E-Commerce Security and Privacy

Online banking and electronic commerce have become an everyday reality for millions of users. Almost every large banking institution offers services such as account management, fund transfers, automatic payments, and investments through the Internet. The quality of the provided services has become a driving factor in user selection of a banking institution. Given the critical nature of the services provided, banks and financial institutions are investing substantial resources in the implementation of sophisticated financial applications that are appealing to the end-user. In the design and implementation of these applications developers face a trade-off between user-friendliness and security.

This chapter presents an example outlining the process and results of a software security risk analysis. Unlike other types of security risk analyses, a software security analysis focuses on the design and implementation of the online application rather than the network and physical environment in which the application is deployed. An example is used to illustrate the benefits of a software security risk analysis and demonstrate how software security extends and complements conventional security and business risk analyses.

By 2004, there is expected to be over 1 billion wireless device sub-scribers. The future of e-commerce appears to be headed straight for mobile e-commerce (m-commerce). Today’s workers want to be un-tethered from their desktops with the freedom to communicate with anyone, anywhere, anytime. To this end, current wireless platforms are integrating voice telephony, data, and streaming multimedia in multifunction rich-content capable devices. In the future, code will be exchanged transparently with data over wireless links. Wireless devices will have the processing power and memory of today’s desktop workstations. Wireless devices will have direct connections to file servers and network services behind the corporate firewalls. Furthermore, wireless devices will have the ability to ship and execute mobile and itinerant code such as software agents that act on the user’s behalf. The security and privacy concerns are paramount for consumers and businesses. In this chapter, we describe the key security concerns in mobile e-commerce and avenues for addressing them.

Nothing works. Despite repeated attempts by FedEx employees and customers around the globe, suddenly no information is available. Everything was fine a few moments ago, but now the company, which delivers more than three million express packages to 210 countries each working day, has had its worldwide operations crippled by a failure of its information system.¹ Unbeknownst to FedEx officials, the debilitating disruption in its ability to move goods around the globe is the result of a “denial of service attack” by an unknown criminal hacker.²

While the Internet is dramatically changing the way business is conducted, security and privacy issues are of deeper concern than ever before. A primary fault in evolutionary electronic commerce systems is the failure to adequately address security and privacy issues; therefore, security and privacy policies are either developed as an afterthought to the system or not at all. One reason for this failure is the difficulty in applying traditional software requirements engineering techniques to systems in which policy is continually changing due to the need to respond to the rapid introduction of new technologies which compromise those policies. Security and privacy should be major concerns from the onset, but practitioners need new systematic mechanisms for determining and assessing security and privacy. To provide this support, we employ scenario management and goal-driven analysis strategies to facilitate the design and evolution of electronic commerce systems. Risk and impact assessment is critical for ensuring that system requirements are aligned with an enterprise—s security policy and privacy policy. Consequently, we tailor our goal-based approach by including a compliance activity to ensure that all policies are reflected in the actual system requirements. Our integrated strategy thus focuses on the initial specification of security policy and privacy policy and their operationalization into system requirements. The ultimate goal of our work is to demonstrate viable solutions for supporting the early stages of the software lifecycle, specifically addressing the need for novel approaches to ensure security and privacy requirements coverage.

Suppose that Bob has a databaseDand that Alice wants to perform a search queryqonD(e.g., “isqinD?”).Since Alice is concerned about her privacy, she does not want Bob to know the queryqor the response to the query. How could this be done? There are elegant cryptographic techniques for solving this problem under various constraints (such as “Bob should know neitherqnor the answer to the query” and “Alice should learn nothing aboutDother than the answer to the query”), while optimizing various performance criteria (e.g., amount of communication).

We consider the version of this problem where the query is of the type “isq approximatelyinD?”for a number of different notions of “approximate”, some of which arise in image processing and template matching, while others are of the string-edit type that arise in biologicalsequence comparisons. New techniques are needed in this framework of approximate searching, because each notion of “approximate equality”introduces its own set of difficulties; using encryption is more problem-atic in this framework because the items that are approximately equal cease to be so after encryption or cryptographic hashing. Practical pro-tocols for solving such problems make possible new forms of e-commerce between proprietary database owners and customers who seek to query the database, with privacy.

We first present four secure remote database access models that are used in the e-commerce, each of which has different privacy requirement.We then present our solutions for achieving privacy in each of these four models.

This chapter presents a generic belief logic and demonstrates how it can be used to reason about accountability in cryptographic protocols for electronic commerce. First, we explain why the analysis of accountability properties can be treated in terms of belief. Different from other logics that have been proposed earlier to deal with accountability, our logic uses more general logical terms to deal with accountability, instead of the specific predicate “canprove”. We argue that the essence of accountability is actually the ability to “make” someone “believe” something, and the notion of “make” is just another modal operator in a generic belief logic. We then describe our belief logic and present an axiomatization system for analyzing cryptographic protocols for e-commerce. Finally, we illustrate with two examples how our logic can be used for our intended purpose.

Past generations of access control systems, when faced with an access request, have issued a “yes” (resp. “no”) answer to the access request resulting in access being granted (resp. denied). In this chapter, we ar­gue that for the world’s rapidly proliferating business to business (B2B) applications and auctions, “yes/no” responses are just not enough. We propose the notion of a “provisional authorization” which intuitively says “You may perform the desired access provided you cause condition C to be satisfied.” For instance, a user accessing an online brokerage may receive some information if he fills out his name/address, but not otherwise. While a variety of such provisional authorization mecha­nisms exist on the web, they are all hardcoded on an application by application basis. We show that given (almost) any logic L, we may define a provisional authorization specification language pASLL. pASLL is based on the declarative, polynomially evaluable authorization spec­ification language ASL proposed by Jajodia et al [JSS97]. We define programs in pASLL, and specify how given any access request, we must find a “weakest” precondition under which the access can be granted (in the worst case, if this weakest precondition is “false” this amounts to a denial). We develop a model theoretic semantics for pASLL and show how it can be applied to online sealed-bid auction servers and online contracting.