L8 (Epayment)

Bachelor of Computer Science
SCS2214 - Information System Security
Handout 8 - ePayment Protocols
Kasun de Zoysa
[email protected]
UNIVERSITY OF COLOMBO SCHOOL OF COMPUTING

Characteristics of Payments
Properties :
•where is the money (authorization)
•time of payment vs. time of order/shopping
Characteristics of payment methods :

Money Time
Type
Cashof payment with Customer at Purchase
Debit card in Bank at Purchase
Credit card in Bank after Purchase
Invoice in Bank after Purchase
Pre-paid with Merchant before Purchase
Subscription with Merchant before Purchase
Information Security Friday, January 15, 2021 2

Internet transactions
Type of payment Money Time

Cash with Customer at Purchase
download deposit
Bank
store
transfer
Customer Merchant

Internet Transactions
Money Time
payment
Bank
authorization
authorization
Customer Merchant
Internet Transactions
Type of payment Money Time

payment
Bank
Authorization/payment
Customer Merchant

Types of Digital Payments
Characteristics :
– where is the money (authorization)
– time of payment vs. time of order
Types of digital payments :
1. Digital cash
2. Stored money (micropayments)
3. eCheck
4. eMoney order
5. Debit payment
6. Credit payment
7. Invoice / payment order
8. At delivery (pay-per-view)
9. Subscription

Digital cash
010110101101010111010110101
011010110101011010110101011
010101101010110111101011111
011010000000110101010110101
Since digital cash is represented by data, it is

easily replicated. How do we prevent:
– Counterfeiting?
– Multiple spending?

What is a digital cash token?
Unique identifier
Bit
Value attribute Prevents
string
spending more
Bank digital signature than once
Prevents
counterfeiting

Digital cash must be deposited
Hard currency Digital cash
Consumer wallet Consumer

smartcard
Merchant Merchant
Withdraw
as new
digital cash
Spend Deposit Deposit

Possible characteristics of digital cash
• Anonymity of consumer
– Merchant knows who paid, but that information is
not inherent to the digital cash itself
– Financial institution knows what merchant
deposited
• Attribution of cheating
– Double spending
• Authorized traces

Spending anonymity
Create $$,
including identifier
Repeat n times
Cut and choose one Blind

signature
If the consumer’s software creates the digital

cash, and the bank signs it blindly, the bank
will not see the identifier. The cut and choose
protocol assures the bank the $$ is proper.

What is a Blind Signature?
Blind signature scheme is a protocol that allows the

provider to obtain a valid signature for a message m
from the signer without him seeing the message
and its signature.

Blind signature analogy
Consumer gets bank to sign cash

Carbon token without observing contents
Token
$$ $$
Remove token
Present to
from envelope
Put token and carbon bank for
in envelope embossing

Cut and choose protocol
$$ Randomly
$$
$$ $$ choose one,
$$
$$ check others
$$ Blind
signature
Although the bank can’t see what it is

signing, with the cut and choose the
incentive for the consumer is to generate
legitimate instances of digital cash.

eCheck
What are electronic checks?

•Checks, without the paper
•Bank payments, secure enough for the Internet
•Digitally signed promises to pay
Significance
•New payment alternative for business commerce
•It’s real, and working today
•It’s interoperable, with multiple providers
•It fits and enhances existing business practices
•It extends checking into the 21st century

eCheck

Electronic credit and debit
• Standard authentication, confdentiality,

and non-repudiation techniques can be
used
– Asymmetric encryption and certifcates
• Framework must take into account
different institutions involved
• Example: Secure Electronic
Transactions (SET) of Visa/Mastercard

Risk in using Credit cards
• Customer uses a stolen card or account number

to fraudulently purchase goods or service online
• Family members use bankcard to order goods/

services online, but have not been authorized to
do so.
• Customer falsely claims that he or she did not

receive a shipment
• Hackers fnd the ways into an e-commerce

merchant’s payment processing system and
then issue credits to hacker card account
numbers.

Risk in using Credit cards
Extra protection when there's no card

Card-not-present (CNP) merchants must take extra precaution against
fraud exposure and associated losses. Anonymous scam artists bet on the
fact that many Visa fraud prevention features do not apply in this
environment. Follow these recommendations to help prevent fraud in your
card-not-present transactions.
Quick steps to ensure against CNP fraud

Obtain an authorization.
Verify the card's legitimacy:
Ask the customer for the card expiration date, and include it in your
authorization request. An invalid or missing expiration date might indicate
that the customer does not have the actual card in hand.
Use fraud prevention tools such as Visa's Address Verification Service (AVS),
Card Verification Value 2 (CVV2), and Verified by Visa.

