4 Electronic Payment Systems



Similar documents
7 Electronic Payment Systems

How To Pay With Cash Or Credit Card (For Women)

Electronic payment systems

Electronic Payment Systems

Electronic Cash Payment Protocols and Systems

Electronic Payments. EITN40 - Advanced Web Security

PayWord and MicroMint: Two Simple MicroPayment Schemes

The Definition of Electronic Payment

A Scheme for Analyzing Electronic Payment Systems

Account-Based Electronic Payment Systems

Comparing and contrasting micro-payment models for E-commerce systems

Cryptography: Authentication, Blind Signatures, and Digital Cash

Digital Cash. is not a check, credit card or a debit card. They leave audit trails. can be sent through computer networks.

Secure Payment. Vijay Atluri

Electronic Payments Part 1

associate professor BME Híradástechnikai Tanszék Lab of Cryptography and System Security (CrySyS)

Secure Electronic Transaction (SET protocol) Yang Li & Yun Wang

Secure e-commerce. Information Security (bmevihim100) Dr. Levente Buttyán

Visa/MasterCard Secure Electronic Transactions (SET) Scope of SET Protocols

Payment Systems for E-Commerce. Shengyu Jin 4/27/2005

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

ELECTRONIC COMMERCE WORKED EXAMPLES

Electronic Payment Systems on Open Computer Networks: A Survey

Credit card: permits consumers to purchase items while deferring payment

10 Secure Electronic Transactions: Overview, Capabilities, and Current Status

Web Payment Security. A discussion of methods providing secure communication on the Internet. Zhao Huang Shahid Kahn

ELECTRONIC COMMERCE OBJECTIVE QUESTIONS

Chapter 10. e-payments

Payment systems. Tuomas Aura T Information security technology

MOBILE CHIP ELECTRONIC COMMERCE: ENABLING CREDIT CARD PAYMENT FOR MOBILE DEVICES

CHAPTER 6. Learning Objectives. Learning Objectives. E-commerce Payment Systems. Types of Payment Systems

TABLE OF CONTENTS INTRODUCTORY THE FOUNDATION OF E & M. 4. E-Commerce & M-Commerce Technologies. (c) Internet Based Research Approaches.

Electronic Commerce and E-wallet

Sending money abroad. Plain text guide

Security in Electronic Payment Systems

Application of Electronic Currency on the Online Payment System like PayPal

Web Security. Mahalingam Ramkumar

Internet Usage (as of November 1, 2011)

Electronic Payment Systems

CRYPTOGRAPHY IN NETWORK SECURITY

Payment systems. Tuomas Aura T Information security technology. Aalto University, autumn 2012

Lecture 9: Application of Cryptography

Chapter - 7. Electronic Payment Systems

Cryptography and Network Security

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

The e-payment Systems

Framework of e-commerce

Electronic Payment Systems. Traditional Methods

Three Kinds of E-wallets for a NetPay Micro-payment System

Payment authorization Payment capture Table 1.3 SET Transaction Types

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

7! Cryptographic Techniques! A Brief Introduction

Guide to Data Field Encryption

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Interoperable Mobile Payment A Requirements-Based Architecture

Payment systems. Tuomas Aura CSE-C3400 Information security. Aalto University, autumn 2015

Chapter 5. Online Payment System. Types of Payment Systems. Cash Checking Transfer Credit Card Stored Value Accumulating Balance

A Multi-Agent Architecture for Electronic Payment

Electronic Payment Systems. Dr Sherif Kamel

The Comprehensive, Yet Concise Guide to Credit Card Processing

ELECTRONIC PAYMENT SYSTEMS. A Survey Report submitted in partial fulfillment of the requirements of CMPE 296U. Srivalli Arkalgud Student ID:

E-commerce. business. technology. society. Kenneth C. Laudon Carol Guercio Traver. Third Edition. Copyright 2007 Pearson Education, Inc.

