Table of contents:
- Introduction
- How Online Payment Processing Works
- Technologies used for online payment security
- Technologies used by PayPal
- Security Flaws
- Conclusion
Introduction:
Technology is the basis of our lives. Because of the fast evolution of technology, we depend on it every day. Many people use the internet and computers to do their everyday tasks, such as checking their e-mail, paying their bills, and buying and selling goods and services. The growth of the internet has made it easy for consumers to find the items they want to buy, but cash is no longer a viable way to pay for them. This increase in e-commerce has driven the need to create online payment systems. Many online payment systems exist today; of them, PayPal is probably the most popular. PayPal is an account-based system that allows anyone with an e-mail address to securely send and receive online payments using a credit card or a bank account number. Today many websites accept PayPal as a method of online payment. PayPal uses the Secure Sockets Layer (SSL) protocol to encrypt data and increase security.
How Online Payment Processing Works:
Institutions involved:
Customer
Issuing Bank: The institution providing the customer's credit card.
Acquiring Bank: Provides the internet merchant accounts required to enable online card authorization and payment processing.
Credit Card Associations: Financial institutions that provide credit card services in concert with credit card associations such as Visa and MasterCard.
Processor: A large data centre that processes credit card transactions and settles funds for merchants. A processor can be either a bank or a company dedicated to providing these services.
Settlement: Processing authorized transactions to settle funds into a merchant's account.
Payment Processing Service: A service that connects the merchants, customers and banks involved in online transactions. It is sometimes referred to as the payment gateway.
4. The processor routes the information to the bank that issued the customer's credit card.
5. The issuing bank sends an authorization (or a declination) to the processor.
6. The processor routes the transaction results to the payment processing service.
7. The processing service sends the results to the merchant.
8. The merchant decides to accept or reject the purchase.
Next step: Payment Processing Settlement. Once the merchant has shipped the physical product or authorized the download of digital content, the merchant may request that the payment processing service settle the transaction. During settlement, funds are transferred from the customer's account to the merchant's bank account, as illustrated below.
1. The merchant instructs the payment processing service to settle the transactions.
2. The payment processing service sends the transactions to the processor.
3. The processor checks the information and forwards the settled transaction information to the card association and the card-issuing bank.
4. Transactions are settled with the card issuers and funds move between the acquiring bank and the issuing bank. Funds received for these transactions are sent to the merchant's bank account.
5. The acquiring bank credits the merchant's bank account.
6. The issuing bank includes the merchant's charge on the customer's credit card account.
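The authorization and settlement steps above can be followed more easily as a small model in which each party is an object and the processor keeps a state per transaction. This is an added example, not code from the paper or from any payment network: the card number, credit limit, transaction id and response strings are constructed, and the split between a hold placed at authorization and funds moving only at settlement is the model's own design.

```python
"""Toy model of card authorization and settlement.

Added example, not taken from the paper: the parties and the order of
messages follow the authorization steps (4-8) and the settlement steps (1-6)
above; the card number, the credit limit, the transaction id and the
response strings are constructed for the demonstration.
"""
from dataclasses import dataclass, field


@dataclass
class IssuingBank:
    """Holds the customer's card accounts. Authorization reserves the amount;
    settlement turns that hold into a posted charge."""
    limits: dict                                  # card -> available credit
    holds: dict = field(default_factory=dict)     # txn_id -> (card, amount)
    posted: list = field(default_factory=list)    # (card, amount) once settled

    def authorize(self, txn_id, card, amount):
        if card not in self.limits or self.limits[card] < amount:
            return "DECLINED"
        self.limits[card] -= amount               # reserve the funds
        self.holds[txn_id] = (card, amount)
        return "APPROVED"

    def settle(self, txn_id):
        card, amount = self.holds.pop(txn_id)     # KeyError if never authorized
        self.posted.append((card, amount))
        return amount


@dataclass
class AcquiringBank:
    """Merchant-side bank: credited only at settlement, never at authorization."""
    merchant_balance: int = 0


class Processor:
    """Routes messages between the payment processing service and the banks
    and remembers each transaction's state."""

    def __init__(self, issuer, acquirer):
        self.issuer, self.acquirer = issuer, acquirer
        self.state = {}                           # txn_id -> AUTHORIZED | SETTLED | DECLINED

    def authorize(self, txn_id, card, amount):
        result = self.issuer.authorize(txn_id, card, amount)   # steps 4-5
        self.state[txn_id] = "AUTHORIZED" if result == "APPROVED" else "DECLINED"
        return result                                          # step 6

    def settle(self, txn_id):
        # Only an authorized, not-yet-settled transaction may be settled;
        # this is what stops the same sale from being captured twice.
        if self.state.get(txn_id) != "AUTHORIZED":
            raise ValueError(f"{txn_id}: cannot settle from state {self.state.get(txn_id)}")
        amount = self.issuer.settle(txn_id)                    # settlement steps 2-4
        self.acquirer.merchant_balance += amount               # step 5
        self.state[txn_id] = "SETTLED"
        return amount


def run_purchase(amount, card="4111-0000-0000-1111", limit=500):
    """Drive one purchase through authorization and then settlement.
    Returns (authorization result, merchant balance, customer's remaining credit)."""
    issuer = IssuingBank(limits={card: limit})
    acquirer = AcquiringBank()
    processor = Processor(issuer, acquirer)
    txn = "txn-0001"
    auth = processor.authorize(txn, card, amount)
    if auth == "APPROVED":                        # step 8: merchant accepts
        processor.settle(txn)                     # settlement step 1 onwards
    return auth, acquirer.merchant_balance, issuer.limits[card]


if __name__ == "__main__":
    print(run_purchase(120))   # ('APPROVED', 120, 380)
    print(run_purchase(900))   # ('DECLINED', 0, 500)
```

The point the model makes visible is that the merchant's bank sees no money at authorization; only the settlement request moves funds, and the processor's state table is what prevents a settled transaction from being settled again.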
Technologies used for online payment security:
SSL: SSL version 1, a test version, was quickly replaced by SSL version 2, which was the first version released to the public and was shipped with the Netscape Navigator browser. Today version 2 is still supported despite having some security problems. Later, Microsoft came out with its own version of SSL, called PCT. SSL version 3 is a complete redesign of SSL; it fixes the problems found in the previous versions and adds features.

What is the purpose of SSL? The purpose of SSL is to provide a means of secure communication between two parties. However, one party must have a certificate trusted by the other in order to help prevent man-in-the-middle attacks. SSL also supports encryption, authentication and key exchange.

How does SSL work? SSL provides a security handshake in which the client and the server exchange a brief burst of messages. In these messages they agree upon the level of security they will use, exchange digital certificates and perform other tasks. Each computer unfailingly identifies the other. It is not a problem if the client does not have a certificate, because the client is the one who is sending sensitive information. On the other hand, the server with whom the client is doing business ought to have a valid certificate. Otherwise the client cannot be certain that the commerce site actually belongs to the party it claims to be.

How is SSL implemented? A website implements SSL by using HTTPS, which stands for Hypertext Transfer Protocol over Secure Sockets Layer. This web protocol was developed by Netscape to encrypt and decrypt page requests as well as the pages returned by the web server. HTTPS uses port 443 instead of port 80, which is used for HTTP. SSL uses a key size of 40 bits for the RC4 stream encryption algorithm. This is considered a sufficient degree of encryption for commercial exchange, although the export-weakened ciphers are discussed as a weakness below. Both HTTPS and SSL support the use of X.509 digital certificates from the server. This way the client can authenticate the server if needed.
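The requirement that the server present a valid certificate only protects the user if the client actually checks it. The example below, added here and not taken from the paper, shows the two checks involved on the client side in Python: a TLS context that demands and verifies a server certificate (beside the misconfiguration that accepts any server), and the hostname matching that decides whether a certificate's DNS names cover the site the user typed. The certificate names and hostnames used are constructed for the demonstration.

```python
"""Client-side server authentication: verified TLS context and hostname matching.

Added example, not taken from the paper. It shows the two checks the text
relies on when it says the server must hold a valid certificate: the client
context must demand and verify a certificate, and the certificate must name
the host the user meant to visit. The certificate names and hostnames below
are constructed.
"""
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Require a certificate, verify its chain against the trusted CAs and
    check that it names the host; refuse SSL 2/3 and TLS 1.0/1.1."""
    ctx = ssl.create_default_context()             # CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The setting to avoid: traffic is encrypted, but to whoever answers,
    so a spoofed site presenting a self-signed certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                     # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    """True only if the context authenticates the server and its hostname."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def hostname_matches(cert_dns_names, hostname: str) -> bool:
    """Match a hostname against the DNS names in a certificate, in the style
    of RFC 6125: comparison is case-insensitive and label by label, and a
    wildcard may stand only for the whole left-most label, so '*.example.com'
    covers 'www.example.com' but not 'example.com' or 'a.b.example.com'."""
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in cert_dns_names:
        name_labels = name.lower().rstrip(".").split(".")
        if len(name_labels) != len(host_labels):
            continue
        if name_labels[0] == "*":
            if len(name_labels) < 3:               # refuse '*.com'-style names
                continue
            if name_labels[1:] == host_labels[1:]:
                return True
        elif name_labels == host_labels:
            return True
    return False


if __name__ == "__main__":
    print(context_is_safe(hardened_client_context()), context_is_safe(weak_client_context()))
    print(hostname_matches(["*.paypal.com"], "www.paypal.com"),
          hostname_matches(["*.paypal.com"], "paypal.com"))
```

Python's `ssl` module performs the hostname match itself when `check_hostname` is set; `hostname_matches` is written out here so the rule is visible, in particular that a certificate for `www.paypal.com` does not cover `www.paypal.com.attacker.example`, the kind of lookalike host the spoofing discussion later in the paper is about.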
One of SSL's strengths is its ability to help prevent some common attacks. SSL is strong against brute-force attacks because it uses 128-bit keys. The dictionary attack, which tends to be more efficient than a brute-force attack, is one in which an attacker tries every word in a dictionary as a possible password for an encrypted message. This attack is also avoidable because SSL has very large key spaces. The replay attack, which re-runs messages that were sent earlier, is prevented since SSL uses a 128-bit nonce value to indicate a unique connection. And, as mentioned earlier, the man-in-the-middle attack is prevented by using signed digital certificates to authenticate the server's public key. Despite the fact that SSL has the ability to defend against some common attacks, it still has some weaknesses. One of the weaknesses found in SSL is the brute-force attack against weak ciphers. This weakness was forced on Netscape by US export restrictions. It remains one of the most obvious weaknesses of the SSL protocol and has been broken many times.
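The replay defence described above (a fresh nonce marking each connection as unique) is easier to reason about when the receiver's logic is written out. The following is an added example, not code from the paper or from any SSL/TLS implementation: it uses HMAC-SHA256 in place of the protocol's MAC, a shared key and a message layout (nonce, payload, tag) that are constructed for the demonstration, and shows a legitimate message, the same bytes replayed, and a tampered copy.

```python
"""Nonce-based replay protection with a message authentication code.

Added example, not taken from the paper. A fresh 128-bit nonce makes every
message unique, so a recorded message re-sent later is recognised; the MAC
over nonce and payload stops the nonce or payload from being altered. The
shared key, the message format (nonce || payload || tag) and the sample
payload are constructed; HMAC-SHA256 stands in for the protocol's MAC.
"""
import hashlib
import hmac
import secrets

KEY = b"constructed-shared-secret-for-demo"   # in a real protocol: output of key exchange
NONCE_LEN = 16                                # 128 bits, as in the text
TAG_LEN = 32                                  # HMAC-SHA256 output


def seal(key: bytes, payload: bytes) -> bytes:
    """Sender side: prefix a fresh nonce and append a MAC over nonce + payload."""
    nonce = secrets.token_bytes(NONCE_LEN)
    tag = hmac.new(key, nonce + payload, hashlib.sha256).digest()
    return nonce + payload + tag


class Receiver:
    """Receiver side: verify the MAC first, then reject any nonce seen before."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen = set()                         # nonces accepted on this connection

    def open(self, message: bytes):
        """Return (status, payload); status is 'OK', 'BAD_MAC' or 'REPLAY'."""
        if len(message) < NONCE_LEN + TAG_LEN:
            return "BAD_MAC", None
        nonce, body, tag = (message[:NONCE_LEN],
                            message[NONCE_LEN:-TAG_LEN],
                            message[-TAG_LEN:])
        expected = hmac.new(self.key, nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return "BAD_MAC", None
        if nonce in self.seen:
            return "REPLAY", None
        self.seen.add(nonce)
        return "OK", body


def demo():
    """One legitimate message, its replay, and a tampered copy; returns the three statuses."""
    rx = Receiver(KEY)
    msg = seal(KEY, b"PAY merchant=shop amount=49.99")
    first = rx.open(msg)[0]
    replay = rx.open(msg)[0]                      # identical bytes captured and re-sent
    tampered = bytearray(msg)
    tampered[NONCE_LEN + 4] ^= 0x01               # flip one bit inside the payload
    forged = rx.open(bytes(tampered))[0]
    return first, replay, forged


if __name__ == "__main__":
    print(demo())   # ('OK', 'REPLAY', 'BAD_MAC')
```

Checking the MAC before consulting the replay table matters: otherwise an attacker could fill the table with garbage nonces, and the set of seen nonces is bounded by the lifetime of the connection, which is what a per-connection nonce gives you.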
Another weakness in SSL is the renegotiation of the master key. It is known that after a connection has been established, the same master key is used all the way through the connection. This could be a serious security flaw if SSL is layered underneath a long-running connection. One possible solution for this flaw is to force renegotiation of the master key at intervals. This way, the difficulty and the cost of any brute-force attack will be multiplied by the number of times that the master key has changed.

TLS: Transport Layer Security, commonly known as TLS, is based on SSL and will soon be its successor. TLS has some changes in its MAC, clearer and more precise specifications, cleaner handling of the case where there is no client certificate, and more flexibility.

SET: SET is a messaging protocol designed by Visa and MasterCard for securing credit card transactions over open networks such as the Internet. In the SET protocol, a transaction has three players: the customer, the merchant and the merchant's bank. The SET protocol has three principal features:
- All sensitive information sent between the three parties is encrypted.
- All three parties are required to authenticate themselves with certificates from the SET certificate authority.
- The merchant never sees the customer's card number in plain text.
The third feature actually makes Internet commerce more secure than traditional credit card transactions, such as paying by card in-store, over the phone, or through a mail-order form. It is also more secure than SSL. Implementing SET for e-commerce on the Internet requires SET point-of-sale client software, such as a SET electronic wallet, to be widely available to the Internet community.
Technologies used by PayPal:
SSL: According to the PayPal website, PayPal encrypts information sent to its website using SSL. It uses an encryption key that is 128 bits long, which is currently the most secure level in use today. Before proceeding, the server checks whether or not the user's browser uses SSL 3.0 or higher. PayPal also uses an electronic firewall to protect its data from the internet. Its servers are behind the firewalls and are not directly connected to the internet, in order to protect private information from unauthorized computers.
Security Flaws:
The scam was discovered in late 2002 when a group of people received the following e-mail:
This scam is dangerous because hackers obtain passwords by using false e-mail messages. Third parties hack PayPal accounts using the passwords obtained, and then log in to the accounts to steal money. They send false e-mails to PayPal users, leading them to believe that the e-mails were sent by PayPal when they were not.
Web Spoofing and Client Certificates:
In the e-mail scam shown before, the link is not a PayPal site. Although the link text shown is a PayPal address, after clicking on it the address of the page turns out to be different. This may go unnoticed by naive users because the content and images are very similar to PayPal's website. The problem arises when the user logs in to their account to prevent it from being cancelled. Since this website is not authentic, the user submits their username and password to an unknown third party. This third party is then able to store the username and password in a database and cause damage to the user's account. The use of client certificates would help stop web spoofing. However, client-side certificates are hardly used, so the practicality of this is not great. PayPal should also protect the images displayed on its website so that they cannot be saved or used by the public. This would help prevent attackers from stealing the images to create pages that mirror PayPal's appearance.
Login Attempts: PayPal's security relies heavily on user passwords. Although PayPal limits the number of login attempts, the limit seems rather high: PayPal allows ten login attempts before locking the account. While the chance of an attacker using brute force to break into an account is rather slim, the opportunity is greater than on other websites where a user is limited to three attempts. This is a very significant security issue. If an attacker is able to access a user's account, he can wreak havoc by stealing money from the user. An initial solution to this problem is to decrease the limit on login attempts. In addition, PayPal should have another layer of protection after a correct password is entered, such as a question that requires a correct answer, similar to what is done for password retrieval.
Possible Solution:
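The two measures proposed in the Login Attempts section (a lower attempt limit and an extra question after the password) can be expressed as a small login guard. The code below is an added example, not PayPal's mechanism or code from the paper: the user names, passwords, PBKDF2 parameters, lockout duration and time source are constructed for the demonstration, and `attempts_until_locked` compares the ten-attempt limit the text attributes to PayPal with the three-attempt limit it cites for other sites.

```python
"""Failed-login lockout with a second factor after the password.

Added example, not taken from the paper. It contrasts the ten-attempt limit
the text attributes to PayPal with a three-attempt limit, and adds the extra
question the text suggests as a step reached only once the password is
correct. User names, passwords, the PBKDF2 parameters, the lockout duration
and the time source are constructed for the demonstration.
"""
import hashlib
import hmac
import os
import time


class LoginGuard:
    def __init__(self, max_attempts: int, lockout_seconds: int = 900, clock=time.time):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self.users = {}          # user -> (salt, password hash, second-factor hash)
        self.failures = {}       # user -> consecutive failed attempts
        self.locked_until = {}   # user -> time at which the lock expires

    @staticmethod
    def _hash(secret: str, salt: bytes) -> bytes:
        # Iteration count kept low for the demo; production uses far more.
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)

    def register(self, user: str, password: str, answer: str) -> None:
        salt = os.urandom(16)
        self.users[user] = (salt, self._hash(password, salt), self._hash(answer.lower(), salt))

    def _fail(self, user: str, now: float):
        """Count a failure; lock the account once the limit is reached."""
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_attempts:
            self.locked_until[user] = now + self.lockout_seconds
            return "LOCKED"
        return None

    def login(self, user: str, password: str, answer: str = None) -> str:
        now = self.clock()
        if self.locked_until.get(user, 0) > now:
            return "LOCKED"
        record = self.users.get(user)
        # Hash even for unknown users so response time does not reveal which names exist.
        salt, pw_hash, sf_hash = record if record else (bytes(16), b"", b"")
        if record is None or not hmac.compare_digest(self._hash(password, salt), pw_hash):
            return self._fail(user, now) or "BAD_PASSWORD"
        if answer is None:
            return "NEED_SECOND_FACTOR"            # password right, now ask the question
        if not hmac.compare_digest(self._hash(answer.lower(), salt), sf_hash):
            return self._fail(user, now) or "BAD_SECOND_FACTOR"
        self.failures[user] = 0                    # success clears the counter
        return "OK"


def attempts_until_locked(limit: int) -> int:
    """Number of wrong passwords submitted by the time the account locks."""
    guard = LoginGuard(max_attempts=limit)
    guard.register("alice", "correct horse battery", "Rex")
    n = 0
    while True:
        n += 1
        if guard.login("alice", f"guess-{n}") == "LOCKED":
            return n


if __name__ == "__main__":
    print(attempts_until_locked(10), attempts_until_locked(3))   # 10 3
```

A wrong answer to the extra question counts towards the same lockout as a wrong password; otherwise an attacker who has obtained the password through the e-mail scam described above could guess the answer without limit.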
Another solution that would help with online payment security requires the user to be alert at all times. One way to prevent thieves from stealing is to never trust any e-mail that appears to come from PayPal, and never click on a link in an e-mail that would take you directly to PayPal. Instead of clicking on the link, it is better to go to the website by typing its URL. It is also a good idea to make sure that the URL entered contains https://.
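The habits recommended in the Web Spoofing and Possible Solution sections (the link text and the real destination must agree, and the destination must be an HTTPS address on the genuine domain) can also be applied mechanically to the links in a suspicious e-mail. The following is an added example, not code from the paper or from PayPal: it parses the anchors out of an HTML message body and reports each of those findings, and the sample messages, including the lookalike host `paypal.com.attacker.example`, are constructed.

```python
"""Checking the links in a suspicious e-mail.

Added example, not taken from the paper. Three findings are reported per
link: the destination is not HTTPS, the destination host is not the trusted
domain or one of its subdomains (a lookalike such as
'paypal.com.attacker.example' is neither), and the visible link text names
a different host than the one the link really points to. The sample HTML
snippets are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = "paypal.com"   # the domain the user actually intends to visit

# Constructed sample messages: one in the style of the scam described above, one genuine.
PHISH = ('<p>Your account will be cancelled. Click '
         '<a href="http://paypal.com.attacker.example/login">https://www.paypal.com/login</a>'
         ' now.</p>')
LEGIT = '<p>Visit <a href="https://www.paypal.com/">PayPal</a>.</p>'


def host_of(text: str):
    """Hostname named by a piece of text if it looks like a URL or domain, else None."""
    text = text.strip()
    if "://" not in text:
        if " " in text or "." not in text:        # plain words such as 'PayPal'
            return None
        text = "https://" + text
    return (urlparse(text).hostname or "").lower() or None


def on_trusted_domain(host: str, trusted: str = TRUSTED) -> bool:
    """Exact domain or a subdomain of it; matching must anchor at the right-hand end."""
    return host == trusted or host.endswith("." + trusted)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def assess_link(href: str, text: str, trusted: str = TRUSTED) -> list:
    """Problems found with one link; an empty list means no finding."""
    problems = []
    target = urlparse(href)
    host = (target.hostname or "").lower()
    if target.scheme != "https":
        problems.append("not https")
    if not on_trusted_domain(host, trusted):
        problems.append(f"destination host {host!r} is not {trusted}")
    shown = host_of(text)
    if shown and shown != host:
        problems.append(f"link text shows {shown!r} but points to {host!r}")
    return problems


def assess_email(html: str, trusted: str = TRUSTED) -> dict:
    """Map every link in the message body to its list of problems."""
    parser = LinkCollector()
    parser.feed(html)
    return {href: assess_link(href, text, trusted) for href, text in parser.links}


if __name__ == "__main__":
    for href, problems in assess_email(PHISH).items():
        print(href, problems)
    print(assess_email(LEGIT))
```

The domain check deliberately compares whole labels from the right: `paypal.com.attacker.example` contains the trusted name but is a host under `attacker.example`, which is exactly how the spoofed page in the scam can look right to a user who only glances at the start of the address bar.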
Digital Signature: A digital signature is a digital code attached to a message that is to be sent electronically. The digital code identifies the sender of the electronic message. Digital signature technology is a way to prove that the sender of an electronic message is really who he claims to be. Thus it is really important that digital signatures are protected and unbreakable.

Conclusion: Technology has inarguably made our lives easier. It has cut across distance, space and even time. One of the technological innovations in banking, finance and commerce is electronic online payment. Online payment refers to the technological breakthrough that enables us to perform financial transactions electronically, thus avoiding long lines and other hassles. Online payment gives individuals greater freedom to pay their taxes, licences, fees, fines and purchases at unconventional locations and at any time of the day, 365 days a year. On the basis of the present study, the first remark is that despite the existence of a variety of e-commerce payment systems, credit cards are the most dominant payment system. This is a consequence of their advantageous characteristics, most importantly the long-established networks and very wide user base.