Credit/Debit Card Payments
Issuer Acquirer
Bank Bank
Interbank (clearing) network
3 Authorization
6 Settlement
7 Notification Interbank settlement

account 2 Auth 5 Charges
1 Credit card info
Customer Merchant
(Payer) (Payee)

Credit Card Protocols
• SSL 1 or 2 parties have private keys VERY IMPORTANT.

• TLS (Transport Layer Security) USAGE INCREASING
– IETF version of SSL
• i KP (IBM) i parties have private keys

• SEPP (Secure Encryption Payment Protocol)
– MasterCard, IBM, Netscape based on 3KP OBSOLETE
• STT (Secure Transaction Technology)
– VISA, Microsoft
• SET (Secure Electronic Transactions)

– MasterCard, VISA all parties have certifcates
 3D Secure VERY SLOW
ACCEPTANCE

SSL (Secure Sockets Layer)
• NOT a payment protocol -- can be used for any secure

communications, like credit card numbers
• SSL is a secure data exchange protocol providing
– Privacy between two Internet applications
– Authentication of server (authentication of browser optional)
• Uses enveloping: RSA used to exchange DES keys
• SSL Handshake Protocol
– Negotiates symmetric encryption protocol, authenticates
• SSL Record Protocol
– Packs/unpacks records, performs encryption/decryption
• Does not provide non-repudiation

Internet Transactions (Insecure?)
The Internet SSL
Merchant
Customer 3) Send the credit card detail
8) Send Confirmation
E-Commerce Servers
11) Send a credit card bill
12) Pay the bill

1) Request a credit card
CGI, JSP, ASP..

2) Send a credit card
9) Shipment
4) Request Authorization
7) Authorization Status
5) Request Authorization
6) Authorization Status
10) Transfer Money

Customer’s Bank Merchant’s Bank
Banking Network
Secure Credit Card Payments (SSL)
The Internet SSL
Merchant
Customer Problems :
- customer’s authenticity
E-Commerce Servers
- impersonation
- server’s authenticity CGI, JSP, ASP..
- fraud at ME server
- non-repudiation
Transfers :
Transfers :
- private lines
- Manual/WWW Banking Network - FTP
- proprietary - proprietary
products products
Problems : Problems :
Problems :
- non-standard - non-standard
- insecure? •Expensive to maintain - insecure?
•Close networks
•Insecure products???
Secure Electronic Transaction (SET)
• Developed by Visa and MasterCard

• Designed to protect credit card
transactions
• Confdentiality: all messages encrypted
• Trust: all parties must have digital
certifcates
• Privacy: information made available
only when and where necessary

SET Objectives
• Confdentiality of payment and order information

– Encryption
• Integrity of all data (digital signatures)
• Authentication of cardholder & account (certifcates)
• Authentication of merchant (certifcates)
• No reliance on secure transport protocols (uses TCP/IP)
• Interoperability between SET software and network
– Standardized message formats
• SET is a payment protocol
– Messages relate to various steps in a credit card transaction

Participants
• Consumer (cardholder)
• Merchant
• Acquirer: fnancial institution acting as
transaction clearinghouse for merchant
• Issuer: fnancial institution that issued
consumer credit/debit card
• Association: Visa or Mastercard

SET Certifcation System
CH
PGW
ME
PGW
Cardholder Merchant Pay-Gateway

Secure Electronic Transactions (SET)
Issuer Acquirer
Bank Bank
Open
Internet
Network
Shopping
and payments Authorizations
and captures
Consumers Consumers
Corporate
Corporate (E-malls)
Payment
Customers Merchants Gateways

SET Payment System
Cardholder Merchant Payment

Gateway
PInitReq
PInitRes
PReq AuthReq
AuthRes
PRes
CapReq
CapRes

SET PReq Message
Cardholder Merchant Payment

Gateway
Order CC CC
ME PGW
Order Sign Payment (CC) Sign DoubleSign

Dual Signatures
• Links two messages securely but allows only one party to read each.
MESSAGE 1 MESSAGE 2
HASH 1 & 2
WITH SHA
CONCATENATE DIGESTS
TOGETHER
DIGEST 1 DIGEST 2
HASH WITH SHA TO