Lectures for the course: Electronic Commerce Technology (IT 60104)

MEANS OF PAYMENT IN E-COMMERCE (CREDIT CARDS AND E-MONEY) MIHAELA LOREDANA LĂPĂDUŞI

Peppercoin Micropayments

On Electronic Payment Systems

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

An access number, dialed by a modem, that lets a computer communicate with an Internet Service Provider (ISP) or some other service provider.

Key Management (Distribution and Certification) (1)

First Data E-commerce Payments Gateway

CSCE 465 Computer & Network Security

How To Protect Your Data From Attack

Authentication Types. Password-based Authentication. Off-Line Password Guessing

Network Security CS 5490/6490 Fall 2015 Lecture Notes 8/26/2015

ACQUIRER OR ACQUIRING BANK A financial institution (often a bank) where a merchant has an account to process transactions and card payments

Part I System Design Considerations

SAFE SYSTEM: SECURE APPLICATIONS FOR FINANCIAL ENVIRONMENTS USING MOBILE PHONES

Client Server Registration Protocol

Distributed Public Key Infrastructure via the Blockchain. Sean Pearl April 28, 2015

A Secure on-line credit card transaction method based on Kerberos Authentication protocol

Key Management. CSC 490 Special Topics Computer and Network Security. Dr. Xiao Qin. Auburn University

bi on Solution white paper

Mobile Electronic Payments

2.4: Authentication Authentication types Authentication schemes: RSA, Lamport s Hash Mutual Authentication Session Keys Trusted Intermediaries

On-line Payment and Security of E-commerce

PayCash: A Secure Efficient Internet Payment System

Merchant Account Glossary of Terms

Building an Anonymous Public Storage Utility Wesley Leggette Cleversafe

Combatting Double-Spending Using Cooperative P2P Systems

E-Commerce Transaction. PayPal: The Money s in the . Points of Vulnerability. PayPal: The Money s in the . Types of Payment Systems

ACH, EFT, SET, SSL, IOTP

CREDIT CARD PROCESSING GLOSSARY OF TERMS

Swedbank Payment Portal Implementation Overview

09/11/2015. ACS 3907 E-Commerce. Payment Methods. General Payment Systems. Instructor: Kerry Augustine November 10 th 2015

Efficient construction of vote-tags to allow open objection to the tally in electronic elections

Your guide to getting the most from your card

How Online Payments Really Work

Credit Card Law and Consumer Protection

Transcription:

4 Electronic Payment Systems 4.1 Traditional Payment Systems 4.2 Credit-Card Based Payment Standards 4.3 Electronic Cash and Micropayments 4.4 Practice of E-Payment Literature: Donal O Mahony, Michael Peirce, Hitesh Tewari: Electronic Payment Systems for E-Commerce, 2nd ed., Artech House 2001 Ludwig-Maximilians-Universität München Prof. Hußmann Multimedia im Netz 4-1 A Brief History of Cash Money Direct exchange of goods Problematic since double coincidence of wants is required Commodity payment Exchange with goods of well-known value (e.g. corn, salt, gold) Leading to gold and silver coins Commodity standard Tokens (e.g. paper notes) which are backed by deposits of the issuer Fiat money Assuming a highly stable economy and government Tokens no longer (or not fully) backed by deposits Trust in the issuer replaces deposits Cash is used for 80% of all financial transactions Cash is not free of transaction costs! Replacement of coins/notes paid out of taxes Ludwig-Maximilians-Universität München Prof. Hußmann Multimedia im Netz 4-2

Forms of Payment Cash Cheques Using clearing house between banks Giro, direct credit transfer (Überweisung), direct debit (Lastschrift) Requires clearing house, today fully automated ( Automated Clearing House ACH ) Wire transfer Payment cards (cost usually borne by the merchant): Credit card» Associated with credit promise from bank Charge card» Requires full settlement of bill each month Debit card» Card used to initiate an immediate direct debit Ludwig-Maximilians-Universität München Prof. Hußmann Multimedia im Netz 4-3 Customer Preferences in Non-Cash Payment According to the Bank for International Settlements, www.bis.org Figures for 1998 Country Cheques Credit Transfer Payment Cards Direct Debit USA 70 % 3.7 % 24.3 % 2.0 % Netherlands 1.9 % 45 % 24.5 % 28.5 % UK 28 % 19.3 % 33.1 % 19.4 % Germany 4.8 % 50.6 % 5.1 % 39.5 % Turkey 6.9 % 2.6 % 83.9 % -- Ludwig-Maximilians-Universität München Prof. Hußmann Multimedia im Netz 4-4

