, i.e. it must have the ability to accommodate
new changes based on the company’s policy
Firewall Rules
• Questions to ask:
• Are there any trusted external hosts to which you want to give network
access?
• TCP and UDP: src/dest port, flags, SYN and ACK bits
• Interface name (the firewall may have more than one incoming/outgoing link)
• ICMP
• More restrictive rules come first, to avoid rule conflicts and shadowing
An IP packet filtering firewall examines each and every incoming and outgoing
packet flowing through it by examining specific fields in the IP datagram header; on
that basis the firewall decides whether to allow the packet to come inside / go outside
or discard it. The fields examined are:
• Source IP address
• Destination IP address
o Protocol field
[Figure: an IP packet screening router, applying filtering/screening rules, sits between the Internet (Usenet, e-mail, client) and the server]
As shown in the figure above, the firewall router filters incoming and outgoing packets based on
the security rules that are set when the firewall host is configured, according to the
company’s policies.
e.g. If the company doesn’t offer FTP services to outsiders, the firewall is configured to
reject requests related to FTP.
• Then the main process creates a new process for each new connection.
The new processes wait for client data on ports from 40001 to 41000.
• The main process sends a reply to the client (in the payload of a UDP
packet) with the port to use to connect to the dedicated process.
• The client receives the packet, reads the port (e.g. 40001) and sends the next
packet to port 40001 of the same server.
• With a stateless firewall, if you want to allow such a server to work properly
with hosts outside your LAN you must open all ports > 1024.
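The rule-ordering point above (more restrictive rules first, so that nothing is shadowed) and the FTP-rejection example, as an added illustration that is not part of the notes: a minimal first-match packet filter over the header fields the notes list (interface, protocol, addresses, destination port, SYN/ACK bits) with a default-deny policy, plus a check that reports rules shadowed by earlier, broader ones. The interface names, addresses and the two policies are constructed.

```python
# Added example (not from the lecture notes): a first-match packet filter over
# the header fields the notes list, with a default-deny policy and a check for
# rules shadowed by earlier, broader ones. Addresses and names are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    iface: str            # interface the packet arrived on, e.g. "outer"
    proto: str            # "tcp", "udp" or "icmp"
    src: str              # source IP address
    dst: str              # destination IP address
    sport: int = 0
    dport: int = 0
    syn: bool = False     # TCP SYN bit
    ack: bool = False     # TCP ACK bit


@dataclass
class Rule:
    action: str                       # "allow" or "deny"
    iface: Optional[str] = None       # None matches any value
    proto: Optional[str] = None
    src: str = "0.0.0.0/0"            # CIDR; the default matches any address
    dst: str = "0.0.0.0/0"
    dports: Optional[range] = None    # destination port range, None = any
    tcp_state: Optional[str] = None   # "new" (SYN, no ACK), "established" (ACK set) or None

    def matches(self, p: Packet) -> bool:
        if self.iface is not None and self.iface != p.iface:
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dports is not None and p.dport not in self.dports:
            return False
        if self.tcp_state == "new" and not (p.syn and not p.ack):
            return False
        if self.tcp_state == "established" and not p.ack:
            return False
        return True


def filter_packet(rules, p: Packet) -> str:
    """The first matching rule decides; an unmatched packet is denied
    ("deny all except what is defined as wanted")."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


def covers(broad: Rule, narrow: Rule) -> bool:
    """True when every packet that matches `narrow` also matches `broad`."""
    for b, n in ((broad.iface, narrow.iface), (broad.proto, narrow.proto),
                 (broad.tcp_state, narrow.tcp_state)):
        if b is not None and b != n:
            return False
    for b, n in ((broad.src, narrow.src), (broad.dst, narrow.dst)):
        if not ipaddress.ip_network(n).subnet_of(ipaddress.ip_network(b)):
            return False
    if broad.dports is not None:
        if narrow.dports is None:
            return False
        if narrow.dports.start < broad.dports.start or narrow.dports.stop > broad.dports.stop:
            return False
    return True


def shadowed_rules(rules) -> list:
    """Indexes of rules that can never fire because an earlier rule covers them;
    this is why the notes say the more restrictive rules must come first."""
    return [j for j in range(len(rules))
            if any(covers(rules[i], rules[j]) for i in range(j))]


# Constructed policy for the notes' example, for traffic arriving on the outer
# interface: no FTP for outsiders, one web server exposed, and replies to
# inside-initiated TCP connections let back in. 203.0.113.0/24 is the Intranet.
POLICY = [
    Rule("deny", iface="outer", proto="tcp", dst="203.0.113.0/24", dports=range(20, 22)),
    Rule("allow", iface="outer", proto="tcp", dst="203.0.113.10", dports=range(80, 81), tcp_state="new"),
    Rule("allow", iface="outer", proto="tcp", dst="203.0.113.0/24", tcp_state="established"),
]

# The same intent with the broad rule first: the FTP deny is shadowed and never fires.
MISORDERED = [
    Rule("allow", iface="outer", proto="tcp", dst="203.0.113.0/24"),
    Rule("deny", iface="outer", proto="tcp", dst="203.0.113.0/24", dports=range(20, 22)),
]
```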
3. If TCP/UDP packet filtering is not implemented fully, it can lead to a security
hole
In this type of firewall a remote host or network can interact only with the proxy server
(proxy application gateway). The proxy server is responsible for hiding the details of
the internal network, i.e. the Intranet. If the remote host wants to use the
facilities placed inside the company, the proxy first authenticates the remote
host/user, then creates a session between the application gateway and the
internal host, allows the transmission of packets and also maintains log
details of the user.
As shown in the figure, the proxy application gateway is a special server which runs on the
firewall machine. Users inside or outside who have to share data must divert their requests
to the proxy server; the proxy applies the security policy by authenticating the user and then
establishes and maintains the session between the end users.
3. Cost effectiveness
Hardened firewall hosts are similar to proxy application gateways and are
configured for increased security. This type of firewall requires an inside or outside
user to connect to some trusted application running on the firewall machine before
getting connected further. These firewalls are configured to protect against
unauthorized interactive logins from the external world.
• Remove all user accounts except those necessary for the operation of the
firewall machine
Advantages:
• Concentration of security
Drawbacks:
AAA Security:
[Figure: an AAA security system placed between the Internet and the Intranet]
AAA security works similarly to a proxy application gateway: here too the user must
be authenticated by the security system before using the facilities kept inside
or outside the company, i.e. clients are compelled to log on to the security
system, and only then are they authorized to use facilities according to the
policies set on the security system. After granting the authorization, the AAA system
maintains details of the data packet transactions for the purpose of further
accounting/auditing.
• Two ways to approach the rule sets:
– Allow all except what is defined as unwanted
• Place roadblocks/watch gates along a wide open road.
– Deny all except what is defined as wanted
• Build a wall and carve paths for everyone you like.
• Problems:
– Firewalls as filters can be considered for the most part to be infallible... but as a
security measure? They can only enforce rules (generally static).
• “Crunchy on the outside, but soft and chewy on the inside.”
• Conclusions
– People don’t just put up a thick front door for their sensitive belongings, you
shouldn’t for your network either.
– Firewalls are an effective start to securing a network. Not a finish.
– Care must be taken to construct an appropriate set of rules that will enforce your
policy.
SET
(Secure Electronic Transaction)
Secure Electronic Transaction
SET Services
Summary of SET Participants
SET Participants
SET Process
How SET achieves its objective of
Confidentiality
• The first aspect is dealt with by SSL, as all information exchange
is done through SSL in encrypted format
• The second aspect is the important one, and it is not achieved by SSL:
protection of the credit card number from the merchant
• So SET is very important, as it hides credit card details
from the merchant
• The concept of hiding the credit card number from the merchant is
based on digital enveloping
Digital Enveloping in SET
• The SET software prepares the PI (payment information) on the card
holder's computer; it contains the credit card details
• The card holder's computer then prepares a one-time session
key
• Using the one-time session key, the card holder's computer
encrypts the PI (payment information)
• The card holder's computer now wraps the one-time session key
with the public key of the payment gateway to form a digital
envelope
• It then sends the encrypted PI and the digital envelope
together to the merchant, who passes them to the gateway
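The five enveloping steps above, as an added worked example that is not part of the notes: a toy textbook RSA key pair (two known Mersenne primes, no padding) stands in for the payment gateway's public key KUpg, a SHA-256 counter keystream stands in for the symmetric cipher under the session key KS, and the order and payment strings are constructed samples. What it shows is that the merchant can relay E_KS(PI) and E_KUpg(KS) to the gateway without holding any key that opens either.

```python
# Added example (not from the lecture notes): the SET digital envelope built
# from the steps above. TOY RSA (demo-sized primes, no padding) and a hash-based
# stream cipher are used so it runs with the standard library only; neither is
# fit for real use. The envelope structure is the point, not the primitives.
import hashlib
import secrets

# --- toy RSA key pair for the payment gateway (KUpg / private key) ---
P = 2**61 - 1                       # Mersenne prime M61 (demo value)
Q = 2**89 - 1                       # Mersenne prime M89 (demo value)
N = P * Q                           # ~150-bit modulus, large enough to hold a 128-bit KS
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, held by the gateway only
GATEWAY_PUBLIC_KEY = (E, N)         # KUpg in the notes: known to the card holder
GATEWAY_PRIVATE_KEY = (D, N)        # never leaves the payment gateway

KEY_LEN = 16                        # one-time session key KS is 128 bits


def rsa_wrap(session_key: bytes, public_key) -> int:
    """E_KUpg(KS): wrap the session key with the gateway's public key."""
    e, n = public_key
    m = int.from_bytes(session_key, "big")
    assert 0 < m < n, "session key must be smaller than the modulus"
    return pow(m, e, n)


def rsa_unwrap(wrapped: int, private_key) -> bytes:
    """Recover KS from the envelope; only the holder of the private key can."""
    d, n = private_key
    return pow(wrapped, d, n).to_bytes(KEY_LEN, "big")


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric E_KS / D_KS: XOR with a SHA-256 counter keystream (toy cipher,
    same call encrypts and decrypts)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        chunk = data[offset:offset + 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def cardholder_build_envelope(payment_info: bytes, gateway_public_key):
    """Card holder's computer: one-time KS, E_KS(PI), E_KUpg(KS)."""
    ks = secrets.token_bytes(KEY_LEN)                # one-time session key
    encrypted_pi = keystream_xor(ks, payment_info)   # E_KS(PI)
    envelope = rsa_wrap(ks, gateway_public_key)      # digital envelope E_KUpg(KS)
    return encrypted_pi, envelope


def merchant_forward(order_info: bytes, encrypted_pi: bytes, envelope: int):
    """Merchant: reads OI to process the order, relays E_KS(PI) and E_KUpg(KS)
    unchanged. It has no key for either, so PI stays hidden from it."""
    order = order_info.decode()
    return order, (encrypted_pi, envelope)


def gateway_open_envelope(encrypted_pi: bytes, envelope: int, gateway_private_key) -> bytes:
    """Payment gateway: unwrap KS with its private key, then decrypt PI."""
    ks = rsa_unwrap(envelope, gateway_private_key)
    return keystream_xor(ks, encrypted_pi)


def run_transaction(order_info: bytes, payment_info: bytes):
    """Whole flow; returns what the merchant saw and what the gateway recovered."""
    enc_pi, env = cardholder_build_envelope(payment_info, GATEWAY_PUBLIC_KEY)
    order, relayed = merchant_forward(order_info, enc_pi, env)
    pi_at_gateway = gateway_open_envelope(*relayed, GATEWAY_PRIVATE_KEY)
    return order, enc_pi, pi_at_gateway


if __name__ == "__main__":
    # constructed sample OI and PI (the card number is a placeholder string)
    OI = b"order=1234;item=textbook;amount=45.00"
    PI = b"card=TESTPAN0001;exp=12/27;amount=45.00"
    order, enc_pi, pi = run_transaction(OI, PI)
    print(order)            # merchant sees the order details ...
    print(enc_pi.hex())     # ... and only ciphertext for the payment details
    print(pi)               # the gateway recovers the original PI
```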
Important points
[Figure: the merchant forwards Eks(PI) and Ekupg(KS) to the payment gateway]
Purchase Request:
Step-I: Initiate Request
1. Card Holder → Merchant: Please send me your digital certificate and that of the payment gateway.
2. Card Holder → Merchant: Here is my unique ID to identify our interaction, and here is my credit card's issuer number.
Step-II: Initiate Response
Merchant → Card Holder: Here is my transaction ID and the digital certificates of the payment gateway and myself.
Step-III: Purchase Request
OI - Order information
PI - Purchase Information
Card Holder → Merchant: Here are my OI and PI details along with the digital envelope: OI + E(PI) + E(SK)
Step-IV: Purchase Response
II. Payment authorization
This process ensures that the issuer of the card approves the
transaction.
Merchant → Payment Gateway:
1. Purchase information
2. Authorization information
3. Card holder's and my certificate
[Figure: authorization response from the payment gateway to the merchant]
III. Payment Capture
Step-I: Capture request: the merchant generates, signs and
encrypts a capture request block that includes the payment
amount and transaction ID in encrypted format
Merchant → Payment Gateway:
1. Need payment for purchase
2. Transaction ID
3. Amount token
4. My digital certificate
Fig: Capture request for payment
Step-II: Capture response:
Payment Gateway → Merchant:
1. Payment authorized
2. Details of payment
3. Digital signature of PG
Fig: Capture response
Advantages
• Extremely secure
– Fraud reduced since all parties are
authenticated
– Requires all parties to have certificates
Problems with SET
Electronic Money
E-Cash
Requirements for e-payments
• Atomicity
– Money is not lost or created during a
transfer
• Good atomicity
– Money and good are exchanged atomically
• Non-repudiation
– No party can deny its role in the transaction
– Digital signatures
Desirable Properties of E-Cash
• Universally accepted
• Transferable electronically
• Non-forgeable, non-stealable
• Private (no one except parties know the amount)
• Anonymous (no one can identify the payer)
• Work off-line (no on-line verification needed)
Types of E-payments
• E-cash
• Electronic wallets
• Smart card
• Credit card
E-cash Concept
[Figure: Consumer, Merchant and Bank exchanging e-cash in the numbered steps below]
1. Consumer buys e-cash from Bank
2. Bank sends e-cash bits to consumer (after charging that amount plus fee)
3. Consumer sends e-cash to merchant
4. Merchant checks with Bank that e-cash is valid (check for forgery or fraud)
5. Bank verifies that e-cash is valid
6. Parties complete transaction: e.g., merchant presents e-cash to issuing bank for deposit once goods or services are delivered
Obtaining e-money from Bank
[Figure: Customer ↔ Bank]
- Customer opens an account with the bank
- When he needs money he sends an e-mail demanding money, in encrypted format
- Bank authenticates the message and debits the customer's account
- Bank sends the money as a computer file to the customer; this file is also encrypted
Making Purchase using E-money
[Figure: Customer ↔ Merchant]
- When the customer wants to purchase
- He sends the necessary file to the merchant in encrypted format
Merchant paid from Bank
Security Mechanism in E-Money
[Figure: Original Message ($454545) → Encrypt with bank's private key → Encrypt with customer's public key → Twice Encrypted data (^^`A)]
Fig: Bank sends Electronic Money to the customer after encrypting it twice
Customer receives money and
decrypts it
[Figure: Customer: Twice Encrypted data (^^`A) → Decrypt → Decrypt → Original Message ($454545)]
Electronic Cash Issues
• E-cash must allow spending only once
• Must be anonymous, just like regular currency
– Safeguards must be in place to prevent
counterfeiting
– Must be independent and freely
transferable regardless of nationality or
storage mechanism
• Divisibility and Convenience
• Complex transaction (checking with Bank)
– Atomicity problem
Advantages and Disadvantages of
Electronic Cash
• Advantages
– More efficient, eventually meaning lower prices
– Lower transaction costs
– Anybody can use it, unlike credit cards, and does
not require special authorization
• Disadvantages
– Tax trail non-existent, like regular cash
– Money laundering
– Susceptible to forgery
Electronic Cash Security
Past and Present E-cash Systems
• Checkfree
– Allows payment with online electronic checks
• Clickshare
– Designed for magazine and newspaper publishers
– Miscast as a micropayment only system; only one
of its features
– Purchases are billed to a user’s ISP, who in turn bills
the customer
Past and Present E-cash Systems
• CyberCash
– Combines features from cash and checks
– Offers credit card, micropayment, and check
payment services
– Connects merchants directly with credit card
processors to provide authorizations for
transactions in real time
• CyberCoins
– Stored in CyberCash wallet, a software storage
mechanism located on customer’s computer
– Used to make purchases between $0.25 and $10
Past and Present E-cash Systems
• DigiCash
– Trailblazer in e-cash
– Allowed customers to purchase goods and services
using anonymous electronic cash
• Coin.Net
– Electronic tokens stored on a customer’s computer
are used to make purchases
– Works by installing a special plug-in into a customer’s
web browser
– Merchants do not need special software to accept
eCoins.
Past and Present E-cash Systems
• MilliCent
– Developed by Digital, now part of Compaq
– Electronic scrip system
– Participating merchant creates and sells own scrip
to broker at a discount
• Consumers register with broker and buy bulk
generic scrip, usually with credit card
• Customers buy by converting broker scrip to
vendor-specific scrip, i.e. scrip that a particular
merchant will accept
– Customers can purchase items of very low value
Electronic Wallets
An Electronic Checkout Counter Form
Electronic Wallets
• Agile Wallet
– Developed by CyberCash
– Allows customers to enter credit card and
identifying information once, stored on a central
server
– Information pops up in supported merchants’
payment pages, allowing one-click payment
• eWallet
– Developed by Launchpad Technologies
– Free wallet software that stores credit card and
personal information on users’ computer, not on a
central server; info is dragged into payment form
from eWallet
Electronic Wallets
• Microsoft Wallet
– Comes pre-installed in Internet Explorer 4.0,
but not in Netscape
– All information is encrypted and password
protected
– Microsoft Wallet Merchant directory shows
merchants set up to accept Microsoft Wallet
Entering Information Into Microsoft Wallet
Smart Cards
• Magnetic stripe
– 140 bytes
• Memory cards
– 1-4 KB memory, no processor
• Optical memory cards
– 4 megabytes read-only (CD-like)
• Microprocessor cards
– Embedded microprocessor
• (OLD) 8-bit processor, 16 KB ROM, 512
bytes RAM
• Equivalent power to IBM XT PC
• 32-bit processors now available
Smart Cards
• Plastic card containing an embedded microchip
• Available for over 10 years
• So far not successful in U.S., but popular in Europe,
Australia, and Japan
• Unsuccessful in U.S. partly because few card readers
available
• Smart cards are gradually reappearing; success depends
on:
– Critical mass of smart cards that support
applications
– Compatibility between smart cards, card-reader
devices, and applications
Smart Card Applications
• Ticketless travel
– Seoul bus system: 4M cards, 1B transactions
since 1996
– Planned the SF Bay Area system
• Authentication, ID
• Medical records
• Ecash
• Store loyalty programs
• Personal profiles
• Government
– Licenses
• Mall parking
Advantages of Smart Cards
• Advantages:
1. Atomic, debt-free transactions
2. Feasible for very small transactions
(information commerce)
3. (Potentially) anonymous
4. Security of physical storage
5. (Potentially) currency-neutral
Disadvantages of Smart Cards
• Disadvantages:
1. Low maximum transaction limit (not suitable
for B2B or most B2C)
2. High infrastructure costs (not suitable for
C2C)
3. Single physical point of failure (the card)
4. Not (yet) widely used
Mondex Smart Card
Mondex transaction
• Placing the card in a Mondex terminal starts the
transaction process:
1. Information from the customer's chip is validated by
the merchant's chip. Similarly, the merchant's card
is validated by the customer's card.
2. The merchant's card requests payment and
transmits a "digital signature" with the request. Both
cards check the authenticity of each other's
message. The customer's card checks the digital
signature and, if satisfied, sends acknowledgement,
again with a digital signature.
Credit Cards
• Credit card
– Used for the majority of Internet purchases
– Has a preset spending limit
– Currently most convenient method
– Most expensive e-payment mechanism
• MasterCard: $0.29 + 2% of transaction value
– Disadvantages
• Does not work for small amount (too expensive)
• Does not work for large amount (too expensive)
• Charge card
– No spending limit
– Entire amount charged due at end of billing period
Payment Acceptance and Processing
Processing a Payment Card Order
Credit Card Processing
SOURCE: PAYMENT
PROCESSING INC.