CREATE NEW DIGEST
NEW DIGEST
ENCRYPT NEW DIGEST

PRIVATE KEY WITH SIGNER’S PRIVATE KEY
DUAL SIGNATURE

Dual Signature for SET
• Concept: Link Two Messages Intended for Two Different

Receivers:
– Order Information (OI): Customer to Merchant
– Payment Information (PI): Customer to Bank
• Goal: Limit Information to A “Need-to-Know” Basis:
– Merchant does not need credit card number.
– Bank does not need details of customer order.
– Afford the customer extra protection in terms of privacy by
keeping these items separate.
• This link is needed to prove that payment is intended for this
order and not some other one.

Why Dual Signature?
• Suppose that customers send the merchant two messages:

• The signed order information (OI).
• The signed payment information (PI).
• In addition, the merchant passes the payment information
(PI) to the bank.
• If the merchant can capture another order information (OI) from
this customer, the merchant could claim this order goes with the
payment information (PI) rather than the original.

Dual Signature Operation
• The operation for dual signature is as follows:

– Take the hash (SHA-1) of the payment and order information.
– These two hash values are concatenated [H(PI) || H(OI)] and then the
result is hashed.
– Customer encrypts the final hash with a private key creating the
dual signature.
DS = EKRC [ H(H(PI) || H(OI)) ]

DS Verifcation by Merchant
• The merchant has the public key of the customer obtained from
the customer’s certifcate.
• Now, the merchant can compute two values:
H(PIMD || H(OI))
DKUC[DS]
• Should be equal!

SET Overhead
Simple purchase transaction:

• Four messages between merchant and customer
• Two messages between merchant and payment gateway
• 6 digital signatures
• 9 RSA encryption/decryption cycles
• 4 DES encryption/decryption cycles
• 4 certifcate verifcations
Scaling:
• Multiple servers need copies of all certifcates

SET Advantages/Disadvantages
Advantages :
– strong cryptography
– strong / complete security services
– complete system (all parties involved)
– full functionality (payments, authorizations, captures,
credits, inquiries, batches, etc.)
– “standardized”
– scalable (certification infrastructure)
Disadvantages :
– global system (“all-or-nothing”)
– “heavy-weight” components
– “privately” owned (VISA, MasterCard)
– credit cards payments only
– early implementations complicated
– “ahead of time” (user requirements, problems)

3-D Secure
• Idea: authenticate user without a certifcate

• Requires the user to answer a challenge in real-time
• Challenge comes from the issuing bank, not the merchant
• Issuing bank confrms user identity to merchant

Overview of 3-D Secure

How Does 3-D Secure Work

3-D Secure (1)
1. Customer enters details at

merchant site Active Merchant
Merchant
Customer 3-D Secure
Acquirer Plug-in
Merchant Plug-in
2. Merchant Plug-in checks card issuer

participation with VISA directory
3. VISA directory checks card

participation with issuer Visa
Directory
3-D Secure
Access Control Payment
Server Visanet Gateway
Issuer Acquirer
SOURCE: KMIS

3-D Secure (2)
6. Merchant Plug-in redirects

customer’s browser to issuer’s Access
Active Merchant
Customer
Control Server with transaction details
3-D Secure Merchant
Merchant Plug-in Acquirer Plug-in
5. Location of issuer’s Access Control

Server sent to Merchant Plug-in
4. Issuer confirms card
participation Visa
Directory
3-D Secure
Issuer Acquirer
SOURCE: KMIS

3-D Secure (3)
Active Merchant
Custome 3-D Secure Merchant
r
7. Issuer’s Access Control
Server requests username
and password from
customer
8. Customer presents
password into issuer system Visa
Directory
9. Issuer’s Access Control
Server validates password,
signs response and redirects
customer to Merchant Plug-
in
3-D Secure
Issuer Acquirer
SOURCE: KMIS

3-D Secure (4)
14. Merchant confirms transaction

Active Merchant
Customer
and issues receipt to customer
3-D Secure Merchant
13. Acquirer
sends transaction
response back to
merchant
10. Merchant
Visa submits normal
Directory transaction to
acquirer
11. Acquirer sends authorization requests to issuer