Customer and Merchant Preferences in German E-Commerce Study by Fittkau & Maaß (according to Computerzeitung 44, Oct 2004): Used payment methods in German online commerce Multiple assignment of preferences was possible Used payment methods: 75 % traditional billing (payment after delivery, usually by credit transfer) 42 % direct debit (Lastschrift) 37 % credit card 8 % electronic payment methods Electronic payment is still not well known and therefore rarely used Payments for small amounts (less than 2) are problematic Ludwig-Maximilians-Universität München Prof. Hußmann Multimedia im Netz 4-5 4 Electronic Payment Systems 4.1 Traditional Payment Systems 4.2 Credit-Card Based Payment Standards 4.3 Electronic Cash and Micropayments 4.4 Practice of E-Payment Literature: Donal O Mahony, Michael Peirce, Hitesh Tewari: Electronic Payment Systems for E-Commerce, 2nd ed., Artech House 2001 Ludwig-Maximilians-Universität München Prof. Hußmann Multimedia im Netz 4-6

Credit Card MOTO Transactions MOTO = Mail Order/Telephone Order Transactions without physical co-location of buyer and merchant Special rules: Additional information» Address» Card security code Often: Matching of delivery address and credit card billing address Extremely popular form of online payment Data transfer secured by SSL, i.e. hybrid symmetric/asymmetric cryptosystem Disadvantages: Many possibilities for fraud Anonymity of customer not possible High transaction cost difficult for small amounts Ludwig-Maximilians-Universität München Prof. Hußmann Multimedia im Netz 4-7 SET SET = Secure Electronic Transactions Standard by Visa and MasterCard 1996 Today almost without significance (after attempt to revive it in 1999) But still a model for a thorough way to deal with the problem Scope restricted to authorization of credit card payments No actual funds transfer Focus on trust model and authorization Using public/private key cryptosystem Complex (three volumes specification) But safe against all major risks Special PKI: All participants have to obtain (X.509) certificates Brand Certification Authority (MasterCard/Visa) Geopolitical Authority (optional) Cardholder/Merchant/Payment CA Ludwig-Maximilians-Universität München Prof. Hußmann Multimedia im Netz 4-8

SET Initialization Initialization (PInitReq): Cardholder to Merchant Contains: Brand of card, list of certificates, challenge (to ensure freshness) Initialization Response (PInitRes): Merchant to Cardholder Contains: Transaction ID, response to challenge, certificates, merchant challenge Roles: Cardholder (Buyer) Merchant (Seller) Acquirer (essentially credit card organization)» Operating a payment gateway Ludwig-Maximilians-Universität München Prof. Hußmann Multimedia im Netz 4-9 Dual Signatures General concept: Alice wants to send Message 1 to Bob and Message 2 to Carol, and she wants to assure Bob and Carol that the respective other message exists To Bob she sends Message 1 and Digest 2 To Carol she sends Message 2 and Digest 1 Message 1 Message 2 Hash Hash Secret Key of Sender Digest 1 Digest 2 Hash Sign Dual Signature Ludwig-Maximilians-Universität München Prof. Hußmann Multimedia im Netz 4-10

SET Purchase Purchase Order (PReq): Cardholder to Merchant Order Information (OI):» Identifies order description at the merchant» Contains response to merchant challenge» Includes random information ( nonce ) for protection against dictionary attacks Payment instructions (PI):» Card data, purchase amount, hash of order, transaction ID» Payment instructions are encrypted with acquirer s public key (merchant cannot read it)» Extra strong encryption by using RSA (and not DES, for instance) Dual signature for OI going to Merchant and PI going to Acquirer Ludwig-Maximilians-Universität München Prof. Hußmann Multimedia im Netz 4-11 SET Purchase Request Data CardData CC# Expiry Nonces Order Description Amount PIData TransactionID Hash(Order) Amount Card Data (extra encrypted)... OIData TransactionID BrandID Date Challenges... Encrypted for Acquirer Dual Signature Ludwig-Maximilians-Universität München Prof. Hußmann Multimedia im Netz 4-12

