Electronic Payment Systems

Presented by Rufus Knight, Veronica Ogle, Chris Sullivan

As eCommerce grows, so does our need to understand current methods of Electronic Payment Systems.


Outline

• Introduction to Project
• Electronic Cash Presentation
• Electronic Checks Presentation
• Credit Card Payments Presentation
• Conclusion
• Questions

Introduction

• Our Group has:
  – Created a web site on three types of electronic payment systems
    • Electronic Cash
    • Electronic Checks
    • Credit Card Payments
  – Focused on Security Issues, Protocols, and Real World Implementations of each Method

eCash

Currency & Micropayments

eCash

• What is eCash?
  – A class of technologies that provide an analog of cash represented in electronic form.
  – Replicates properties of real cash (anonymity, low transaction cost, etc.).
  – Can be spent or given away.
  – Quick and easy online transactions.
  – Implemented with smart cards or just software.

eCash Transaction Model

• eCash Model

eCash

• What are Micropayments?
  – Small valued transactions (.10 - $10)
  – Suitable for the sale of non-tangible goods over the Internet.
  – Imposes requirements on speed and cost of processing of the payments.
  – Delivery occurs nearly instantaneously on the Internet, and often in arbitrarily small pieces.
  – Need for security is reduced.

Micropayment Transaction Model

• Micropayment Model

eCash Security

• Public Key Cryptography
• Coins
  – 2 pairs of integers (serial number, calculated value -> (a, f(a)))
    • a -> serial number
    • f -> one-way hash function
  – E.g. Bank uses RSA algorithm and its private key to sign a.

eCash

• Blinding (ensures privacy)
  – r -> blinding factor
  – Person sends f(a)r to Bank
  – Bank signs and returns
  – Person divides it with r
• The Bank does not know r so it can't trace identity of the coin when it is cashed later
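The blinding exchange above, carried through with RSA as an added example (not code from the presentation). In RSA the customer multiplies f(a) by r raised to the bank's public exponent, so that dividing the returned signature by r leaves the bank's ordinary signature on f(a); the toy key, the function names and the 128-bit serial number are assumptions.

```python
import hashlib
import math
import secrets

# Constructed toy bank key: two known Mersenne primes. Far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537                        # bank's public key
D = pow(E, -1, (P - 1) * (Q - 1))          # bank's private exponent


def f(serial: int) -> int:
    """One-way hash f(a) of the coin serial number a, reduced mod N."""
    return int.from_bytes(hashlib.sha256(str(serial).encode()).digest(), "big") % N


def blind(serial: int):
    """Customer: pick blinding factor r and hide f(a) as f(a) * r^E mod N."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:            # r must be invertible mod N
            return (f(serial) * pow(r, E, N)) % N, r


def bank_sign(blinded: int) -> int:
    """Bank: sign the value it is shown; it sees neither a nor f(a)."""
    return pow(blinded, D, N)


def unblind(blind_sig: int, r: int) -> int:
    """Customer: 'divide by r', i.e. multiply by r^-1 mod N."""
    return (blind_sig * pow(r, -1, N)) % N


def verify(serial: int, sig: int) -> bool:
    """Merchant, or bank at deposit: check sig^E == f(a) mod N."""
    return pow(sig, E, N) == f(serial)


def withdraw_coin():
    """Full withdrawal; returns the coin (a, signature) and what the bank saw."""
    serial = secrets.randbits(128)
    blinded, r = blind(serial)
    return (serial, unblind(bank_sign(blinded), r)), blinded
```

At deposit the bank sees only (a, signature); the value it signed during withdrawal was f(a) multiplied by a factor it never learned, so the two records cannot be matched.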

eCash

• Example Systems:
  – DigiCash (software-based)
  – Mondex (card-based)
  – NetBill (micropayments)

eChecks

Credit-Debit System

Electronic Checks (eChecks)

• Designed to perform the payment and other financial functions of paper checks by using cryptographic signatures and secure messaging over the Internet

• Based on the idea that electronic documents can be substituted for paper, and that public key cryptographic signatures can be substituted for handwritten signatures

eChecks (cont.)

• Three aspects faced in order for eCheck transactions to take place:
  – Private key possession and control -- The signature verifier must believe that the signer has exclusive possession of his signing key
    • The electronic checkbook, in the form of a PIN-activated tamper-resistant smart card or similar cryptographic hardware, performs a signing algorithm so that the private signing key is always kept inside the trusted hardware and is never read into the signer's networked personal computer or server

eChecks (cont.)

    • The electronic checkbook is aware of echeck syntax and logs critical data from echecks to provide the signer with a trusted log of signing actions
  – Key pair generation -- The signature verifier must believe that the private/public key pair was generated such that the private key cannot be guessed by an attacker based on knowledge of the public key
    • The electronic checkbook performs key generation within the tamper-resistant hardware using algorithms that have been properly tested and certified by the manufacturer

eChecks (cont.)

    • Only the public key is exported from the hardware, and the private key is never revealed to anyone
  – Public key infrastructure -- The signature verifier must be able to trust that the public key provided for use in verifying the signature really belongs to the signer and is the other half of the signer's public key pair
    • The public key exported from the card is included in a certificate signed by the bank's Certification Authority
    • The bank echeck servers keep an independent database of the bank's signers' public keys so that they always know the most current relationships of keys to accounts and signers

eChecks (cont.)

• Areas of fraud and how eChecks prevent them:
  – Duplicate detection
    • Each echeck is guaranteed to be unique by the operations of the electronic checkbook
    • The payee and payee's bank detect and refuse duplicate submissions of echecks
    • The payer's bank detects duplicates and pays only one instance of an echeck
    • Prevents multiple payments due to innocent retransmissions of email and prevents a payee from cashing and depositing an echeck in two different accounts

eChecks (cont.)

  – Payee identification
    • Echecks can be made out to the payee's bank routing code and either an account or customer ID number
    • Also can be made out to the payee's public key
    • These parameters uniquely identify the payee and prevent an eavesdropper from exploiting the ambiguity of payee identification, which otherwise exists if only payee common names are used

eChecks (cont.)

  – Electronic account numbers
    • The account number of the echeck is a randomly chosen number assigned by the bank for the purpose of writing and depositing
    • The payer's and depositor's echeck account numbers are mapped to their paper check account numbers by their respective banks
    • The banks will not accept paper checks or drafts written against the echeck account numbers
    • This prevents an eavesdropper or corrupt payee from printing and passing paper checks or drafts against the account numbers

eChecks (cont.)

  – Cryptographically attached invoices
    • Invoices can be sent to detail the purpose of the payment, and can be signed by the echeck signature binding them to the echeck and ensuring their authenticity and integrity
    • This prevents an attacker from intercepting an echeck and purchase order, changing the delivery address in the order, and forwarding the echeck and altered order to the merchant
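Two of the controls above, the signature that binds an invoice to its echeck and duplicate detection at the payer's bank, sketched as an added example (not code from the presentation or from any echeck implementation). The toy RSA key stands in for the key held in the electronic checkbook; the field names, account number and result strings are constructed for illustration.

```python
import hashlib
import json

# Constructed toy RSA key standing in for the key pair generated inside the
# electronic checkbook (two known Mersenne primes; far too small for real use).
P, Q = 2**61 - 1, 2**89 - 1
PUBLIC = (P * Q, 65537)
PRIVATE_D = pow(65537, -1, (P - 1) * (Q - 1))   # never leaves the checkbook


def digest(echeck: dict, invoice: dict, n: int) -> int:
    """Hash echeck and invoice together so one signature binds both."""
    blob = json.dumps({"echeck": echeck, "invoice": invoice}, sort_keys=True)
    return int.from_bytes(hashlib.sha256(blob.encode()).digest(), "big") % n


def checkbook_sign(echeck: dict, invoice: dict) -> int:
    return pow(digest(echeck, invoice, PUBLIC[0]), PRIVATE_D, PUBLIC[0])


def verify(echeck: dict, invoice: dict, sig: int, public) -> bool:
    n, e = public
    return pow(sig, e, n) == digest(echeck, invoice, n)


class PayerBank:
    def __init__(self, signer_keys: dict):
        self.signer_keys = signer_keys   # echeck account number -> public key
        self.paid = set()                # (account, check number) already paid

    def present(self, echeck: dict, invoice: dict, sig: int) -> str:
        public = self.signer_keys.get(echeck["account"])
        if public is None or not verify(echeck, invoice, sig, public):
            return "refused: bad signature"
        ident = (echeck["account"], echeck["check_no"])
        if ident in self.paid:
            return "refused: duplicate"
        self.paid.add(ident)
        return "paid"


def demo():
    echeck = {"account": "EC-000123", "check_no": 1042, "amount": "25.00",
              "payee": {"routing": "000000000", "customer_id": "M-31"}}
    invoice = {"order": "PO-17", "ship_to": "12 Elm St"}
    sig = checkbook_sign(echeck, invoice)
    altered = dict(invoice, ship_to="99 Other Rd")     # changed delivery address
    bank = PayerBank({"EC-000123": PUBLIC})
    return (verify(echeck, altered, sig, PUBLIC),      # merchant's check fails
            bank.present(echeck, invoice, sig),        # first presentment
            bank.present(echeck, invoice, sig))        # retransmission
```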

Credit Cards

Secure Presentation

Electronic Credit Card Payments

• Secure Electronic Transaction (SET)
• Credit Card Transactions
• Check Sum Algorithm

Secure Electronic Transaction (SET)

• Protocol for sending financial information over the Internet.
• Provides secure transmission
• Allows for party authentication
• Provides integrity for the payment messages

Credit Card Transactions

1. The consumer supplies the credit card to the merchant.

2. The merchant seeks card authorization from the merchant's bank.

3. The merchant's bank then seeks authorization from the consumer's bank.

4. The consumer's bank responds to the merchant's bank.

5. The merchant's bank notifies the merchant that the transaction has been approved.

Credit Card Transactions (cont.)

1. The merchant finalizes the transaction.

2. The merchant sends a batch of charges to the merchant's bank.

3. The merchant's bank then sends each settlement request to the appropriate consumer bank.

4. The consumer bank receives each settlement request and debits the consumer's account.

5. The merchant's bank credits the merchant's account and withdraws the credit amount from the consumer's bank.

Check Sum Algorithm

• Assumes the credit card number 3728 024906 54059
• The number is 15 digits long and thus odd and therefore has a numerical weight of one
• Compute the check digit by:
• 3, 14, 2, 16, 0, 4, 4, 18, 13, 5, 0, 8, 10, 9
• Subtract 9 from every value greater than nine: 3, 5, 2, 7, 0, 4, 4, 9, 0, 3, 5, 8, 0, 1, 9
• Add these numbers: 60
• The check should equal zero

60 mod 10 = 0
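The check sum on this slide is the Luhn algorithm; the added example below (not code from the presentation) returns each intermediate list so the steps can be followed for the slide's number, and it generalizes to even-length numbers, where the leftmost digit has weight two. Function names are assumptions.

```python
def luhn_steps(card_number: str):
    """Return (weighted, reduced, total), each list in left-to-right order."""
    digits = [int(c) for c in card_number if c.isdigit()]
    if not digits:
        raise ValueError("no digits in card number")
    weighted = []
    # Weights alternate 1, 2, 1, 2 ... starting from the rightmost digit, so
    # in an odd-length number the leftmost digit also has weight one.
    for pos, d in enumerate(reversed(digits)):
        weighted.append(d * 2 if pos % 2 == 1 else d)
    weighted.reverse()
    # Subtracting 9 from a two-digit product equals adding its two digits.
    reduced = [v - 9 if v > 9 else v for v in weighted]
    return weighted, reduced, sum(reduced)


def luhn_valid(card_number: str) -> bool:
    """True when the number contains only digits/separators and sums to 0 mod 10."""
    cleaned = card_number.replace(" ", "").replace("-", "")
    if not cleaned.isdigit():
        return False
    return luhn_steps(cleaned)[2] % 10 == 0


def luhn_check_digit(partial: str) -> int:
    """Check digit to append to a number that does not yet have one."""
    total = luhn_steps(partial + "0")[2]
    return (10 - total % 10) % 10


# Luhn is an error-detecting code for typing mistakes, not a security control:
# it catches any single wrong digit but misses swapping an adjacent 9 and 0.
SLIDE_NUMBER = "3728 024906 54059"

if __name__ == "__main__":
    weighted, reduced, total = luhn_steps(SLIDE_NUMBER)
    print(weighted, reduced, total, luhn_valid(SLIDE_NUMBER))
```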

Conclusion

• Electronic money is a more viable means of making payments.

• These payment methods offer privacy, convenience, and security

• There are a wide variety of electronic payment systems available.

• The consumer must find the system that best suits their needs

Questions ???