NS3-Electronic Payment Systems

The document discusses electronic payment systems and security. It provides an overview of electronic payment concepts and systems, including e-payment security and payment security services. It also describes typical e-payment transactions using credit cards and electronic money.


Network Security
Van K Nguyen - HUT

Electronic Payment Systems: Overview


Agenda
- Electronic commerce concepts
- Electronic payment systems overview
- E-payment security
- Payment security services

Material in this twin lecture is based on the book "Security Fundamentals for Electronic Commerce" by Vesna Hassler (Artech House, 2001; Pedrick Moore, technical editor).
Electronic commerce & secure transactions
- E-commerce can be defined as any transaction involving some exchange of value over a communication network
  - Business-to-business transactions, such as EDI (electronic data interchange)
    - usually referred to as e-business
  - Customer-to-business transactions, such as online shops on the Web
    - customer-to-bank transactions are referred to as e-banking
  - Customer-to-customer transactions, such as transfers between e-wallets
  - Customers/businesses-to-public administration transactions, such as filing of electronic tax returns
    - usually referred to as e-government
- Here we focus on customer-to-business transactions
  - i.e., on the electronic payment systems that provide a secure way to exchange value between customers and businesses

Information Security by Van K Nguyen


Sep 2010 Hanoi University of Technology 3
Electronic Payment Systems
- E-payment systems evolved from traditional payment systems
  - Both have much in common
  - But e-payment systems are much more powerful, because of the advanced security techniques that have no analogs in traditional payment systems
- An e-payment system denotes any kind of network service that provides the exchange of money for goods or services:
  - physical goods: books, CDs ...
  - electronic goods: e-documents, images, or music files
  - traditional services: hotel or flight booking
  - e-services, such as financial market analyses in electronic form
A typical e-payment system
- The provider runs a payment gateway
  - reachable from the public network (Internet) and from a private interbank clearing network
  - serves as an intermediary between the traditional payment infrastructure and the e-payment infrastructure
- To participate, a customer and a merchant must
  - be able to access the Internet
  - register with the corresponding payment service provider
  - each have a bank account at a bank that is connected to the clearing network
- The customer's bank is usually referred to as the issuer bank
  - The term issuer bank denotes the bank that actually issued the payment instrument (e.g., debit or credit card) that the customer uses for payment
- The acquirer bank acquires payment records (i.e., paper charge slips or e-data) from the merchants
A typical e-payment system (continued)
- On purchase of goods/services, the customer C pays a certain amount of money to the merchant M with a debit/credit card
- Before supplying the goods/services, M asks the gateway G to authorize C and his payment instrument (card number, ...)
  - G contacts the issuer bank to check
  - If all is fine, the money is withdrawn (or debited) from C's account and deposited in (or credited to) M's account
  - G notifies M of the successful payment, and M supplies the ordered items to C
- In some cases, e.g. for low-cost services, delivery can be made before the actual payment authorization/transaction
Off-line vs. on-line
- Off-line systems: no current connection from the customer/merchant to their respective banks
  - M can't authorize C with the issuer bank
  - Also, it is difficult to prevent C from spending more money than he actually possesses
  - Hence most proposed Internet payment systems are on-line
- On-line systems:
  - Require the on-line presence of an authorization server, which can be a part of the issuer or the acquirer bank
  - Require more communication, but are more secure than off-line systems
- However, off-line operation is still possible, e.g. in some e-cash systems
  - using special strong cryptographic tools
Debit-based vs. credit-based systems
- In a credit-based payment system (e.g., credit cards) the charges are posted to the payer's account
  - The payer later pays the accumulated amounts to the payment service
- In a debit-based payment system
  - e.g., debit cards, checks
  - the payer's account is debited immediately, that is, as soon as the transaction is processed
Micro vs. macro
- Macro-payment: relatively large amounts of money can be exchanged
- Micropayment system: small payments
  - e.g., up to 5 euros
- The order of magnitude plays a significant role in the design of a system and its security policies
  - It makes no sense to implement expensive security protocols to protect e-coins of low value
  - In such a case, the system should instead prevent large-scale attacks in which huge numbers of coins can be forged or stolen
Payment instruments
- Traditional payment instruments
  - Paper money, credit cards and checks
- E-payment systems introduced new instruments:
  - electronic money (also called digital money)
  - electronic checks
- Two main groups of instruments
  - cash-like: money is taken from the account before payment
    - the payer withdraws a certain amount of money (e.g., paper money, electronic money) from his account
  - check-like: money is taken from the account after payment
    - the payer sends a payment order to the payee; the money is then withdrawn from the payer's account and deposited into the payee's
    - The payment order can be paper (e.g., a bank-transfer slip) or an e-document (e.g., an e-check)
Payment using credit cards
- The most popular e-payment instrument
  - The first credit cards were introduced decades ago (Diner's Club in 1949, American Express in 1958)
- Material
  - For a long time, most were cards with magnetic stripes containing unencrypted, read-only information
  - Now, many are smart cards containing hardware devices (chips) offering encryption and far greater storage capacity
  - Recently even virtual credit cards (software electronic wallets), such as the one by Trintech Cable & Wireless
Typical credit card transaction
(1) C sends M the credit card info (i.e., issuer, expiry date, number)
(2) M asks the acquirer bank A for authorization
(3) A checks with the issuer bank I; A then notifies M if approved
(4) M sends the ordered goods/services to C
(5a) M presents the charge (or a batch of several transactions) to A
Typical credit card transaction (continued)
(6) Settlement:
  - A sends a settlement request to I; I places the money into an interbank settlement account and charges the amount of sale to C's credit card account
(7) Notification:
  - At regular intervals (e.g., monthly) I notifies C of the transactions and their accumulated charge
  - C pays the charges by some other means (e.g., direct debit order, bank transfer, check)
(5b) A has obtained the amount of sale from the interbank settlement account and credited M's account
Using credit cards: security problems
- Generally, fraudulent use of credit card numbers stems from
  - eavesdroppers
  - dishonest merchants
- Credit card numbers can be protected against
  - eavesdroppers alone by encryption, e.g. using SSL
  - dishonest merchants alone by using pseudonyms for credit card numbers
  - both eavesdroppers and dishonest merchants by encryption and dual signatures
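The dual-signature construction named in the last bullet, as an added example that is not from the lecture or the book: the customer signs once over the concatenated hashes of the order information (OI) and the payment information (PI), so the merchant can verify the order without ever seeing the card number, and the bank can verify the payment without seeing the purchase details. The RSA key built from two Mersenne primes is a constructed toy stand-in for a real key pair, and the sample order and card record are constructed.

```python
import hashlib

# Toy textbook RSA key pair for the customer. Assumption: two Mersenne primes
# stand in for a real key; this is NOT a secure key, it only lets the
# signatures be verified offline in a self-contained example.
P, Q = 2**127 - 1, 2**521 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def h(data: bytes) -> bytes:
    """SHA-256 digest used for every hash in the dual signature."""
    return hashlib.sha256(data).digest()

def sign(digest: bytes) -> int:
    """Customer signs a 32-byte digest with the private exponent D."""
    return pow(int.from_bytes(digest, "big"), D, N)

def verify(digest: bytes, sig: int) -> bool:
    """Merchant or bank checks a signature with the public key (E, N)."""
    return pow(sig, E, N) == int.from_bytes(digest, "big")

def make_dual_signature(order_info: bytes, payment_info: bytes) -> dict:
    """Customer side: one signature over H(H(OI) || H(PI)), split into two views.
    The merchant receives OI plus only H(PI), so it never sees the card number;
    the bank receives PI plus only H(OI), so it never sees the purchase details.
    (In SET the PI sent to the bank is also encrypted; that step is omitted.)"""
    h_oi, h_pi = h(order_info), h(payment_info)
    ds = sign(h(h_oi + h_pi))
    return {
        "for_merchant": {"oi": order_info, "h_pi": h_pi, "ds": ds},
        "for_bank": {"pi": payment_info, "h_oi": h_oi, "ds": ds},
    }

def merchant_verifies(msg: dict) -> bool:
    """Merchant recomputes H(OI) and checks that the signature binds it to H(PI)."""
    return verify(h(h(msg["oi"]) + msg["h_pi"]), msg["ds"])

def bank_verifies(msg: dict) -> bool:
    """Bank recomputes H(PI) and checks that the same signature covers H(OI)."""
    return verify(h(msg["h_oi"] + h(msg["pi"])), msg["ds"])

# Constructed sample data (not from the lecture): an order and a card-based payment record.
ORDER = b"order=123;item=book;amount=25.00;currency=EUR"
PAYMENT = b"card=4111111111111111;expiry=12/29;amount=25.00"
```

Changing a single byte of OI or PI on either side invalidates the one shared signature, which is what stops a merchant from altering the order it was paid for or the bank from being shown a different amount.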
Electronic money
- Electronic representation of traditional money
  - A unit of e-money is usually referred to as an e-coin or digital coin
  - Digital coins are "minted", i.e., generated by brokers
- If C wants to buy digital coins
  - C contacts a broker B and orders a certain amount of coins
  - C pays with "real" money
  - C can make purchases from any M that accepts the coins of that B
  - M redeems at B the coins obtained from all customers
  - B takes back the coins and credits M's account with real money
- Typical electronic money transaction
  - the issuer bank can be the broker at the same time
  - C and M must each have a current or checking account
  - The checking account is the transitional form between real money and e-money
Typical e-money transaction
(0) Coin withdrawal: C buys coins and his checking account is debited
(1) C uses the digital coins to purchase on the Internet
(2) M sends C the goods or services
  - Since digital coins are often used to buy low-value services or goods, M usually fills C's order before or even without payment authorization
(3) Redemption: M then sends a redemption request to the acquirer bank
(4) Settlement: Using a similar interbank settlement mechanism, the acquirer bank redeems the coins at the issuer bank and credits M's account with the equivalent amount
Electronic checks
- Electronic equivalents of traditional paper checks
- An e-document that shows the following:
  - Check number
  - Payer's name
  - Payer's account number and bank name
  - Payee's name
  - Amount to be paid
  - Currency unit used
  - Expiration date
  - Payer's electronic signature
  - Payee's electronic endorsement
Typical e-check transaction
(1) C orders goods/services and M sends back an e-invoice
(2) As payment, C sends an electronically signed e-check
  - E-signature is a general term that includes, among other things, digital signatures based on public-key cryptography (PKC)
(3) As with paper checks, M endorses the check
(4) Settlement: The issuer and the acquirer banks arrange the transfer of the amount of sale from C's account to M's account
(5) Shipping/delivery
Electronic wallets
- Stored-value software or hardware devices
  - loaded with a specific value
    - by increasing a currency counter
    - by storing bit strings representing e-coins
- Current trend: using smart card technology
  - CAFE project (Conditional Access for Europe, funded under the European Community's ESPRIT program)
    - a small portable computer with an internal power source
    - a smart card
  - Electronic money can be loaded on-line
  - point-of-sale (POS) terminals
Smart card technology
- Plastic card with embedded microprocessor and memory
  - used as either a credit card
  - or as storage of electronic money or an electronic check device
  - or a combination
- Smart card-based electronic wallets
  - reloadable stored-value (prepaid) cards, for small payments
  - The owner's account is debited beforehand
  - The owner can load the card at an ATM
  - Shops have corresponding card readers at the cash register
- Examples
  - Austrian Quick and Belgian Proton systems
  - SET (Secure Electronic Transactions), an open specification for secure credit card transactions over open networks
Electronic Payment Security
- The security problems of traditional payment systems
  - Money can be counterfeited
  - Signatures can be forged
  - Checks can bounce
- Electronic payment systems have the same problems and further:
  - Digital documents can be copied perfectly and arbitrarily often
  - Digital signatures can be produced by anybody who knows the private key
  - A payer's identity can be associated with every payment transaction
Electronic Payment Security (continued)
- E-commerce cannot be widespread without additional security measures which enable e-payment systems
- A properly designed e-payment system can provide better security than traditional payment systems
- Three types of adversaries can be encountered:
  - Outsiders eavesdropping and misusing the eavesdropped data (e.g., credit card numbers)
  - Malicious attackers sending forged messages to authorized users
    - to cause abnormal system functioning
    - or to steal the assets exchanged (e.g., goods, money)
  - Dishonest users trying to obtain and misuse unauthorized payment transaction data
Basic security requirements for e-payment systems
- Payment authentication
  - Both payers and payees must prove their payment identities
  - This does not necessarily imply that a payer's identity is revealed (e.g., if anonymity is required)
- Payment integrity
  - Payment transaction data cannot be modified by unauthorized principals
- Payment authorization
  - Ensures that no money can be taken from a customer's account or smart card without his explicit permission
- Payment confidentiality
Payment Security Services
- Satisfying the security requirements of an e-payment system takes more than just communications security services
  - a payment system may have conflicting security requirements
    - E.g. it wants anonymity for digital coins, but requires identification of double-spenders
  - an e-payment system for high-value transactions needs a more elaborate (so more expensive) security policy than a micropayment system
- Payment security services fall into three main groups depending on the payment instrument used
(Payment) transaction security services
- User anonymity
  - protects against disclosure of a user's identity in a network transaction
- Location untraceability
  - protects against disclosure of where a payment transaction originated
- Payer anonymity
  - protects against disclosure of a payer's identity in a transaction
- Payment transaction untraceability
  - protects against linking of two different transactions of the same customer
- Confidentiality of payment transaction data
  - selectively protects against disclosure of specific parts of transaction data to selected principals from the group of authorized principals
- Nonrepudiation of payment transaction messages
  - protects against denial of the origin of transaction messages
- Freshness of payment transaction messages
  - protects against replaying of payment transaction messages
Digital money security
- Protection against double spending
  - prevents multiple use of electronic coins
- Protection against forging of coins
  - prevents production of fake digital coins by an unauthorized principal
- Protection against stealing of coins
  - prevents spending of digital coins by unauthorized principals
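An added example (not part of the lecture) of the on-line checks behind the first two services above, for the broker model from the earlier "Electronic money" slide: a broker that mints coins and accepts each serial for redemption exactly once. Assumptions: the same broker both mints and redeems, so an HMAC under its own secret key is used as the unforgeability check instead of a public-key signature; the key and coin values are constructed, and protection against stealing (e.g., encrypting coins in transit) is outside this snippet.

```python
import hmac
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Coin:
    serial: str  # unique identifier chosen by the broker at minting time
    value: int   # denomination in cents
    tag: str     # broker's authentication tag over (serial, value)

class Broker:
    """On-line broker that both mints and redeems coins.
    Assumption: because the same party mints and redeems, an HMAC under the
    broker's secret key is enough to detect coins it did not issue; a design
    where merchants verify coins themselves would need a public-key signature."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._spent = set()  # serials that have already been redeemed

    def _tag(self, serial: str, value: int) -> str:
        msg = f"{serial}:{value}".encode()
        return hmac.new(self._key, msg, "sha256").hexdigest()

    def mint(self, value: int) -> Coin:
        """Withdrawal step: issue a fresh coin (debiting the account happens elsewhere)."""
        serial = secrets.token_hex(16)  # 128-bit random serial; collisions are negligible
        return Coin(serial, value, self._tag(serial, value))

    def redeem(self, coin: Coin) -> str:
        """Redemption step: returns 'ok', 'forged' or 'double-spent'."""
        # Forging protection: the tag must match, compared in constant time.
        if not hmac.compare_digest(coin.tag, self._tag(coin.serial, coin.value)):
            return "forged"
        # Double-spending protection: each serial is accepted exactly once.
        if coin.serial in self._spent:
            return "double-spent"
        self._spent.add(coin.serial)
        return "ok"

def demo() -> list:
    """Constructed scenario: one honest redemption, one replay, one altered value."""
    broker = Broker(b"constructed-broker-secret")  # constructed key, not a real one
    coin = broker.mint(500)
    return [
        broker.redeem(coin),                                # "ok"
        broker.redeem(coin),                                # "double-spent"
        broker.redeem(Coin(coin.serial, 50000, coin.tag)),  # "forged"
    ]
```

Because the tag covers both serial and value, raising a coin's denomination is detected as a forgery rather than silently credited; the spent set is what turns a perfectly copyable bit string into a single-use instrument.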
E-check security
- The third group of services is based on the techniques specific to payment systems using electronic checks as payment instruments. There is an additional service typical of electronic checks:
  - Payment authorization transfer (proxy): makes possible the transfer of payment authorization from an authorized principal to another principal selected by the authorized principal