SET Authorization Authorization Request (AuthReq) Merchant to Acquirer Encrypted with Acquirer s public key Signed with Merchant s secret key Contains: TransactionID, amount, Hash(Order), Hash(OIData), PIData, merchant details, cardholder billing address Hash(Order) contained twice» from merchant directly» as part of PIData (encrypted, e.g. just forwarded from cardholder) Can be used to verify that cardholder and merchant have agreed on order details Authorization Response (AuthRes) Acquirer to Merchant Contains: TransactionID, authorization code, amount, data, capture token (to be used for actual funds transfer) Ludwig-Maximilians-Universität München Prof. Hußmann Multimedia im Netz 4-13 4 Electronic Payment Systems 4.1 Traditional Payment Systems 4.2 Credit-Card Based Payment Standards 4.3 Electronic Cash and Micropayments 4.4 Practice of E-Payment Literature: Donal O Mahony, Michael Peirce, Hitesh Tewari: Electronic Payment Systems for E-Commerce, 2nd ed., Artech House 2001 Ludwig-Maximilians-Universität München Prof. Hußmann Multimedia im Netz 4-14

Electronic Cash Many attempts have been made to transfer the advantages of cash money to digital transactions: Acceptability independent of transaction amount Guaranteed payment no risk of later cancellation No transaction charges» no authorization, no respective communications traffic Anonymity There does not exist an electronic system which captures all of the above attributes! But there are interesting approximations... Ludwig-Maximilians-Universität München Prof. Hußmann Multimedia im Netz 4-15 DigiCash / Ecash DigiCash (David Chaum) Dutch/U.S. company, 1992 Ecash Electronic equivalent of cash, developed by DigiCash Fully anonymous using cryptographic techniques History: 1995: Mark Twain Bank, Missouri, started issuing real Ecash dollar coins 1998: DigiCash bankruptcy Relaunch as ecash Technologies 2002: ecash Technologies taken over by InfoSpace» Mainly to acquire valuable patents Ecash still an interesting model for electronic cash Ludwig-Maximilians-Universität München Prof. Hußmann Multimedia im Netz 4-16

Ecash Model Ecash Bank Withdraw/ deposit coins Validity indication New coins, statement Deposit coins Client Wallet cyberwallet Pay with coins Goods Merchant Software Ludwig-Maximilians-Universität München Prof. Hußmann Multimedia im Netz 4-17 Minting Electronic Coins Each coin has a serial number Serial number is generated by a client s cyberwallet software Randomly chosen, large enough to avoid frequent duplicates (e.g. 100 bits) Coins, respectively their serial numbers, are signed by the bank Bank does not know the serial number through blinding (see next slide) Bank is not able to trace which coins are given to which person Bank uses different keys for different coin values E.g. 5-cent, 10-cent, 50-cent signatures Contents of an electronic coin: Serial number SN Key version (can be used to obtain value, currency, expiry date) Signature: F(SN), encrypted with one of the bank s secret keys» Where F computes a hash code of SN and adds some redundant information to avoid forging of coins Ludwig-Maximilians-Universität München Prof. Hußmann Multimedia im Netz 4-18