3-D Secure via Visanet
Issuer 12. Issuer sends authorization response to acquire Acquirer
via Visanet

Features of 3-D secure
• Payment Authentication
– Issuers to verify that the person involved in e-commerce is a authorized
cardholder.
– Improved transaction performance to beneft all participants
– Increase consumer confdence
• Support variety of Internet access devices

– Personal Computer
– Mobile Phones
– Personal Digital Assistants

Beneft of 3-D Secure
• Beneft for Cardholder

– Increased Customer confdence
– No Application software is needed
– Easy to use
• Beneft for Merchants

– Ease of integration into merchant system
– Reduce risk of fraudulent transaction
– Decrease in disputed transactions

eMoney Order
• Advantages
– Easy to access
• A large number of post offces & banks
are available all over the country.
– Easy to understand
• Not a completely new system.
This is an enhancement to the existing system.
– Save the money within the country
• In using credit cards, commission has to
paid to International Credit Card companies

eMoney Order : How does it work?
•A persons goes to the nearest post office

•Pay the required amount and buy the eMoney order
•Send the number in the eMoney order together with
other details in the web form.

Trusted Cheque protocol (TCP)

M-ATM (Mobile ATM)
Provide effient sefured soluton for the barriers of using

ATM with support of mobile phones
ATM Mafhine Mobile Phone
ATM Card SIM Card Java Card)
Bank Network Mobile Network

Problems
Bank’s Perspeftve
* Secure connecton is needed
* Skilled staf to maintain ATM
* Security risk
- protect against thef
* Inital capital of deploying ATM
- very high
Customer’s Perspeftve
* Not very common in rural areas.
* Users have travel more to ATM
* Security risk
* Special plastc card involved in transacton
Overall Architecture
6
1
3
2
8 7
4 Random No
No
5
5

Discussion

L8 (Epayment)

Uploaded by

Copyright:

Available Formats

L8 (Epayment)

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

L8 (Epayment)

Uploaded by

Copyright:

Available Formats

Bachelor of Computer Science

SCS2214 - Information System Security

Handout 8 - ePayment Protocols

UNIVERSITY OF COLOMBO SCHOOL OF COMPUTING

Characteristics of payment methods :

Information Security Friday, January 15, 2021 2

Type of payment Money Time

Information Security Friday, January 15, 2021 3

Type of payment Money Time

Information Security Friday, January 15, 2021 5

Information Security Friday, January 15, 2021 6

Since digital cash is represented by data, it is

Information Security Friday, January 15, 2021 7

Information Security Friday, January 15, 2021 8

Hard currency Digital cash

Consumer wallet Consumer

Information Security Friday, January 15, 2021 9

Information Security Friday, January 15, 2021 10

Cut and choose one Blind

If the consumer’s software creates the digital

Information Security Friday, January 15, 2021 11

Blind signature scheme is a protocol that allows the

Information Security Friday, January 15, 2021 12

Consumer gets bank to sign cash

Information Security Friday, January 15, 2021 13

Although the bank can’t see what it is

Information Security Friday, January 15, 2021 14

What are electronic checks?

Information Security Friday, January 15, 2021 15

Information Security Friday, January 15, 2021 16

• Standard authentication, confdentiality,

Information Security Friday, January 15, 2021 17

• Customer uses a stolen card or account number

• Family members use bankcard to order goods/

• Customer falsely claims that he or she did not

• Hackers fnd the ways into an e-commerce

Information Security Friday, January 15, 2021 18

Extra protection when there's no card

Quick steps to ensure against CNP fraud

Information Security Friday, January 15, 2021 19

7 Notification Interbank settlement

1 Credit card info

Information Security Friday, January 15, 2021 20

• SSL 1 or 2 parties have private keys VERY IMPORTANT.

• i KP (IBM) i parties have private keys

• SET (Secure Electronic Transactions)

Information Security Friday, January 15, 2021 21

• NOT a payment protocol -- can be used for any secure

Information Security Friday, January 15, 2021 22

12) Pay the bill

CGI, JSP, ASP..

10) Transfer Money

• Developed by Visa and MasterCard

Information Security Friday, January 15, 2021 25

• Confdentiality of payment and order information

Information Security Friday, January 15, 2021 26

Information Security Friday, January 15, 2021 27

Cardholder Merchant Pay-Gateway

Information Security Friday, January 15, 2021 28