Blinding General concept: Alice wants Bob to sign a message without Bob seeing the content. Analogy: Envelope with message and a sheet of carbon paper Signature on the outside of the envelope goes through to the contained message Procedure: Blinding achieved by multiplication with random value (blinding factor) Alice sends multiplied (blinded) message B(M) to Bob Bob signs blinded message: Sign Bob (B(M)) Signature function and blinding (multiplication) are commutative:» Sign X (B(M)) = B(Sign X (M)) Alice de-blinds message (by division with blinding factor) The resulting message is Sign Bob (M), indistinguishable from a message directly signed by Bob Ludwig-Maximilians-Universität München Prof. Hußmann Multimedia im Netz 4-19 Avoiding Forged Coins Assuming the function F was omitted Coin contains serial number SN in plaintext Signature is just SK $1 (SN) Forging a coin: Choose a large random number R Encrypt R with bank s $1 public key: S = PK $1 (R) Construct coins which contain S as serial number and R as signature Now the coin can be verified (not distinguishable from real coin): SK $1 (S) = SK $1 (PK $1 (R)) = R Therefore introduction of function F in coin definition Ludwig-Maximilians-Universität München Prof. Hußmann Multimedia im Netz 4-20

Avoiding Double Spending E-Coins are just pieces of data which can be copied How to avoid that the same coin is spent several times? Ecash solution: Central database of spent coins Merchants must have an online connection with the Ecash bank Before accepting a coin: check whether it has been spent already Problem: Database of spent coins can become a performance bottleneck Offline trade with coins is impossible Ludwig-Maximilians-Universität München Prof. Hußmann Multimedia im Netz 4-21 An Ecash Purchase Client has Ecash coins stored in his cyberwallet Merchant receives an order from the client Merchant sends a payment request to the client s cyberwallet Amount, timestamp, order description,... User is asked whether he/she wants to pay Coins for the (exact) amount are taken from wallet There is no change with Ecash Otherwise the merchant could record the serial numbers of his coins given to the client and try to identify the client Coins are encrypted with bank s public key when sent to merchant Merchant just forwards them but cannot read anything To prove the payment: Client generates a secret and includes (a hash of) it into the payment info. Ludwig-Maximilians-Universität München Prof. Hußmann Multimedia im Netz 4-22

The Perfect Crime Bruce Schneier: An anonymous kidnapper takes a hostage. Kidnapper prepares a large number of blinded coins and sends them to the bank as a ransom demand. Bank signs the coins to save the hostage. Kidnapper demands that the signed coins are published, e.g. in newspaper or television. Pickup cannot be traced. Nobody else can unblind the coins but the kidnapper. Kidnapper saves the blinded coins to his computer, unblinds them, and has a fortune in anonymous digital cash Hopefully, kidnapper releases the hostage... Ludwig-Maximilians-Universität München Prof. Hußmann Multimedia im Netz 4-23 Off-Line Coins Chaum/Pedersen 1992, Stefan Brands 1993: Coins may consist of several parts To use a coin in a payment transaction, one part of the coin must be revealed. Payer is not identified. If the coin is used a second time, a second part of the coin is revealed and the payer is identified. This way, it is possible to trace double spendings after the fact, and to identify the origin of the double-spent coins. Algorithmic idea: Identity I of user is encrypted with one-time random number P» Is part of coin Special challenge-response system: Merchant asks client for answer on a random challenge and stores the results As soon as the merchant has two results for different challenges, he can calculate the information required to decrypt the identity of the payer Ludwig-Maximilians-Universität München Prof. Hußmann Multimedia im Netz 4-24

Macropayments and Micropayments Systems described above were designed for macropayments Minimum granularity 1 cent (penny, etc) Prices for services often quoted in smaller quantities See petrol prices... Hundredth or thousandth of cent Micropayment: Payment technology suitable for very small amounts Problem: Transaction overhead from macropayment systems larger than value Advantage: Losing an electronic micro-coin is not a serious damage Light-weight, fast, scalable protocols Historic pioneer: Millicent project (1995) Digital Equipment Corporation (now part of Compaq, part of HP) Key innovations: Brokers intermediating between vendors and scrip (digital cash valid only for a specific vendor) Ludwig-Maximilians-Universität München Prof. Hußmann Multimedia im Netz 4-25 MicroMint Developed by Ron Rivest and Adi Shamir (1996) (similar: PayWord) Idea: Signing of e-coins by bank is computationally too expensive Make it computationally difficult for everybody else but a broker to mint valid coins Make it quick and efficient for everybody to verify a coin No check for double spending Buy coins New coins for any vendor Broker (mints coins) Redeem coins at end of day User Spend coins Purchased information Vendor Ludwig-Maximilians-Universität München Prof. Hußmann Multimedia im Netz 4-26

k-way Hash Collisions MicroMint coin is a k-way hash collision function One-way hash function: H(x) = y Hash function collision: H(x 1 ) = H(x 2 ) = y It is computationally hard to generate two values that map to the same value k-way hash function collision: k different input values map to the same output value MicroMint coin (4-way hash collision): C = [x 1, x 2, x 3, x 4 ] such that the hash function gives the same value for all x i Verifying a MicroMint coin: Just check the hash function value for the four given values Ludwig-Maximilians-Universität München Prof. Hußmann Multimedia im Netz 4-27 Minting MicroMint Coins Length of x and y values restricted to a fixed number of bits Assuming y values are n bits long Analogy: Throwing balls at 2 n bins Balls generated at random Bins represent y values Successfully minted coin: 4 balls in one bin Difficult to mint first coin, further coins much quicker Ball Ludwig-Maximilians-Universität München Prof. Hußmann Multimedia im Netz 4-28

Preventing Forgery with MicroMint Special hardware: Broker can gain speed advantage over attackers Short coin validity period: Coins do not live more than a month Early minting: Coins are minted a month or more before distribution speed advantage Coin validity criterion: May be changed every month, e.g. the used hash function Different bins: Broker may remember the unused bins for the month and use them to detect forged coins... Ludwig-Maximilians-Universität München Prof. Hußmann Multimedia im Netz 4-29 4 Electronic Payment Systems 4.1 Traditional Payment Systems 4.2 Credit-Card Based Payment Standards 4.3 Electronic Cash and Micropayments 4.4 Practice of E-Payment Ludwig-Maximilians-Universität München Prof. Hußmann Multimedia im Netz 4-30

Payment Service Providers Nowadays, many users apparently have learned to trust encrypted transmission over the Internet Problem: Confidential data (e.g. credit card number, bank account) still known to merchant Solutions: Build up high-trust merchant brands (e.g. Amazon) Use independent third parties as payment service provider» Examples: FirstGate, PayPal Payment service provider: Establishes account with user, keeps confidential data away from merchant Provides easy tools for merchants to integrate payment functions into Wen shops Accumulates small payments to monthly bills Ludwig-Maximilians-Universität München Prof. Hußmann Multimedia im Netz 4-31 Banner Advertising Advertising is often used as a form of payment on the Web Information services on the Web can be financed by advertising income Typical billing schemes for advertisers: Page impression: Banner is put one time in front of a Web user CPM: Cost per thousand (Roman 1.000 sign) page impressions» Typical cost range 0.50 up to 40 (figures from 2001) CPC: Cost per click» Typical cost range 0.10 up to 1 (figures from 2001) Ludwig-Maximilians-Universität München Prof. Hußmann Multimedia im Netz 4-32

Mobile Network Based Payment Systems Example PayBox (www.paybox.net) Registration with Payment Service Provider (paybox) Customer obtains PIN Payment request in E-Commerce or M-Commerce applications Payment Service Provider calls back on mobile phone Customer confirms payment by entering PIN Confirmation by email/sms Mobile phone bill is not used for money transfer Add-on services: Online credit transfer User-to-user credit transfer via mobile phone Paybox company in Germany: Business closed 2003 Some success in Austria www.payboxsolutions.com Ludwig-Maximilians-Universität München Prof. Hußmann Multimedia im Netz 4-33 Payment through Phone Bill Example T-Pay (Deutsche Telekom) Billing data of phone bills are kept up to date No additional bill for customer Suitable for small amounts Network Operator Add to bill Pay through phone bill Authentication Receipt Payment Provider Initiate Payment Transfer money User Buy with T-Pay Purchase Vendor Ludwig-Maximilians-Universität München Prof. Hußmann Multimedia im Netz 4-34

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information