201 CU IDOL SELF LEARNING MATERIAL (SLM)

itself.

The internet provides great opportunities for business but, with those opportunities, come some e-security risks. Intruders can install malicious software such as spyware and viruses, which can:
• steal sensitive business information and slow down the computer;
• intercept financial transactions;
• steal credit card details and access customer information;
• use up your download limit without your knowledge and at your cost;
• take over your website and modify it; and
• steal sensitive business information by using a portable device.

Concept of E-Security

E-Security is a part of the Information Security framework and is specifically applied to the components that affect e-commerce, which include computer security, data security and other wider realms of the Information Security framework. E-commerce and network security are not simple; diligence is needed to prevent loss.

E-security, or information security, is also the protection of information against unauthorized disclosure, transfer, modification or destruction, whether accidental or intentional. E-Security is the method of securing internet systems from malicious use. It deals with the security of the information (in electronic form) that travels over the Internet. So e-security involves securing both the information and the network through which the information flows.

[Pictorial concept of E-security: Figure 11.1 E-Security Systems]

Need for E-Security

The areas which need security are network security and intrusion detection.

Network security

Network security includes systems that protect networks, such as a local area network (LAN) or wide area network (WAN). Different techniques are used to create a trusted zone in these networks. Firewalls protect the network by permitting only specified traffic to enter it
from the outside (from the Internet, for example). In large organizations, firewalls also separate internal networks from each other, keeping an intruder in one network from gaining access to another or preventing unauthorized access by employees to certain files. Firewalls divide the information technology world into two parts: the inside, trusted zone and the outside, untrusted zone. To work effectively, firewall rules and policies must support your business.

Intrusion Detection

Intrusion detection provides additional layers of protection. It can detect and register suspicious activity, alert appropriate personnel and block the anomalous behaviour on the network or its hosts. Tools vary from broad, multipurpose tools to highly specialized tools that look for specific features. An example of a broad tool is a network sniffer. Sniffers were developed for administrators needing to troubleshoot problems, but they were quickly adapted by hackers to access information such as passwords and files.

Importance of E-commerce security

Companies are doing more and more business on the Web as interactions become faster and less expensive. However, there are many security concerns. The following must be considered: authentication (who is the user), authorization (permission to do what they want), data integrity and encryption (accessing information that cannot be altered or read in transit), accountability (users can be held responsible for their actions) and notarization (users can make agreements with sites that are legally enforceable).

E-security is important to businesses and governments today. In an enterprise, a security exposure might result in possible damage to the organization's information and communication systems. Examples of exposure include unauthorized disclosure of information, modification of business or employer's data and denial of legal access to the information system.
E-security addresses the security of a company, locates its vulnerabilities and supervises the mechanisms implemented to protect the on-line services provided by the company, in order to keep adversaries (hackers, malicious users and intruders) from getting into the company's networks, computers and services. Thus, in order to protect the critical information in electronic form belonging to any private or public sector organization, we need to employ e-security measures.

11.2 E-BUSINESS SECURITY ISSUES

E-Business Security Issues
1. Lack of trust in the privacy and E-Commerce security

Businesses that run E-Commerce operations experience several security risks, such as:
• Counterfeit sites: hackers can easily create fake versions of legitimate websites without incurring any costs. Therefore, the affected company may suffer severe damage to its reputation and valuation.
• Malicious alterations to websites: some fraudsters change the content of a website. Their goal is usually to either divert traffic to a competing website or destroy the affected company's reputation.
• Theft of clients' data: the e-commerce industry is full of cases where criminals have stolen the personal information of customers, such as addresses and credit card details.
• Damage to networks of computers: attackers may damage a company's online store using worm or virus attacks.
• Denial of service: some hackers prevent legitimate users from using the online store, causing a reduction in its functioning.
• Fraudulent access to sensitive data: attackers can get at intellectual property and steal, destroy, or change it to suit their malicious goals.

2. Malware, viruses, and online frauds

These issues cause losses in finances, market share, and reputation. Additionally, the clients may bring criminal charges against the company. Hackers can use worms, viruses, Trojan horses, and other malicious programs to infect computers in many different ways. Worms and viruses invade systems, multiply, and spread. Some hackers may hide Trojan horses in fake software, and start infections once the users download the software. These fraudulent programs may:
• hijack computer systems;
• erase all data;
• block data access;
• forward malicious links to clients and other computers in the network.

3. Uncertainty and complexity in online transactions

Online buyers face uncertainty and complexity during critical transaction activities. Such activities include payment, dispute resolution, and delivery.
During those points, they are likely to fall into the hands of fraudsters. Businesses have improved their transparency levels, for example by clearly stating the point of contact when a problem occurs. However, such measures often fail to disclose fully the collection and usage of personal data.
Stages in E-security design

A six-stage security design is discussed below:

Stage I: Developing corporate risk consciousness and management focus

For any security to work well there has to be a strong organizational foundation. Both management and employees must have a keen sense of how their interests and the fortune of the organization depend very strongly on their ability to safeguard their information resources.

Stage II: Performing risk assessment

Risk assessment is based on identifying threats, vulnerabilities and cost. A simple equation can be used to represent this process:

Risk = (Threat x Vulnerability x Cost of business disruption) / (Cost of countermeasure)

Stage III: Devising a systematic risk-management based e-business security policy

Security policy is the first tangible evidence of a credible security system. Every organization must have a comprehensive security policy. The policy must address each system component, internal and external threats, human and machine factors, and managerial and non-managerial responsibility. The security policy has the six objectives of e-business security: confidentiality, integrity, availability, legitimate use, auditing, and non-repudiation.

Stage IV: Implementing best practices in securing e-business infrastructure

This is the area of security risk management that is mainly a technology issue. Each component has to be addressed with a view to implementing a complete e-business secure infrastructure. Important elements will include cryptography, PKI and digital signature technology. The best practice is one that is not only impressive in its design and implementation but one that can be optimal. A best practice will be cost-effective, commensurate with the perceived information security risk of the organization.

Stage V: Analyzing, assessing and insuring residual risk

Once the best practices are in place and certified, any risk that is not covered must be addressed by means of an insurance mechanism. Those risks need to be further assessed in terms of the probability of the events and the subsequent financial impact on the organization.
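The Stage II equation and the Stage V residual-risk step, worked through in Python. This is an added example and not part of the original material; the exposures with their likelihoods, costs and countermeasure figures are constructed, and two readings are this example's assumptions: a risk value above 1 means the expected loss exceeds the countermeasure's cost, and an `effectiveness` factor gives the share of the vulnerability the countermeasure removes.

```python
from dataclasses import dataclass


@dataclass
class Exposure:
    """One threat/vulnerability pair from the Stage II assessment (constructed figures)."""
    name: str
    threat: float               # likelihood the threat is attempted in a year (0..1)
    vulnerability: float        # probability an attempt succeeds (0..1)
    disruption_cost: float      # cost of the business disruption if it succeeds
    countermeasure_cost: float  # yearly cost of the proposed countermeasure
    effectiveness: float        # assumed: fraction of the vulnerability removed (0..1)


def expected_loss(e: Exposure) -> float:
    """Threat x Vulnerability x Cost of business disruption, the numerator of the text's equation."""
    return e.threat * e.vulnerability * e.disruption_cost


def risk(e: Exposure) -> float:
    """The Stage II equation. Above 1 (assumed reading): the countermeasure costs less
    than the loss it is expected to prevent, so it should be funded."""
    return expected_loss(e) / e.countermeasure_cost


def residual_loss(e: Exposure) -> float:
    """Stage V: the expected loss that remains once the countermeasure is in place,
    i.e. what is left to cover by insurance."""
    return e.threat * e.vulnerability * (1.0 - e.effectiveness) * e.disruption_cost


def plan(exposures) -> list:
    """Rank exposures by the risk equation and decide which countermeasures to fund.
    Unfunded exposures carry their full expected loss forward as residual."""
    ranked = sorted(exposures, key=risk, reverse=True)
    return [
        {
            "name": e.name,
            "risk": round(risk(e), 2),
            "fund": risk(e) > 1.0,
            "residual": round(residual_loss(e) if risk(e) > 1.0 else expected_loss(e), 2),
        }
        for e in ranked
    ]


# Constructed assessment for a small online store (all figures are made up).
EXPOSURES = [
    Exposure("Credit-card data theft from web store", 0.6, 0.5, 500_000, 40_000, 0.9),
    Exposure("Website defacement", 0.8, 0.3, 20_000, 15_000, 0.8),
    Exposure("Insider access to files (employees)", 0.2, 0.4, 150_000, 10_000, 0.7),
    Exposure("Denial of service on store", 0.5, 0.6, 30_000, 25_000, 0.6),
]

if __name__ == "__main__":
    for row in plan(EXPOSURES):
        print(row)
```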
Stage VI: Monitoring and revising the system

Implementing effective e-business security is a dynamic process. The technology is changing very fast and so are the threats and vulnerabilities. Creating a security and risk management culture is a slow process. It is necessary to establish an effective monitoring and feedback system in order to determine the efficacy of
the security policy.

11.3 E-BUSINESS WEBSITE SECURITY

E-Business Website Security

Use Multi-Layer Security

It is helpful to employ various security layers to fortify your security. A Content Delivery Network (CDN) that is widespread can block DDoS threats and infectious incoming traffic. CDNs use machine learning to keep malicious traffic at bay. You can go ahead and squeeze in an extra security layer, such as Multi-Factor Authentication (MFA). Two-factor authentication is a good example: after the user enters the login information, they instantly receive an SMS or email for further action. This step blocks fraudsters, as they will require more than just usernames and passwords to access legitimate users' accounts. However, hacking can still occur even if MFA is in place.

Get Secure Server Layer (SSL) Certificates

One of the primary benefits of SSL certificates is to encrypt sensitive data shared across the internet. It ensures that the information reaches only the intended person. It is a very crucial step because all data sent will pass through multiple computers before the destination server receives it. If SSL certificate encryption is absent, any electronic device between the sender and the server can access sensitive details. Hackers can thus take advantage of your exposed passwords, usernames, credit card numbers, and other information. Therefore, the SSL certificate will come to your aid by making the data unreadable to unintended users.

Use rock-solid Firewalls

Use effective e-commerce software and plugins to bar untrusted networks and regulate the inflow and outflow of website traffic. They should provide selective permeability, only permitting trusted traffic to go through. You can trust the Astra firewall to stop spam, XSS, CSRF, malware, SQLi, and many other attacks on your website. It ensures that the only traffic that accesses your e-commerce store consists of real users.
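How the second factor described above can be issued and checked on the server side, as an added Python example that is not code from the original material or from any product it mentions. Delivery by SMS or email is outside the block: `issue()` returns the code for the caller to send. The six-digit length, five-minute lifetime and five-attempt limit are assumed values, and the `clock` parameter exists only so that expiry can be exercised without waiting.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

CODE_DIGITS = 6          # assumed: length of the one-time code
CODE_TTL_SECONDS = 300   # assumed: code is valid for five minutes
MAX_ATTEMPTS = 5         # assumed: wrong guesses allowed before the code is discarded


@dataclass
class PendingCode:
    digest: bytes        # only a keyed hash of the code is stored, never the code itself
    expires_at: float
    attempts: int = 0


class SecondFactor:
    """Issues and verifies the one-time codes sent after the username/password step."""

    def __init__(self, server_key: bytes, clock: Callable[[], float] = time.time) -> None:
        self._key = server_key        # server-side secret used to key the stored hashes
        self._clock = clock
        self._pending: Dict[str, PendingCode] = {}

    def _digest(self, user: str, code: str) -> bytes:
        # Binding the user name into the hash stops a code issued to one account
        # from verifying against another.
        return hmac.new(self._key, f"{user}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user: str) -> str:
        """Create a fresh code for `user` and return it for delivery by SMS or email.
        Re-issuing replaces any earlier code, so only one code is ever live per user."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = PendingCode(
            self._digest(user, code), self._clock() + CODE_TTL_SECONDS
        )
        return code

    def verify(self, user: str, code: str) -> bool:
        """True exactly once for the correct, unexpired code.
        Every failure path leaves nothing behind that could be retried indefinitely."""
        pending = self._pending.get(user)
        if pending is None:
            return False
        if self._clock() > pending.expires_at:
            del self._pending[user]       # expired: the user must request a new code
            return False
        pending.attempts += 1
        ok = hmac.compare_digest(pending.digest, self._digest(user, code))  # constant time
        if ok or pending.attempts >= MAX_ATTEMPTS:
            del self._pending[user]       # single use; discarded after repeated wrong guesses
        return ok


if __name__ == "__main__":
    sf = SecondFactor(b"constructed-server-key")
    code = sf.issue("alice")       # in a real deployment this is sent, not printed
    print("verify once:", sf.verify("alice", code), "verify again:", sf.verify("alice", code))
```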
Moreover, there are specialized WAF solutions for WordPress, Magento, OpenCart, PrestaShop, Drupal, Joomla, and custom-made PHP sites. In a nutshell, the Astra firewall provides protection from:
• OWASP top 10 threats;
• bad bots;
• spam;
• 100+ types of attacks.

Anti-Malware Software

Electronic devices, computer systems, and web systems need a program or software that detects and blocks malicious software, otherwise known as malware. Such protective software is called anti-malware software. An effective anti-malware tool should reveal all the hidden malware on your website. One such scanner is the Astra Malware Scanner. It scans your web system for all malicious software round the clock and is at your disposal; it also lets you automate your scans with its "Schedule a Scan" feature. You can schedule the scans daily, weekly, monthly or fortnightly.

Comply with PCI-DSS Requirements

Make it a routine to maintain the Payment Card Industry Data Security Standard (PCI-DSS) to protect all credit card data. All businesses that handle credit card transactions need to meet its requirements.

11.4 SECURING E-BUSINESS ELECTRONIC PAYMENT SYSTEMS

The ease of purchasing and selling products over the Internet has helped the growth of electronic commerce, and electronic payment services are a convenient and efficient way to do financial transactions. Generally we think of electronic payments as referring to online transactions on the internet, but there are actually many forms of electronic payments. As technology develops, the range of devices and processes to transact electronically continues to increase, while the percentage of cash and cheque transactions continues to decrease.

The Internet has the potential to become the most active trade intermediary within a decade. Also, Internet shopping may revolutionize retailing by allowing consumers to sit in their homes and buy an enormous variety of products and services from all over the world. Many businesses and consumers are still wary of conducting extensive business electronically. However, almost everyone will use some form of e-commerce in the near future.
An electronic payment system is needed for compensation for information, goods and services provided through the Internet (such as access to copyrighted materials, database searches or consumption of system resources), or as a convenient form of payment for external goods and services (such as merchandise and services provided outside the Internet). It helps to automate sales activities, extends the potential number of customers and may reduce the amount of paperwork.
Electronic payment is a financial exchange that takes place online between buyers and sellers. The content of this exchange is usually some form of digital financial instrument (such as encrypted credit card numbers, electronic cheques or digital cash) that is backed by a bank or an intermediary, or by a legal tender. Electronic payment is a subset of an e-commerce transaction and includes electronic payment for buying and selling goods or services offered through the Internet.

Types of E-Payment Systems

Electronic payment systems are proliferating in banking, retail, healthcare, on-line markets, and even government; in fact, anywhere money needs to change hands. Organizations are motivated by the need to deliver products and services more cost effectively and to provide a higher quality of service to customers. The emerging electronic payment technology is labelled as electronic funds transfer (EFT). EFT is defined as "any transfer of funds initiated through an electronic terminal, telephonic instrument, or computer or magnetic tape so as to order, instruct, or authorize a financial institution". EFT can be segmented into three broad categories:

Banking and Financial Payments
• Large-scale or wholesale payments (e.g., bank-to-bank transfer)
• Small-scale or retail payments (e.g., automated teller machines)
• Home banking (e.g., bill payment)

Retailing Payments
• Credit cards (e.g., VISA or MasterCard)
• Private label credit/debit cards (e.g., J.C. Penney Card)
• Charge cards (e.g., American Express)

On-Line Electronic Commerce Payments
• Token-based payment systems
  - Electronic cash (e.g., DigiCash)
  - Electronic cheques (e.g., NetCheque)
  - Smart cards or debit cards (e.g., Mondex Electronic Currency Card)
• Credit card-based payment systems
  - Encrypted credit cards (e.g., World Wide Web form-based encryption)
  - Third-party authorization numbers (e.g., First Virtual)

E-Commerce - Payment Systems

E-commerce sites use electronic payment, where electronic payment refers to paperless monetary transactions. Electronic payment has revolutionized business processing by reducing paperwork, transaction costs, and labor cost.
Being user friendly and less time-consuming than manual processing, it helps business organizations to expand their market
reach/expansion. Listed below are some of the modes of electronic payment:
• Credit Card
• Debit Card
• Smart Card
• E-Money
• Electronic Fund Transfer (EFT)

Credit Card

Payment using a credit card is one of the most common modes of electronic payment. A credit card is a small plastic card with a unique number attached to an account. It also has a magnetic strip embedded in it, which is used to read the credit card via card readers. When a customer purchases a product via credit card, the credit card issuer bank pays on behalf of the customer, and the customer has a certain time period after which he/she can pay the credit card bill. It is usually a monthly credit card payment cycle. Following are the actors in the credit card system:
• The card holder: customer
• The merchant: seller of the product who can accept credit card payments
• The card issuer bank: card holder's bank
• The acquirer bank: the merchant's bank
• The card brand: for example, Visa or MasterCard

Credit Card Payment Process

TABLE 11.4 Credit Card Payment Process

Step 1: Bank issues and activates a credit card to the customer on his/her request.
Step 2: The customer presents the credit card information to the merchant site or to the merchant from whom he/she wants to purchase a product/service.
Step 3: Merchant validates the customer's identity by asking for approval from the card brand company.
Step 4: Card brand company authenticates the credit card and pays the transaction by credit. Merchant keeps the sales slip.
Step 5: Merchant submits the sales slip to the acquirer bank and gets the service charges paid to him/her.
Step 6: Acquirer bank requests the card brand company to clear the credit amount and gets the payment. Now the card brand company asks to clear the amount from the issuer bank and the amount gets transferred to the card brand company.

Debit Card

A debit card, like a credit card, is a small plastic card with a unique number mapped to the bank account number. It is required to have a bank account before getting a debit card from the bank. The major difference between a debit card and a credit card is that in the case of payment through a debit card, the amount gets deducted from the card's bank account immediately and there should be sufficient balance in the bank account for the transaction to be completed; whereas in the case of a credit card transaction, there is no such compulsion. Debit cards free the customer from carrying cash and cheques. Even merchants accept a debit card readily. Having a restriction on the amount that can be withdrawn in a day using a debit card helps the customer keep a check on his/her spending.

Smart Card

A smart card is again similar to a credit card or a debit card in appearance, but it has a small microprocessor chip embedded in it. It has the capacity to store a customer's work-related and/or personal information. Smart cards are also used to store money, and the amount gets deducted after every transaction. Smart cards can only be accessed using a PIN that every customer is assigned. Smart cards are secure, as they store information in encrypted format, and are less expensive/provide faster processing. Mondex and Visa Cash cards are examples of smart cards.

E-Money

E-Money transactions refer to situations where payment is done over the network and the amount gets transferred from one financial body to another financial body without any involvement of a middleman. E-money transactions are faster, convenient, and save a lot of time.
Online payments done via credit cards, debit cards, or smart cards are examples of e-money transactions. Another popular example is e-cash. In the case of e-cash, both customer and merchant have to sign up with the bank or company issuing e-cash.
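The six steps of Table 11.4 above as a runnable Python model of the five actors, added here and not part of the original material. The card number, credit limit, dates, approval-code format and the 2% service charge retained by the acquirer are constructed; the one detail beyond the table is that the merchant's sales slip keeps only a masked card number, in line with the PCI-DSS principle of not retaining card data the business does not need.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional
import secrets

def mask_pan(pan: str) -> str:
    """Keep only the last four digits; a merchant has no need to retain the full number."""
    return "*" * (len(pan) - 4) + pan[-4:]

@dataclass
class Card:
    pan: str
    expiry: date
    credit_limit: int
    balance: int = 0         # credit used; repaid by the cardholder in the monthly cycle
    active: bool = False     # Step 1 activates it

@dataclass
class SalesSlip:             # Step 4: what the merchant keeps instead of the card number
    masked_pan: str
    amount: int
    approval_code: str

class IssuerBank:            # card holder's bank
    def __init__(self) -> None:
        self.cards: Dict[str, Card] = {}
        self.funds = 0
    def issue_card(self, pan: str, expiry: date, credit_limit: int) -> Card:   # Step 1
        self.cards[pan] = Card(pan, expiry, credit_limit, active=True)
        return self.cards[pan]
    def approve(self, pan: str, amount: int, today: date) -> bool:
        card = self.cards.get(pan)
        if card is None or not card.active or today > card.expiry or card.balance + amount > card.credit_limit:
            return False
        card.balance += amount   # the issuer pays on the customer's behalf
        return True
    def clear(self, amount: int) -> int:                                         # Step 6
        self.funds -= amount
        return amount

class CardBrand:             # card brand company
    def __init__(self, issuer: IssuerBank) -> None:
        self.issuer, self.funds = issuer, 0
        self.approvals: Dict[str, int] = {}
    def authorize(self, pan: str, amount: int, today: date) -> Optional[str]:     # Steps 3-4
        if not self.issuer.approve(pan, amount, today):
            return None
        code = secrets.token_hex(3).upper()   # constructed approval-code format
        self.approvals[code] = amount
        return code
    def clear(self, approval_code: str) -> int:                                  # Step 6
        amount = self.approvals.pop(approval_code)
        self.funds += self.issuer.clear(amount) - amount   # in from the issuer, out to the acquirer
        return amount

class AcquirerBank:          # merchant's bank
    def __init__(self, brand: CardBrand, service_charge_percent: int) -> None:
        self.brand, self.charge, self.funds = brand, service_charge_percent, 0
    def settle(self, slip: SalesSlip) -> int:                                    # Steps 5-6
        self.funds += self.brand.clear(slip.approval_code)
        payout = slip.amount - slip.amount * self.charge // 100   # service charge is retained
        self.funds -= payout
        return payout

class Merchant:
    def __init__(self, brand: CardBrand, acquirer: AcquirerBank) -> None:
        self.brand, self.acquirer, self.funds = brand, acquirer, 0
        self.slips: List[SalesSlip] = []
    def checkout(self, pan: str, amount: int, today: date) -> Optional[SalesSlip]:   # Steps 2-4
        code = self.brand.authorize(pan, amount, today)
        if code is None:
            return None
        self.slips.append(SalesSlip(mask_pan(pan), amount, code))
        return self.slips[-1]
    def settle_all(self) -> int:                                                 # Step 5
        total = sum(self.acquirer.settle(slip) for slip in self.slips)
        self.slips.clear()
        self.funds += total
        return total

def run_purchase_cycle() -> dict:
    """Constructed walk-through: one approved purchase, one declined over the limit,
    one declined on an expired card, then settlement of the approved slip."""
    issuer = IssuerBank()
    brand = CardBrand(issuer)
    acquirer = AcquirerBank(brand, service_charge_percent=2)
    merchant = Merchant(brand, acquirer)
    issuer.issue_card("4111111111111111", date(2030, 12, 31), credit_limit=1000)   # constructed test PAN
    today = date(2025, 1, 15)
    first = merchant.checkout("4111111111111111", 600, today)
    second = merchant.checkout("4111111111111111", 600, today)      # would exceed the limit: declined
    expired = merchant.checkout("4111111111111111", 50, date(2031, 1, 1))
    paid = merchant.settle_all()
    return {"first_slip": first, "second_slip": second, "expired_slip": expired, "merchant_paid": paid,
            "ledger": {"issuer": issuer.funds, "brand": brand.funds,
                       "acquirer": acquirer.funds, "merchant": merchant.funds}}
```

The ledger in the returned dictionary sums to zero: the issuer is out the purchase amount, the acquirer keeps the service charge, and the merchant receives the rest.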
Electronic Fund Transfer

It is a very popular electronic payment method to transfer money from one bank account to another bank account. Accounts can be in the same bank or different banks. Fund transfer can be done using an ATM (Automated Teller Machine) or using a computer. Nowadays, internet-based EFT is getting popular. In this case, a customer uses the website provided by the bank, logs in to the bank's website and registers another bank account. He/she then places a request to transfer a certain amount to that account. The customer's bank transfers the amount to the other account if it is in the same bank; otherwise the transfer request is forwarded to an ACH (Automated Clearing House) to transfer the amount to the other account, and the amount is deducted from the customer's account. Once the amount is transferred to the other account, the customer is notified of the fund transfer by the bank.

11.5 SUMMARY

As business activity grows on the Internet, security is becoming an important consideration to take into account and to address, to the stakeholders' satisfaction. Security is an essential part of any transaction that takes place over the internet. Customers will lose faith in e-business if its security is compromised. E-Commerce Security deals with the protection of E-commerce assets such as computers and networks from unauthorized access, use, alteration or distribution. Anything that can cause danger to the e-commerce assets is considered to be a threat. Systems that are connected to the internet are the targets for destruction/tampering of the data stored in them. Certain threats may result in severe financial loss and others may result in loss of reputation to an individual and to an organization. Computer and Internet Security has become a specialized area in itself. Its objective is to establish rules and measures to use against attacks over the Internet. Intruders can install malicious software such as spyware and viruses, which can steal sensitive business information.
E-commerce and network security are not simple; diligence is needed to prevent loss. Network security includes systems that protect networks, such as a local area network or wide area network. Different techniques are used to create a trusted zone in these networks. Firewalls divide the information technology world into two parts: the inside, trusted zone and the outside, untrusted zone. Businesses that run E-Commerce operations experience several security risks. Hackers can easily create fake versions of legitimate websites without incurring any costs. Malware, viruses, and online frauds can cause losses in finances, market share, and reputation. A six-stage security design was discussed in this unit. Every organization must have a comprehensive security policy for its e-business infrastructure. Important elements
will include cryptography, PKI and digital signature technology. Best practice is one that is not only impressive in its design and implementation but one that can be optimal. Creating a security and risk management culture is a slow process. It is helpful to employ various security layers to fortify your security. A Content Delivery Network (CDN) can block DDoS threats and infectious incoming traffic. Use rock-solid firewalls to bar untrusted networks and regulate the inflow and outflow of website traffic. The Astra Malware Scanner scans your web system for all malicious software round the clock. Comply with the Payment Card Industry Data Security Standard (PCI-DSS) to protect all credit card data. The Internet has the potential to become the most active trade intermediary within a decade. Electronic payment systems are proliferating in banking, retail, health care, on-line markets, and even government. EFT can be segmented into three broad categories: retail, banking and financial payments. Electronic payment has revolutionized business processing by reducing paperwork, transaction costs, and labor cost. A credit card is a plastic card with a unique number mapped to the bank account number. It is required to have a bank account before getting a debit card from a bank. Smart cards are secure, as they store information in encrypted format, and are less expensive/provide faster processing. E-Money transactions are faster, convenient and save a lot of time. Accounts can be in the same bank or different banks. Fund transfer can be done using an ATM (Automated Teller Machine) or using a computer. Nowadays, internet-based EFT is getting popular.

11.6 KEYWORDS

• E-Security: Encompasses security aspects of the information economy, including information systems and communications networks.
• Malware, viruses, and online frauds: These issues cause losses in finances, market share, and reputation. Additionally, the clients may bring criminal charges against the company.
• Firewalls: A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules.
• ACH (Automated Clearing House): Transfers the amount to the other account, and the amount is deducted from the customer's account.
• E-Money: Transactions refer to situations where payment is done over the network
and the amount gets transferred from one financial body to another financial body without any involvement of a middleman.
• ATM (Automated Teller Machine): An automated teller machine (ATM) is an electronic banking outlet that allows customers to complete basic transactions without the aid of a branch.
• PIN (Personal Identification Number): A PIN is a secret number which a customer can use, for example, with a bank card to withdraw money from a cash machine or ATM.
• PCI-DSS (Payment Card Industry Data Security Standard): The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements intended to ensure that all companies that process, store, or transmit credit card information maintain a secure environment.

11.7 LEARNING ACTIVITY

1. Write a short note on E-security.
2. What are the issues of internet security?

11.8 UNIT END QUESTIONS

A. Descriptive Questions

Short Questions
1. What is the concept of E-Security?
2. Explain the need for E-Security.
3. Explain the importance of E-Security.
4. Write a short note on EPS.
5. Explain the credit card payment cycle.

Long Questions
1. Describe the stages in E-Security design.
2. Briefly explain the issues of E-Security.
3. Give details about the issues of website E-Security.
4. What are the steps in the credit card process system?
5. Explain the types of EPS system.

B. Multiple Choice Questions

1. In computer networks, the encryption techniques are primarily used for improving the ________
   a. Security
   b. Performance
   c. Reliability
   d. Longevity

2. It can be a software program or a hardware device that filters all data packets coming through the internet, a network, etc. It is known as the _______:
   a. Antivirus
   b. Firewall
   c. Cookies
   d. Malware

3. What floods a website with so many requests for service that it slows down or crashes?
   a. Computer virus
   b. Worm
   c. Denial of service attack
   d. Virus

4. Which one of the following is also referred to as malicious software?
   a. Malicious ware
   b. Badware
   c. Illegalware
   d. Malware

5. ………………… is a financial instrument which can be used more than once to borrow money or buy products and services on credit.
   a. Credit card
   b. E-Cheques
   c. E-cash
   d. E-payment

Answers: 1-a, 2-b, 3-c, 4-d, 5-a
UNIT - 12: SECURING E-COMMERCE NETWORKS

STRUCTURE
12.0 Learning Objectives
12.1 Introduction
12.2 Securing E-commerce Networks
12.3 E-Commerce Security Protocols
12.4 Measurement of E-Security Tools
12.5 Summary
12.6 Keywords
12.7 Learning Activity
12.8 Unit End Questions
12.9 References

12.0 LEARNING OBJECTIVES

After studying this unit, you will be able to:
• Know the fundamentals of computer security
• Identify the E-Commerce security system
• Describe the security protocol system
• Point out the measurement of security tools

12.1 INTRODUCTION

Security for E-Commerce

As business activity grows on the Internet, security is becoming an important consideration to take into account and to address, to the stakeholders' satisfaction. Security is an essential part of any transaction that takes place over the internet. Customers will lose faith in e-business if its security is compromised. E-Commerce Security deals with the protection of E-commerce assets such as computers and networks from unauthorized access, use, alteration or distribution. Anything that can cause danger to the e-commerce assets is considered to be a threat. Systems that are connected to the internet are the targets for destruction/tampering of the data stored in them. Certain threats may result in severe financial loss and others may result in loss of reputation to an individual and to an organization. With growing internet use, such incidents would result in loss of trust in computers and networks and also a decline in the growth of public confidence in the internet. In this context security relates to three general areas:
• Secure file/information transfers
• Secure transactions
• Secure enterprise networks, when used to support Web commerce

Fundamentals of Computer Security

Computer security has several fundamental goals:
• Confidential: Information should not be accessible to unauthorized persons. It should not be intercepted during transmission.
• Integrity: Information should not be altered during its transmission over the network.
• Availability: Information should be available wherever and whenever required, within the time limit specified.
• Authenticity: There should be a mechanism to authenticate a user before giving him/her access to the required information.
• Non-Repudiation: It is protection against denial of order or denial of payment. Once a sender sends a message, the sender should not be able to deny sending the message. Similarly, the recipient of the message should not be able to deny receipt.
• Encryption: Information should be encrypted and decrypted only by authorized users.
• Auditable: Data should be recorded in such a way that it can be audited for integrity requirements.
• Fraud: Another issue to be tackled is just plain fraud, where the buyer simply supplies out-of-date or incorrect credit card information.

12.2 SECURING E-COMMERCE NETWORKS

Security Methods for E-commerce

In 1990, the WWW was established to share distributed information amongst individuals. The main technology of the Web consists of URLs, HTML and HTTP. A URL is a method to identify the location of the information available on the Internet. HTML is the language with which information on the Internet is represented, whereas HTTP is the language used for communication between Web servers and Web browsers. Security is the most important part of an E-commerce application for an organization because many Internet users access E-commerce applications. Therefore, an organization should be concerned about the security of its confidential information while conducting its business through E-commerce. Developers of an E-commerce application always try to build such an application in a cost-effective manner.
There are methods, such as digital signatures and encryption, which can be used to secure the important information in an E-commerce
application.

Secure Transport Protocols

Secure Hyper Text Transfer Protocol (S-HTTP) and SSL are two secure transport protocols that are required for exchanging information between the buyer and the merchant on the Internet in a secure and safe way. Both the S-HTTP and SSL protocols are responsible for transferring data between a browser and a server in an encrypted form. So, when you submit your credit card number through a WWW form, it travels to the server in an encrypted format.

Secure Hyper Text Transfer Protocol: S-HTTP is a secure extension of HTTP that was developed by the CommerceNet consortium. It is a protocol which is used for sending information on the Internet by ensuring confidentiality, authenticity and integrity of the information. S-HTTP is executed at the application layer and provides services such as firewalls and validation of electronic signatures. S-HTTP maintains end-to-end secure transactions encompassing cryptographic enhancements that are used for the transfer of data at the application layer. It also includes public-key cryptography from the RSA data security cipher to support shared secret password and Kerberos-based security systems. S-HTTP allows Internet users to access the merchant's website and provide the user's credit card number through their Web browsers. When S-HTTP encrypts the user's card number, the encrypted files are sent to the merchant. After decrypting the files, S-HTTP transmits the file to the user's browser to confirm the digital signatures.

Secure Socket Layers: The protocol SSL is used to provide privacy and confirmation with the help of SSL and electronic certificates, which are also known as digital certificates. In this procedure, a client, which is generally an on-line user, sends a request to the server and the server then acknowledges the client by sending a digital certificate. Both the server and the client should agree on the symmetric keys before starting the actual transmission.
These symmetric keys are used to encrypt the messages that follow between the communicating parties. Therefore, the information related to the credit card can be sent to the server safely with the help of SSL. However, a separate card known as Peripheral Component Interconnect (PCI) can also be used with SSL to provide security in electronic transactions. This card uses PKI and digital certificates for privacy and authentication purposes.

Secure Transactions:

S-HTTP and SSL protocols provide secure transactions by transferring money from one location to another in a secure and safe way. Netscape Communications Corporation and Microsoft Corporation have promoted three payment protocols and installed them in WWW browsers and servers. These three methods are as follows:
• MasterCard and Netscape have supported the Secure Electronic Payment Protocol (SEPP), which is one of the methods for securing transactions. ANSI is fast-tracking SEPP as a standard for the industry.
• Secure Transaction Technology (STT) is a secure payment protocol developed by Visa International and Microsoft. It uses cryptography to secure the confidential transfer of information, ensure the integrity of payment information and authenticate both the cardholders and the merchants.
• SET is a special protocol used to handle the various electronic transactions. It provides more efficient security technologies, which reduce the chances of information loss. It also uses encryption to make the application more secure.

Secure Electronic Payment Protocol:

SEPP is an open, vendor-neutral, license-free specification that secures on-line transactions. It provides a standard for presenting credit card transactions on the Internet. Some of the companies that developed SEPP are IBM, Netscape, CyberCash and MasterCard. SEPP helps in fulfilling some of the business requirements, which are stated as follows:
• It enables confidentiality of payment information.
• It ensures the integrity of all the payment data that is transmitted.
• It provides authentication that the card holder is the legitimate owner of the card account.
• It provides authentication that the merchant can receive MasterCard-branded card payments through an acquiring member financial institution.

E-commerce security system

Security is an essential part of any transaction that takes place over the internet. Customers will lose their faith in e-business if its security is compromised.
Following are the essential requirements for safe e-payments/transactions −
Confidentiality − Information should not be accessible to an unauthorized person. It should not be intercepted during transmission.
Integrity − Information should not be altered during its transmission over the network.
Availability − Information should be available wherever and whenever required within a specified time limit.
Authenticity − There should be a mechanism to authenticate a user before giving him/her access to the required information.
Non-Repudiability − It is the protection against the denial of order or denial of payment. Once a sender sends a message, the sender should not be able to deny sending the message. Similarly, the recipient of the message should not be able to deny receipt.
Encryption − Information should be encrypted and decrypted only by an authorized user.
Auditability − Data should be recorded in such a way that it can be audited for integrity requirements.

Measures to ensure Security

The major security measures are the following:
Encryption − It is a very effective and practical way to safeguard the data being transmitted over the network. The sender of the information encrypts the data using a secret code and only the specified receiver can decrypt the data using the same or a different secret code.
Digital Signature − A digital signature ensures the authenticity of the information. A digital signature is an e-signature authenticated through encryption and password.
Security Certificates − A security certificate is a unique digital id used to verify the identity of an individual website or user.

12.3 SECURITY PROTOCOLS

Security Protocols in Internet

We will discuss some of the popular protocols used over the internet to ensure secured online transactions.

Secure Socket Layer (SSL)

The SSL protocol is used to provide privacy and confirmation with the help of SSL and electronic certificates, which are also known as digital certificates. In this procedure, a client, generally an on-line user, sends a request to the server, and the server then acknowledges the client by sending a digital certificate. Both the server and the client should agree on the symmetric keys before starting the actual transmission. These symmetric keys are used to encrypt the messages that follow between the communicating parties.
Therefore, the information related to the credit card can be sent to the server safely with the help of SSL. However, a separate card known as Peripheral Component Interconnect (PCI) can also be used with SSL to provide security in electronic transactions. This card uses PKI and digital certificates for privacy and authentication purposes. The authentication can relate to the parties involved in the electronic transaction, who can be a merchant, a customer or a bank. The different types of information that need to be protected while performing electronic transactions are as follows:
• The credit card details presented by the cardholder to the merchant.
• The credit card details passed to the bank for processing.
• The details of the order and the customer details supplied to the merchant, either directly or from the payment gateway credit card processing company.

SSL is the most commonly used protocol and is widely used across the industry. It meets the following security requirements:
Authentication
Encryption
Integrity
Non-repudiability

"https://" is to be used for HTTP URLs with SSL, whereas "http://" is to be used for HTTP URLs without SSL.

Secure Hypertext Transfer Protocol (SHTTP)

Secure Hyper Text Transfer Protocol (S-HTTP) and SSL are two secure transport protocols that are required for exchanging information between the buyer and the merchant on the Internet in a secure and safe way. Both the S-HTTP and SSL protocols are responsible for transferring data between a browser and a server in an encrypted form. So, when you submit your credit card number through the merchant's WWW form, it travels to the server in an encrypted format.

S-HTTP is a secure extension of HTTP that was developed by the CommerceNet consortium. It is a protocol used for sending information on the Internet while ensuring the confidentiality, authenticity and integrity of the information. S-HTTP operates at the application layer and provides services such as firewalls and validation of electronic signatures. S-HTTP maintains end-to-end secure transactions, encompassing cryptographic enhancements that are used for the transfer of data at the application layer.
It also includes public-key cryptography from the RSA data security cipher to support shared-secret password and Kerberos-based security systems. S-HTTP allows Internet users to access the merchant's Website and provide their credit card number through their Web browsers. When S-HTTP encrypts the user's card number, the encrypted files are sent to the merchant. After decrypting the files, S-HTTP transmits the file to the user's browser to confirm the digital signatures. S-HTTP extends the HTTP internet protocol with public key encryption, authentication, and digital signature over the internet. Secure HTTP supports multiple security mechanisms, providing security to the end-users. S-HTTP works by negotiating the encryption scheme types used between the client and the server.

Secure Electronic Transaction (SET)

It is a secure protocol developed by MasterCard and Visa in collaboration. Theoretically, it is the best security protocol. It has the following components −
Card Holder's Digital Wallet Software − The Digital Wallet allows the card holder to make secure purchases online via a point-and-click interface.
Merchant Software − This software helps merchants to communicate with potential customers and financial institutions in a secure manner.
Payment Gateway Server Software − The payment gateway provides an automatic and standard payment process. It supports the process for the merchant's certificate request.
Certificate Authority Software − This software is used by financial institutions to issue digital certificates to card holders and merchants, and to enable them to register their account agreements for secure electronic commerce.

Levels of Validation

There are various levels of validation of an SSL (Secure Sockets Layer) certificate. Some of the most important ones are as follows −
Domain Validation SSL Certificate − It validates that the domain is registered by the system administrators and that they have administrator rights to approve the certificate request; this validation is generally done by an email request or by a DNS record.
Organization Validated SSL Certificates − It validates the domain ownership and also the business information like the Official Name, City, Country, etc.
This validation is done by email or by entering a DNS record, and the certificate authority would also need some genuine documents to verify the identity.
Extended Validation SSL Certificates − It validates domain ownership and organization information, plus the legal existence of the organization. It also validates that the organization is aware of the SSL certificate request and approves it. The validation requires documentation to certify the company identity plus a set of additional steps and checks. Extended Validation SSL Certificates are generally identified with a green address bar in the browser containing the company name.

12.4 MEASUREMENT E-SECURITY TOOLS

Security Tools:
These sections discuss some of the tools that are available to the planner.

Secure Transport Stacks:
The internet uses the transport control protocol TCP/IP as the primary network protocol. The IP packet consists of a 32-bit source and destination address. Most users access the internet via a graphical interface. Web browsers such as Netscape Navigator, Spyglass Enhanced Mosaic or Microsoft Internet Explorer communicate with a web server by means of HTTP. The two most prominent secure transport protocols are Secure Sockets Layer (SSL) and Secure HTTP (S-HTTP).

Kerberos
Kerberos provides a means of authentication in an open (unprotected) network. The service uses conventional (shared secret key) cryptography. It was developed as a part of the Institute of Technology project. It is a distributed system service running on the computer network.

Design principles of Kerberos:
• Both one-way and two-way authentication are supported.
• No unencrypted (clear text) password is transmitted over the network.
• No unencrypted password should be stored in the database.
• The shared key is held in memory for the shortest time possible, i.e. the length of the user's current login session.

Kerberos Authentication Process
The client sends a request to the authentication server requesting credentials for a given server. The credentials consist of the following:
• A ticket for the server
• A temporary encryption key (often called a session key)

Secure transactions over the internet:
There is a need for a secure transaction mechanism for transaction processing across the internet.
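The authentication process just described, simulated as an added example that is not code from this textbook: the authentication server returns a session key plus a ticket for the service, the client opens the reply with a key derived from its password (so the password itself is never sent), and the service opens the ticket with its own long-term key. The HMAC-based toy cipher, the PBKDF2 string-to-key step, the principal names "alice" and "shop" and the password are all assumptions made for the illustration; real Kerberos uses DES/AES and a salted string2key function.

```python
import hashlib
import hmac
import json
import secrets
import time


# Toy authenticated encryption (HMAC-SHA256 keystream, encrypt-then-MAC). It stands in for
# the conventional shared-key cipher (DES/AES) real Kerberos uses; it is for illustration only.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt and authenticate: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the tag before decrypting: a wrong key or a modified blob is rejected."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def string_to_key(password: str, principal: str) -> bytes:
    """Long-term key derived from the password (Kerberos's string2key). Only this derived
    key is stored by the AS or used by the client; the password never crosses the network."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 50_000)


class AuthenticationServer:
    """Holds the long-term key of every principal (users and services)."""

    def __init__(self, keys: dict):
        self.keys = keys

    def request_credentials(self, client: str, server: str, now: int, lifetime: int = 300) -> bytes:
        """AS exchange: the client asks for credentials for `server` and gets back, encrypted
        under its own key, a fresh session key plus a ticket only `server` can open."""
        session_key = secrets.token_bytes(32)
        expiry = now + lifetime
        ticket = seal(self.keys[server], json.dumps(
            {"client": client, "key": session_key.hex(), "exp": expiry}).encode())
        reply = {"server": server, "key": session_key.hex(), "exp": expiry, "ticket": ticket.hex()}
        return seal(self.keys[client], json.dumps(reply).encode())


def client_open_reply(client_key: bytes, reply: bytes, client: str, now: int):
    """Client side: decrypt the reply with the password-derived key, keep the session key,
    and build an authenticator (name + timestamp under the session key) to send with the ticket."""
    creds = json.loads(unseal(client_key, reply))
    session_key = bytes.fromhex(creds["key"])
    authenticator = seal(session_key, json.dumps({"client": client, "ts": now}).encode())
    return bytes.fromhex(creds["ticket"]), authenticator, session_key


def server_accept(server_key: bytes, ticket: bytes, authenticator: bytes, now: int, skew: int = 300):
    """Service side: open the ticket with its own long-term key, recover the session key, and
    check that the authenticator was made with it, names the same client and is fresh."""
    body = json.loads(unseal(server_key, ticket))
    if now > body["exp"]:
        raise ValueError("ticket expired")
    session_key = bytes.fromhex(body["key"])
    auth = json.loads(unseal(session_key, authenticator))
    if auth["client"] != body["client"]:
        raise ValueError("authenticator does not match ticket")
    if abs(now - auth["ts"]) > skew:
        raise ValueError("authenticator too old (possible replay)")
    return body["client"], session_key


def demo() -> str:
    """Constructed scenario: user 'alice' (made-up password) authenticates to the 'shop'
    service. Returns the client name the service accepted."""
    now = int(time.time())
    alice_key = string_to_key("correct horse battery", "alice")
    shop_key = secrets.token_bytes(32)
    kdc = AuthenticationServer({"alice": alice_key, "shop": shop_key})
    reply = kdc.request_credentials("alice", "shop", now)
    ticket, authenticator, _ = client_open_reply(alice_key, reply, "alice", now)
    client, _ = server_accept(shop_key, ticket, authenticator, now)
    return client


if __name__ == "__main__":
    print("service accepted client:", demo())
```

Three of the design principles listed above are visible in the code: the password is only ever turned into a key, a ticket opened with the wrong key or altered in transit is rejected by the tag check, and an expired ticket or stale authenticator is refused.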
Public key encryption as well as RSA cryptography techniques are used.

UNIX Security
UNIX provides various built-in security features, such as user passwords, file access and directory access controls, file encryption and security on password files. It also provides web support or, more generally, FTP and related support. Users have eight-character passwords. The user password is generally encrypted using the DES algorithm.

Password Security
Passwords and password information files are often the target of many attackers. Login attempts should be limited to as few tries as possible. Password security is only as good as the password itself.

One-time password
This is accomplished via an authentication scheme. There are several ways to implement one-time passwords.

Smart Cards:
A smart card is a portable device that contains some non-volatile memory and a microprocessor. Some smart cards allow users to enter a personal identification number (PIN) code.

Electronic mail
E-mail is one of the most widely used forms of communication over the internet. It uses the Simple Mail Transfer Protocol (SMTP), which provides inter-machine e-mail transfer services. The content of the message itself is usually in plain text format; there are a multitude of encryption systems available, such as Privacy Enhanced Mail (PEM). Anonymous remailers provide a service that forwards a user's mail message on to the destination address but without disclosing the return address of the sender. Example: [email protected]

Privacy Enhanced Mail:
Used to send e-mail that is automatically encrypted. PEM supports confidentiality, originator authentication, message integrity and non-repudiation of origin. MIC – Message Integrity Code (PEM also offers a MIC-only mode).

Pretty Good Privacy (PGP):
PGP is an actual program that has become the de facto standard on the internet for electronic mail.

Multipurpose Internet Mail Extensions
Textual messages exchanged on the internet can carry many types of recognizable non-ASCII data as MIME-enclosed messages. There is a potential for a downloaded object to be distributed to a user's PC and executed.

Server security:
Many web browsers allow the user to save the HTML source code used to create the web pages that are viewed, including the file names of the respective graphics, video programs and hyperlinks that would be executed by clicking on the web page items.

Trusting Binaries:
Security does not end with the various firewall and browser security products available. Take into account the issue of trusting executables: binaries at both ends must be secure as well.

E-Security Tools:
The tools which are used to secure e-commerce are:
• Firewalls – hardware and software
• Digital Signatures
• Digital Certificates
• Passwords
• Public key infrastructure
• Encryption Software
• Biometrics – retinal scan, fingerprints, voice, etc.
• Locks & Bars

Different issues of E-Commerce security system

For an Internet-based E-commerce application, a developer must consider the various issues that will arise if problems are not handled on time. Security is a very important aspect of any Web application; therefore, if a developer does not consider points of security, the application might fail to deliver the desired services to its full potential. On the Internet, buyers are always concerned about their social security number and credit card details. Other than E-commerce security, there are some other issues, which are as follows:
Security issues
General issues
Legal issues

Security Issues:
Security on the Internet means protection against unauthorized access by different users of the common E-commerce applications. Extra efforts must be made to develop an application that is designed in such a way that users can perform only those actions that are allowed to them. The various aspects of security that must be given special importance are as follows:
• Privacy is the most important feature required by a Web-based E-commerce system and is handled by encryption of data. In Public Key Infrastructure (PKI), a message is encrypted by a public key that is widely distributed and decrypted by a private key that is only held by the recipient for the identification of the sender. Banks and governments generally use such procedures to encrypt mails.
• Digital signatures and certificates are used to verify buyers and E-merchants. The certification authority issues digital documents to E-merchants and Web servers for their unique identification. A hash function is used to generate a value, known as a message digest, which is sent to the recipient along with the encrypted plain text and public key. The private key of the recipient is used to decrypt the information. Secure Socket Layers (SSL) uses the above two methods to ensure privacy and authentication. For this purpose, WWW uses different protocols to transfer the data in the form of packets by different routes. In this procedure, the client sends a message to the server, which replies with a digital certificate using different methods such as creating session keys for client negotiation and transmission of data for maintaining the security of the data.
• Peripheral Component Interconnect (PCI), Secure Electronic Transaction (SET), firewalls and Kerberos protocols are used to protect the information from hackers and outsiders. Some credit cards use SET for providing privacy of information to the users of Web-based E-commerce. Firewalls are used to protect the information stored in a Website from viruses and malice. The Kerberos protocol uses a symmetric secret key for the cryptography of information to restrict unauthorized access.
• Transactions are also used to maintain the privacy of sensitive information. In transactions, the credit card details of the buyer must be handled with digital certification of the SSL server on the E-merchant end, using a complex security gateway for the payment process in the bank. After that, the details of the order and the buyer are supplied to the buyer.

General issues
There are some general issues that should be considered for Web-based E-commerce systems. These issues are as follows:
• Inventory control is used to track the quantity of items in stock and maintain the stock files.
• The payment process should be done using special services such as PayPal and 2CheckOut. These services provide the whole information except the payment information to the buyer.
• Shipping cost can also affect WWW/Internet-based E-commerce, so there should be effective policies for delivering goods. If a company can afford the shipping cost of the item, then it should be paid by the company, as it helps impress the buyers. If there is no possibility of the company paying the shipping cost itself, then the sellers must tell the buyers about the extra amount needed for delivering the item.

Legal issues:
For a Web-based E-commerce system, the legal issues must be considered while taking decisions to handle risks. The legal issues are as follows:
• A trademark is used to identify a corporation or a company. Any word, sentence, symbol or design can be used as a trademark. According to the common law of business, the "®" symbol indicates a registered mark. Use of this mark as a trademark is illegal. In Web-based E-commerce, a unique domain name must be registered as a trademark or service mark of a company to avoid confusion in the mind of the buyer.
• Copyright is used to protect the content published on Websites. Copyright includes some special rights of the copyright owner, such as the exclusive right to modify a copy of the published content, to distribute the contents of the Websites and to perform or display the work publicly. A Website owner must give a warranty or license with the item or the service to the buyer.

Issues in using Web-based E-commerce:
There are a number of problems related to time, improvement, budget and the techniques used in Web-based E-commerce, as discussed below:
• Web-based E-commerce always depends on the speed of the Internet. If the speed of the Internet is too slow, the buyers can become bored or exhausted while waiting for the process to complete.
• In Web-based E-commerce, the users face problems in upgrading the process and the versions of the software due to the change in using different versions of application software.
• The cost of Web-based E-commerce has increased due to the changes done in the source code, the re-doing of all modifications of the application and the organization of the delivery chain. It is very difficult to handle complaints and queries of buyers and satisfy them by providing
full information about the goods.
• Some problems related to EDI, Extensible Markup Language (XML) and transparency may occur in WWW/Internet-based E-commerce.

12.5 SUMMARY

E-Commerce Security deals with the protection of E-commerce assets such as computers and networks from unauthorized access, use, alteration or distribution. Anything that can cause danger to the e-commerce assets is considered a threat. Systems that are connected to the internet are the targets for destruction/tampering of the data stored in them. Certain threats may result in severe financial loss and others may result in loss of reputation to an individual and to an organization. With the growing internet use, such incidents would result in loss of trust in computers and networks and also decline the growth of public confidence in the internet. Customers will lose faith in e-business if its security is compromised. In 1990, the WWW was established to share distributed information amongst individuals. S-HTTP is a secure extension of HTTP that was developed by the CommerceNet consortium. SSL and S-HTTP are two secure transport protocols that are required for exchanging information on the Internet in a secure way. The SSL protocol is used to provide privacy and confirmation with the help of SSL and electronic certificates. A separate card known as Peripheral Component Interconnect (PCI) can also be used with SSL to provide security in electronic transactions. This card uses PKI and digital certificates for privacy and authentication purposes. Security is an essential part of any transaction that takes place over the internet. Following are the essential requirements for safe e-payments/transactions.

Information should be encrypted and decrypted only by an authorized user. Secure Hypertext Transfer Protocol (S-HTTP) and SSL are two secure transport protocols that are required for exchanging information between buyer and merchant on the Internet in a secure and safe way. Both the S-HTTP and SSL protocols are responsible for transferring data between a user and a server in an encrypted form. S-HTTP is a secure extension of HTTP that was developed by the CommerceNet consortium. It provides services such as firewalls and validation of electronic signatures. S-HTTP extends the HTTP internet protocol with public key encryption,
authentication, and digital signature over the internet. The internet uses the transport control protocol TCP/IP as the primary network protocol. Most users access the internet via a graphical interface. Kerberos provides a means of authentication in an open (unprotected) network. It was developed as a part of the Institute of Technology project. Security does not end with the various firewall and browser security products available. Binaries at both ends must be secure as well. The tools which are used to secure e-commerce include firewalls, both hardware and software. Security on the Internet means protection against unauthorized access by different users of the common E-commerce applications. Extra efforts must be made to develop an application that is designed in such a way that the users can perform only those actions that are allowed to them. Privacy is the most important feature required by a Web-based E-commerce system. There are some general issues that should be considered for Web-based E-commerce systems. The payment process should be done using special services such as PayPal and 2CheckOut. Shipping cost can also affect WWW/Internet-based e-commerce, so there should be effective policies for delivering goods. Legal issues must be considered while taking decisions to handle risks in Web-based E-commerce. A trademark is used to identify a corporation or a company; use of this mark as a trademark is illegal. A website owner must give a warranty or license with the item or the service to the buyer.

12.6 KEYWORDS

Security Certificates: A security certificate is a unique digital id used to verify the identity of an individual website or user.
SHTTP: It extends the HTTP internet protocol with public key encryption, authentication, and digital signature over the internet.
Secure HTTP: It supports multiple security mechanisms, providing security to the end-users.
Digital Wallet Software: The Digital Wallet allows the card holder to make secure purchases online via a point-and-click interface.
Payment Gateway Server Software: The payment gateway provides an automatic and standard payment process. It supports the process for the merchant's certificate request.
Public Key Infrastructure (PKI): A public key infrastructure (PKI) is a system for the creation, storage, and distribution of digital certificates, which are used to verify that a particular public key belongs to a certain entity.
Extensible Markup Language (XML): Extensible Markup Language (XML) is a programming language commonly used by data-exchange services (like blog feeds) to
send information between otherwise incompatible systems.
Secure Electronic Transaction (SET): Secure Electronic Transaction was used to facilitate the secure transmission of consumer card information via electronic portals on the internet.

12.7 LEARNING ACTIVITY

1. Define SSL.
___________________________________________________________________________
___________________________________________________________________________
2. Explain the general threats to an E-Commerce Security System.
___________________________________________________________________________
___________________________________________________________________________

12.8 UNIT END QUESTIONS

A. Descriptive Questions

Short Questions
1. What do you mean by internet security?
2. State the fundamentals of a computer security system.
3. Write a short note on SHTTP.
4. Define SSL.
5. Explain the security measures of a system.

Long Questions
1. What are the security methods of E-Commerce?
2. Describe the internet security protocols.
3. Discuss the measurement of E-Security tools.
4. Explain the web-based issues in E-Commerce security.
5. Elaborate on the different issues of E-Commerce security.

B. Multiple Choice Questions
1. Which of the following is not a strong security protocol?
a. HTTPS
b. SSL
c. SMTP
d. SFTP
2. HTTPS is abbreviated as _________
a. Hypertexts Transfer Protocol Secured
b. Secured Hyper Text Transfer Protocol
c. Hyperlinked Text Transfer Protocol Secured
d. Hyper Text Transfer Protocol Secure
3. SSL primarily focuses on _______
a. integrity and authenticity
b. integrity and non-repudiation
c. authenticity and privacy
d. confidentiality and integrity
4. Why is an SSL certificate required in HTTP?
a. For making security weak
b. For making information move faster
c. For encrypting data sent over the HTTP protocol
d. For sending and receiving emails unencrypted
5. PCT is abbreviated as ________
a. Private Connecting Technology
b. Personal Communication Technology
c. Private Communication Technique
d. Private Communication Technology

Answers
1-c, 2-d, 3-a, 4-c, 5-d

12.9 REFERENCES
UNIT - 13: ELECTRONIC COMMERCE THREATS

STRUCTURE
13.0 Learning Objectives
13.1 Introduction
13.2 E-Commerce Threats
13.3 Types of Encryption
13.4 Digital Signature and Digital Certificate
13.5 Summary
13.6 Keywords
13.7 Learning Activity
13.8 Unit End Questions
13.9 References

13.0 LEARNING OBJECTIVES

After studying this unit, you will be able to:
• Describe the E-Commerce threats
• Minimize the threats using the techniques described
• State the benefits of digital signatures
• Create a digital certificate and signature
• List the types of digital signature

13.1 INTRODUCTION

E-Commerce Threats
Anything with the capability, technology, opportunity and intent to do harm is called a threat. Potential threats can be foreign or domestic, internal or external, state-sponsored or a single rogue element. Terrorists, insiders, disgruntled employees and hackers are included in this profile.

E-commerce threats can be classified into the following categories:
1. Intellectual property threats: the use of existing materials found on the Internet without the owner's permission, e.g., music downloading, domain names (cybersquatting), software pirating.
2. Client computer threats
• Trojan horse
• Active contents
• Viruses
3. Communication channel threats
• Sniffer program
• Backdoor
• Spoofing
• Denial-of-service
4. Server threats
• Privilege setting
• Server Side Include (SSI), Common Gateway Interface (CGI)
• File transfer
• Spamming

Procedures that recognize, reduce, or eliminate a threat
1. Intellectual property protection
• Legislature
• Authentication
2. Client computer protection
• Privacy -- Cookie blockers; Anonymizer
• Digital certificate
• Browser protection
• Antivirus software
• Computer forensics expert
3. Communication channel protection
• Encryption
  Public-key encryption (asymmetric) vs. Private-key encryption (symmetric)
  Encryption standards: Data Encryption Standard (DES), Advanced Encryption Standard (AES)
• Protocol
  Secure Sockets Layer (SSL)
  Secure Hypertext Transfer Protocol (S-HTTP)
• Digital signature: binds the message originator with the exact contents of the message
  A hash function is used to transform messages into a 128-bit digest (message digest).
  The sender's private key is used to encrypt the message digest (digital signature).
  The message + signature are sent to the receiver.
  The recipient uses the hash function to recalculate the message digest.
  The sender's public key is used to decrypt the message digest.
  Check to see if the recalculated message digest = decrypted message digest.
4. Server protection
• Access control and authentication
1. Digital signature from user
2. Username and password
3. Access control list
• Firewalls
International Computer Security Association's classification:
1. Packet filter firewall: checks the IP address of an incoming packet and rejects anything that does not match the list of trusted addresses (prone to IP spoofing).
2. Application-level proxy server: examines the application used for each individual IP packet (e.g., HTTP, FTP) to verify its authenticity.
3. Stateful packet inspection: examines all parts of the IP packet to determine whether or not to accept or reject the requested communication.

13.2 E-COMMERCE THREATS

E-Commerce – Threats
Major threats to present-day e-commerce may be listed thus:

i. Money thefts
E-commerce services are about transactions, and transactions are very largely driven by money. This attracts hackers, crackers and everyone with the knowledge of exploiting loopholes in a system. Once a chink in the armor is discovered, they feed the system (and users) with numerous bits of dubious information to extract confidential data (phishing). This is particularly dangerous as the data extracted may be credit card numbers, security passwords, transaction details etc. Also, payment gateways are vulnerable to interception by unethical users. Cleverly crafted strategies can siphon off a part or the entire amount being transferred from the user to the online vendor.

ii. Identity thefts
Hackers often gain access to sensitive information like user accounts, user details, addresses, confidential personal information etc. It is a significant threat in view of the privileges one can avail with a false identity. For instance, one can effortlessly log in to an online shopping mart under a stolen identity and make purchases worth thousands of dollars. He/she can then have the order delivered to an address other than the one listed on the records. One can easily see how those orders could be received by the impostor without arousing suspicion.
While the fraudster gains, the original account holder continues to pay the price until the offender is caught.
iii. Threats to the system
Viruses, worms and Trojans are deceptive means of stealing information. Unless the e-commerce solutions firm follows a sound anti-malware strategy, these malicious agents can compromise the credibility of all its e-commerce services. Often planted for reasons known only to their authors, viruses breed within systems and multiply at astonishing speed. Unchecked, they can cripple an entire system. The following precautionary steps can help:
i. Authentication: The most notable advances are in identifying and excluding non-genuine users. E-commerce service designers now use multi-level identification such as security questions, properly protected passwords (stored as salted hashes, not in the clear or merely encrypted), biometrics and other factors to confirm the identity of their customers. These steps are widely adopted because they are effective in weeding out unwelcome access.
ii. Intrusion checks: Tackling viruses and their like has also seen rapid development, with anti-virus vendors releasing strong products that are updated as new malware appears. Firewalls are another common security measure: they restrict access to and from the system to pre-approved users and access points.
iii. Educating users: E-commerce is run primarily by users, so service providers also educate users about safe practices that keep the whole operation trouble-free. Phishing has been contained to a good extent by informing genuine users of the perils of handing their confidential information to unauthorized parties.
An e-commerce threat is anything that can take advantage of a vulnerability to breach security and negatively alter, erase or harm an object of interest. Software attacks are attacks by viruses, worms, Trojan horses and the like. Many users believe that malware, viruses, worms and bots are all the same thing. They are not; their only similarity is that they are all malicious software, and they behave differently. Malware is a combination of two terms: malicious and software.
So malware means malicious software: program code, or anything else, designed to perform malicious operations on a system. Malware can be classified in two ways: by infection method and by the action it performs.
Malware by infection method:
Virus: Viruses replicate by attaching themselves to files on the host computer (executables, documents, or media files whose formats allow embedded code) and spread when those files are copied or shared. Creeper, an experimental self-replicating program on ARPANET in 1971, is usually cited as the first. Examples of virus types include file viruses, macro viruses, boot-sector viruses and stealth viruses.
Worms: Worms are also self-replicating, but they do not attach themselves to a program on the host computer. The biggest difference between a virus and a worm is that a worm is network-aware: it travels from one computer to another on its own whenever a network path is available. Even a worm with no deliberate payload does harm by consuming disk space, memory and bandwidth and slowing machines down, and many worms additionally install other malware.
Trojan: The concept of a Trojan is different from that of viruses and worms. The name derives from the 'Trojan Horse' tale in Greek mythology, which tells how the Greeks entered the fortified city of Troy by hiding soldiers in a big wooden horse given to the Trojans as a gift. The Trojans, fond of horses, trusted the gift blindly; at night the soldiers emerged and attacked the city from the inside. A Trojan conceals itself inside software that seems legitimate, and when that software is executed it carries out its real task, such as stealing information. Trojans often provide a backdoor through which malicious programs or malicious users enter your system and take your data without your knowledge or permission. Examples include FTP Trojans, proxy Trojans and remote access Trojans (RATs).
Bots: A bot can be seen as an advanced form of worm: an automated process designed to interact over the Internet without human intervention. Bots can be benign or malicious. A malicious bot infects a host and then connects to a command-and-control server, which issues commands to all infected hosts; that collection of hosts is called a botnet.
Malware by action:
Adware: Adware is not exactly malicious, but it does breach users' privacy. It displays advertisements on the desktop or inside individual programs. It comes bundled with free-to-use software and is the main source of revenue for such developers.
Adware monitors your interests and displays relevant advertisements. An attacker can embed malicious code inside such software, and adware can then monitor your system activity and even compromise your machine.
Spyware: Spyware is a program that monitors your activities on the computer and reveals the collected information to an interested party. Spyware is generally dropped by Trojans, viruses or worms; once dropped, it installs itself and sits silently to avoid detection. One of the most common examples of spyware is the keylogger, whose basic job is to record the user's keystrokes with timestamps, capturing information such as usernames, passwords and credit card details.
Ransomware: Ransomware is malware that either encrypts your files or locks your computer, making it partially or wholly inaccessible. A screen is then displayed demanding money, i.e., a ransom, in exchange for restoring access.
Scareware: Scareware masquerades as a tool to help fix your system, but when executed it infects or damages the system. It displays frightening messages to pressure you into some action, such as paying for a 'repair'.
Rootkits: Rootkits are designed to run with root (administrative) privileges and to hide their own presence, and that of other malware, from the user and from security tools. Once root access is gained, the attacker can do anything, from stealing private files to altering the system itself.
Zombies: A zombie is a computer compromised by a bot. The infection mechanism is like that of spyware, but zombies do not spy or steal on their own; they wait for commands from the attacker, for instance to join a denial-of-service attack.
Theft of intellectual property means violation of intellectual property rights such as copyrights and patents. Identity theft means impersonating someone else to obtain their personal information or to reach what they have access to, for example logging in to a person's computer or social media account with their credentials. Theft of equipment and information is increasing because of the mobile nature of devices and their growing storage capacity. Sabotage means destroying or defacing a company's website to make its customers lose confidence. Information extortion means stealing a company's property or information and demanding payment for its return; for example, ransomware may lock the victim's files, forcing the victim to pay before the files are unlocked.
These are the older generation of attacks, which continue today with refinements every year. Apart from these there are many other threats; below is a brief description of the newer generation of threats.
Technology with weak security: With every passing day a new gadget is released on the market, but very few are fully secured or follow information security principles.
Since the market is very competitive, security is compromised to get the device to market sooner. This leads to theft of data from such devices.
Social media attacks: Cyber criminals identify and infect a cluster of websites that people of a particular organisation visit, in order to steal information from them (a 'watering hole' attack).
Mobile malware: There is a saying that wherever there is Internet connectivity there is danger to security. The same goes for mobile phones, where gaming applications are designed to lure customers into downloading the game and, unintentionally, installing malware on the device.
Outdated security software: With new threats emerging every day, keeping security software updated is a prerequisite for a secure environment.
Corporate data on personal devices: Many organizations now allow BYOD, bring your own device, meaning employees use their own laptops, tablets and phones at the workplace. BYOD clearly poses a serious threat to the security of corporate data, but organizations adopt it for productivity reasons.
Social engineering: Social engineering is the art of manipulating people into giving up confidential information such as bank account details and passwords. Criminals trick you into revealing private information, or gain your trust to get access to your computer and install malicious software that gives them control of it. For example, you may receive an email or message that appears to come from a friend but was not sent by them: the criminal has compromised the friend's device and used its contact list to send infected messages to every contact. Because the message comes from a known person, the recipient is likely to open the link or attachment and unintentionally infect the computer.
How to minimize the threats
Perform a risk assessment: a list of information assets and their value to the firm.
Develop a security policy: a written statement of what assets to protect from whom, why these assets are being protected, who is responsible for what protection, and which behaviours are acceptable and unacceptable.
Develop an implementation plan: a set of action steps to achieve the security goals.
Create a security organization: a unit to administer the security policy.
Perform a security audit: a routine review of access logs and evaluation of security procedures.
Besides, the table below outlines some of the more prominent Internet security threats and the measures to be taken to protect against them.
TABLE 13.1 Internet security threats and measures
(Columns: nature of threat; effect of threat; measures of protection)
Virus
Effect: A virus is a piece of code that, when loaded onto a computer, is capable of attaching itself to other files and repeatedly replicating itself, usually without the user's knowledge. Some viruses lie dormant until activated by a trigger such as a date (a 'time bomb').
Measures: Anti-virus software protects against infection. You can also subscribe to a virus alert mailing list (for example, AusCERT, www.auscert.org.au). Exercise caution with unsolicited emails, especially if they have attachments; when in doubt, delete. Avoid having the preview pane open when using email.
Worm
Effect: A worm is a specialized type of virus. The most common form, an email or macro virus, arrives as an attachment to an email. Opening the email message activates the worm, which then sends itself to every address in your address book.
Measures: Most anti-virus software will stop worms or help fix the computer after infection. Exercise the other precautionary measures listed for viruses.
Trojan Horse
Effect: A Trojan Horse is another type of virus, which carries unauthorized software or viruses onto your computer. Some free software, shareware or games downloaded from the Internet may contain Trojan Horses.
Measures: Most anti-virus software will stop Trojan Horses or help fix the computer after infection. Be cautious about accepting email attachments, especially executable files ending in '.exe'. Exercise the other precautionary measures listed for viruses.
Denial of Service (DoS) attack
Effect: DoS attacks can render Internet-connected computers and networks unusable, mainly by overloading computers with messages. DoS attacks are popular with hackers and can deny users access to a website.
Measures: Anti-DoS software and services are available to assist in securing networks.
Port Scanning
Effect: Port scanning identifies 'open doors' to a computer (services that may provide a point of access for hackers). A computer's ports are scanned because they are where information enters and leaves the computer. Port scanning can also unnecessarily increase your Internet usage and associated costs by increasing the amount of data transmitted to and from your computer.
Measures: Firewalls (network servers and/or routers that filter out unwanted packets of data) can protect computers and servers from port scanning. Firewalls can be used to protect individual PCs as well as networks of computers.
Sniffer Program
Effect: Sniffer programs track data travelling over the Internet or other networks. They can be used legitimately for network management purposes, but they can also be used to steal unsecured data and information.
Measures: Ensure that no unauthorized equipment is connected to computers or the network. Use encryption to protect sensitive communications across a network.
Internet Dumping
Effect: Internet dumping occurs when a person logged on to the Internet has their modem connection to their usual dial-up number disconnected and reconnected to another number, either an international number or a 1900 (premium rate) number. In many cases people are not aware that they have been dumped until they receive an unusually high phone bill as a result of the modem's reconnection.
Measures: To prevent dumping, place a bar on all calls starting with 1900 on your phone service, and exercise caution in downloading and installing software from sites you do not trust. Complaints can be lodged with the Telecommunications Industry Ombudsman at www.tio.com.au.
13.3 ENCRYPTION
Encryption: the process of converting electronic data into another form, called ciphertext, which cannot be understood by anyone except the authorized parties. This provides data confidentiality.
Decryption: the process of turning ciphertext back into data. A message is encrypted at the sender's side using an encryption algorithm and decrypted at the receiver's end using the corresponding decryption algorithm. When a message such as a username or password must be kept secret, encryption and decryption are used to protect it.
Types of Encryption
Symmetric encryption: data is encrypted with a key, and decryption is done with the same key. Both parties must therefore already share that key in secret.
Asymmetric encryption: asymmetric cryptography is also known as public key cryptography. It uses a pair of keys, one public and one private, to encrypt and decrypt data. The key that can be shared with everyone is the public key; the key that is kept secret and known only to its owner is the private key. Mathematically, whatever one key of the pair transforms, the other key reverses. In practice the two directions serve different purposes: a message is encrypted with the recipient's public key so that only the recipient's private key can decrypt it, while a signature is created with the sender's private key so that anyone holding the public key can verify it, and each use has its own padding scheme.
Public key: the key that is known to everyone. For example, A publishes A's public key, and this information is available to all.
Private key: the key known only to the person to whom it belongs.
Authentication: any process by which a system verifies the identity of a user who wishes to access it.
Non-repudiation: ensuring that a transferred message has been sent and received by the parties claiming to have sent and received it. Non-repudiation guarantees that the sender cannot later deny having sent the message and that the recipient cannot deny having received it.
Integrity: ensuring that the message was not altered during transmission.
Message digest: a fixed-length representation of a text, produced by a formula called a one-way hash function. Signing a message digest with a private key creates a digital signature, which is an electronic means of authentication.
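The two types of encryption above are almost always combined in practice: a fast symmetric cipher protects the message, and a public-key operation protects only the short session key, which is how TLS and payment gateways move card data. The following Go program is an added example written for this edition, not code from the original text. It uses only the Go standard library; the key sizes, the choice of AES-256-GCM and RSA-OAEP, the function names and the sample data (an order identifier and a card number, which is a well-known test number) are the editor's assumptions and were constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope is what crosses the network: the session key wrapped under the
// recipient's RSA public key, plus the AES-GCM nonce and the ciphertext.
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// newRecipientKey generates the recipient's key pair. The public half is what
// a digital certificate would carry; the private half never leaves its owner.
func newRecipientKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// gcmFor returns an authenticated cipher for a 16-, 24- or 32-byte AES key.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptForRecipient combines both types of encryption: a fresh 256-bit
// session key protects the message (symmetric, one key both ways, fast), and
// the recipient's public key protects the session key (asymmetric, RSA-OAEP),
// so only the matching private key can recover it. aad is authenticated but
// sent in the clear, e.g. an order number the gateway must be able to read.
func encryptForRecipient(pub *rsa.PublicKey, plaintext, aad []byte) (*Envelope, error) {
	sessionKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, sessionKey); err != nil {
		return nil, err
	}
	gcm, err := gcmFor(sessionKey)
	if err != nil {
		return nil, err
	}
	// A GCM nonce must never repeat under one key; a random 96-bit nonce is
	// safe here because each session key encrypts exactly one message.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends a 16-byte authentication tag covering ciphertext and aad.
	ct := gcm.Seal(nil, nonce, plaintext, aad)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// decryptEnvelope reverses the process with the private key. A wrong key, a
// flipped ciphertext bit or a mismatched aad all fail closed: the caller gets
// an error, never silently corrupted plaintext.
func decryptEnvelope(priv *rsa.PrivateKey, env *Envelope, aad []byte) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap session key: wrong private key or corrupted envelope")
	}
	gcm, err := gcmFor(sessionKey)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, aad)
	if err != nil {
		return nil, errors.New("integrity check failed: ciphertext, nonce or aad was altered")
	}
	return pt, nil
}

func main() {
	priv, err := newRecipientKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample: card data that must cross the network unreadable.
	aad := []byte("order-id:1042")
	env, err := encryptForRecipient(&priv.PublicKey, []byte("PAN=4111111111111111;exp=12/29"), aad)
	if err != nil {
		panic(err)
	}
	pt, err := decryptEnvelope(priv, env, aad)
	fmt.Printf("recovered: %q (err=%v)\n", pt, err)

	env.Ciphertext[0] ^= 0x01 // an attacker flips one bit on the wire
	_, err = decryptEnvelope(priv, env, aad)
	fmt.Println("after tampering:", err)
}
```

The design point is that the symmetric layer provides integrity as well as secrecy: because GCM authenticates the ciphertext, the receiver learns that a message was altered instead of processing garbage, which a plain block-cipher mode would not guarantee.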
13.4 DIGITAL SIGNATURE AND DIGITAL CERTIFICATE
Digital Signature
A digital signature is a mathematical technique used to validate the authenticity and integrity of a message, software or digital document.
Key Generation Algorithms: Digital signatures are electronic signatures that assure the recipient that the message was sent by a particular sender. In digital transactions, authenticity and integrity must both be assured; otherwise the data can be altered, or someone can act as if they were the sender and expect a reply.
Signing Algorithms: To create a digital signature, signing software (for example, an email program) computes a one-way hash of the electronic data to be signed. The signing algorithm then applies the private key (signature key) to the hash value. This signed hash, along with other information such as the name of the hashing algorithm, is the digital signature. The digital signature is appended to the data and sent to the verifier. The reason for signing the hash instead of the entire message is that a hash function converts any arbitrary input into a much shorter fixed-length value: signing a short hash is much faster than signing a long message, and hashing itself is much faster than signing.
Signature Verification Algorithms: The verifier receives the digital signature along with the data. It runs the verification algorithm on the digital signature with the public key (verification key), which yields a value. It also applies the same hash function to the received data to obtain a hash value. The two values are compared: if they are equal the digital signature is valid, otherwise it is invalid.
The steps followed in creating a digital signature are:
1. The message digest is computed by applying the hash function to the message, and the digest is then signed with the sender's private key to form the digital signature. (digital signature = sign(private key of sender, message digest), where message digest = hash(message))
2. The digital signature is transmitted with the message (message + digital signature).
3. The receiver processes the digital signature with the sender's public key. This assures authenticity: only the sender holds the private key, so only the sender could have produced a signature that the sender's public key verifies.
4. The receiver now has the message digest recovered from the signature.
5. The receiver computes the message digest from the message itself (the actual message is sent with the digital signature).
6. The message digest computed by the receiver and the message digest recovered from the digital signature must be the same to ensure integrity.
7. The message digest is computed with a one-way hash function, i.e., a hash function for which computing the hash of a message is easy but computing a message from its hash value is infeasible.
Application of Digital Signature
The important reasons to apply digital signatures to communication are:
Authentication, non-repudiation and integrity.
Authentication: Authentication is a process that verifies the identity of a user who wants to access a system. In the context of digital signatures, it confirms the source of a message.
Non-repudiation: Non-repudiation is assurance of something that cannot be denied. It ensures that a party to a contract or communication cannot later deny the authenticity of their signature on a document or file, or the sending of a message they originated.
Integrity: Integrity ensures that the message is genuine and accurate and has been safeguarded against unauthorized modification during transmission.
Algorithms in Digital Signature
A digital signature scheme consists of three algorithms:
1. Key generation algorithm: selects a private key at random from the set of possible private keys, and outputs that private key together with its corresponding public key.
2. Signing algorithm: produces a signature for a given document and private key.
3. Signature verifying algorithm: given the document, the signature and the public key, either accepts or rejects the document's authenticity.
How digital signatures work
Digital signatures are created and verified using public key cryptography, also known as asymmetric cryptography. With a public key algorithm such as RSA, one can generate two keys that are mathematically linked: a private key and a public key. The user creating the digital signature uses their own private key to sign the hash of the document, and the signature can be verified only with the signer's public key. This technology requires all parties to trust that the individual who created the signature has kept their private key secret. If someone gains access to the signer's private key, they can create fraudulent signatures in the name of the private key holder.
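The three algorithms just described (key generation, signing, verification) and the numbered hash-then-sign steps earlier in this section, as an added Go example written for this edition rather than code from the original text. It uses only the Go standard library; the function names, the choice of RSA-PSS over SHA-256 and the sample order message are the editor's assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// newSigningKey is the key generation algorithm: the private half is the
// signature key, the public half the verification key.
func newSigningKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// signMessage is the signing algorithm: hash the message to a fixed-length
// digest, then apply the private key to the digest. RSA-PSS is the padded,
// standardised form of "encrypting the digest with the private key".
func signMessage(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg) // 256-bit message digest
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// verifyMessage is the verification algorithm: recompute the digest from the
// received message and check it against the signature with the public key only.
// Anyone can run this, which is what gives non-repudiation its force.
func verifyMessage(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

func main() {
	priv, err := newSigningKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample: an order the merchant must be able to prove the customer sent.
	msg := []byte("order 1042: pay 99.00 EUR to merchant 7731")
	sig, err := signMessage(priv, msg)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine message verifies:  ", verifyMessage(&priv.PublicKey, msg, sig))

	tampered := []byte("order 1042: pay 9900.00 EUR to merchant 7731")
	fmt.Println("altered amount verifies:   ", verifyMessage(&priv.PublicKey, tampered, sig))

	other, _ := newSigningKey()
	fmt.Println("other party's key verifies:", verifyMessage(&other.PublicKey, msg, sig))
}
```

Note that the verifier never touches the private key: the only secret-dependent step is signing, so a signature that verifies under the customer's public key could only have come from the holder of the matching private key.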
The steps followed in creating a digital signature are:
1. Select a file to be digitally signed.
2. The hash value of the message or file content is calculated.
3. This hash value is signed with the sender's private key to form the digital signature.
4. The original message or file content is transmitted along with the digital signature.
5. The receiver processes the digital signature with the sender's public key, recovering the hash value the sender signed.
6. The receiver computes the hash value of the received message or file content.
7. The two hash values are compared; they must be the same to confirm integrity.
Types of Digital Signature
Different document processing platforms support different types of digital signature. They are described below:
Figure 13.1 Types of digital signature
Certified Signatures
A document with a certified digital signature displays a unique blue ribbon across the top of the document. The certified signature contains the name of the document signer and the certificate issuer, which indicate the authorship and authenticity of the document.
Approval Signatures
Approval digital signatures on a document can be used in an organization's business workflow. They help to optimize the organization's approval procedure, which involves capturing approvals made by us and other individuals and embedding them within the PDF document. Approval signatures can include details such as an image of our physical signature, location, date and official seal.
Visible Digital Signature
A visible digital signature allows a user to sign a single document digitally. The signature appears on the document in the same way as a signature on a physical document.
Invisible Digital Signature
An invisible digital signature carries only a visual indication of a blue ribbon within the document's task bar. We use invisible digital signatures when we do not have, or do not want to display, a signature image but still need to provide the authenticity, integrity and origin of the document.
Digital Certificate
A digital certificate is issued by a trusted third party and proves the sender's identity to the receiver and the receiver's identity to the sender. It is a certificate issued by a Certificate Authority (CA) to verify the identity of the certificate holder. The CA issues a signed digital certificate containing the applicant's public key and a variety of other identification information. A digital certificate thus binds a public key to a particular individual or entity. A digital certificate contains:
The name of the certificate holder.
A serial number, used to uniquely identify the certificate and, through it, the individual or entity identified by the certificate.
Expiration dates.
A copy of the certificate holder's public key (used for encrypting messages to the holder and for verifying the holder's digital signatures).
The digital signature of the certificate-issuing authority.
Digital certificates are sent along with the digital signature and the message.
Components of a Digital Certificate
All of the following components can be found in the certificate details:
Serial Number: used to uniquely identify the certificate.
Subject: the person or entity identified.
Signature Algorithm: the algorithm used to create the signature.
Signature: the actual signature, used to verify that the certificate came from the issuer.
Issuer: the entity that verified the information and issued the certificate.
Valid-From: the date from which the certificate is first valid.
Valid-To: the expiration date.
Key Usage: the purpose of the public key (for example: encipherment, signature, certificate signing).
Public Key: the public key.
Thumbprint Algorithm: the algorithm used to hash the public key certificate.
Thumbprint: the hash itself, used as an abbreviated form of the public key certificate.
Digital certificate vs Digital signature:
A digital signature is used to verify authenticity, integrity and non-repudiation, i.e., it assures that the message was sent by the known user and was not modified, while a digital certificate is used to verify the identity of a user, whether sender or receiver. Thus a digital signature and a digital certificate are different kinds of things, but both are used for security. Most websites use digital certificates to enhance the trust of their users.
TABLE 13.2 Digital certificate vs Digital signature
Basics/Definition
Digital Signature: like a fingerprint or an attachment to a digital document that ensures its authenticity and integrity.
Digital Certificate: a file that ensures the holder's identity and provides security.
Process/Steps
Digital Signature: the hashed value of the original message is signed with the sender's secret key to generate the digital signature.
Digital Certificate: generated by a CA (Certifying Authority) in four steps: key generation, registration, verification and creation.
Security Services
Digital Signature: authenticity of the sender, integrity of the document and non-repudiation.
Digital Certificate: security and authenticity of the certificate holder.
Standard
Digital Signature: follows the Digital Signature Standard (DSS).
Digital Certificate: follows the X.509 standard format.
Benefits of Digital Signatures
Security is the main benefit of digital signatures. Security features and methods used alongside digital signatures include the following:
Personal identification numbers (PINs), passwords and codes: used to authenticate the signer's identity before their key is used. Email address, username and password are the most common methods.
Asymmetric cryptography: a public key algorithm with a private and a public key, used for signing and verification.
Checksum: a string of letters and numbers derived from a piece of digital data, against which comparisons can be made to detect errors or changes; a checksum acts as a fingerprint of the data.
Cyclic redundancy check (CRC): an error-detecting code used in digital networks and storage devices to detect changes to raw data. Note that checksums and CRCs only detect accidental corruption; an attacker can recompute them after altering data, so deliberate tampering is detected only by the cryptographic hash protected by the signature.
Certificate authority (CA) validation: CAs issue digital certificates and act as trusted third parties by accepting, authenticating, issuing and maintaining them. The use of CAs helps prevent the creation of fake digital certificates.
Trust service provider (TSP) validation: a TSP is a person or legal entity that validates digital signatures on a company's behalf and offers signature validation reports.
Timestamping: recording the date and time of a digital signature is useful when timing is critical, such as for stock trades, lottery ticket issuance and legal proceedings.
Globally accepted and legally compliant: the public key infrastructure (PKI) standard ensures that vendor-generated keys are created and stored securely. Because of the international standard, a growing number of countries accept digital signatures as legally binding.
Time savings: digital signatures simplify the time-consuming processes of physical document signing, storage and exchange, enabling businesses to access and sign documents quickly.
Cost savings: organizations can go paperless and save money previously spent on physical resources and on the time, personnel and office space used to manage and transport them.
Positive environmental impact: reducing paper use also cuts down on physical waste and on the environmental impact of transporting paper documents.
Traceability: digital signatures create an audit trail that makes internal record-keeping easier. With everything recorded and stored digitally, there are fewer opportunities for a manual signee or record-keeper to make a mistake or misplace something.
Classes and Types of Digital Signatures
There are three classes of digital signature certificates (DSCs), following the scheme used by India's Controller of Certifying Authorities:
Class 1: Cannot be used for legal business documents, as they are validated only against an email ID and username. Class 1 signatures provide a basic level of security and are used in environments with a low risk of data compromise.
Class 2: Often used for electronic filing (e-filing) of tax documents, including income tax returns and goods and services tax (GST) returns. Class 2 digital signatures authenticate a signer's identity against a pre-verified database and are used where the risks and consequences of data compromise are moderate.
Class 3: The highest level of digital signature. Class 3 requires a person or organization to appear before a certifying authority to prove their identity before a certificate is issued. Class 3 digital signatures are used for e-auctions, e-tendering, e-ticketing, court filings and other environments where threats to data or the consequences of a security failure are high.
Uses for Digital Signatures
Industries use digital signature technology to streamline processes and improve document integrity. Industries that use digital signatures include the following:
Government: The U.S. Government Publishing Office (GPO) publishes electronic versions of budgets, public and private laws, and congressional bills with digital signatures. Governments worldwide use digital signatures for a variety of purposes, including processing tax returns, verifying business-to-government (B2G) transactions, ratifying laws and managing contracts. Most government entities must adhere to strict laws, regulations and standards when using digital signatures. Many governments and corporations also use smart cards to identify their citizens and employees: physical cards carrying a signing key and certificate that can be used to give the cardholder access to an institution's systems or physical buildings.
Healthcare: Digital signatures are used in the healthcare industry to improve the efficiency of treatment and administrative processes, to strengthen data security, and for e-prescribing and hospital admissions. The use of digital signatures in healthcare must comply with the Health Insurance Portability and Accountability Act (HIPAA) of 1996.
Manufacturing: Manufacturing companies use digital signatures to speed up processes, including product design, quality assurance (QA), manufacturing enhancements, marketing and sales. The use of digital signatures in manufacturing is governed by the International Organization for Standardization (ISO) and the National Institute of Standards and Technology (NIST) Digital Manufacturing Certificate (DMC).
Financial services: The U.S. financial sector uses digital signatures for contracts, paperless banking, loan processing, insurance documentation, mortgages and more. This heavily regulated sector uses digital signatures with careful attention to the regulations and guidance put forth by the Electronic Signatures in Global and National Commerce Act (E-Sign Act), state Uniform Electronic Transactions Act (UETA) regulations, the Consumer Financial Protection Bureau (CFPB) and the Federal Financial Institutions Examination Council (FFIEC).
Cryptocurrencies: Digital signatures are also used in Bitcoin and other cryptocurrencies to authenticate transactions recorded on the blockchain. They are used to manage transaction data and as the way users prove ownership of currency or their participation in a transaction.
13.5 SUMMARY
The most common security threats are phishing attacks, money theft, data misuse, hacking, credit card fraud and unprotected services. Poor management is one of the main reasons for e-commerce threats. Ensuring the security of data transmitted over the Internet and the identity of each trading party is key to the development of e-commerce; security is its central problem. This chapter focuses on digital signature technology as applied to e-commerce security, built around a digital signature algorithm (the idea behind DSA) combined with specific e-commerce business applications. E-commerce threats can be classified into categories: foreign or domestic, internal or external, state-sponsored or a single rogue element. Terrorists, insiders, disgruntled employees and hackers are included in this profile. A countermeasure is a procedure that recognizes, reduces or eliminates a threat. Hackers often gain access to user accounts, user details, addresses and confidential personal information. Viruses, worms and Trojans are deceptive means of stealing information; unless a sound anti-malware strategy is used, these agents can compromise the credibility of all e-commerce services. Malware is a combination of two terms, malicious and software. A virus replicates itself by attaching to programs on the host computer.
The name Trojan derived from the 'Trojan Horse' tale in Greek mythology. Malware can be good or bad. Bots are automated processes designed to interact over the internet without human interaction. Spyware monitors your activities on computer and reveals collected information to interested parties. Scare ware masquerades as a tool to help fix your system but when the software is executed it will infect your system. Theft of equipment and information is increasing these days due to the mobile nature of devices and increasing information capacity. With new threats emerging every day, updating in security software is a pre requisite to have a fully secured environment. These are the old generation attacks that 249 CU IDOL SELF LEARNING MATERIAL (SLM)
continue these days also with advancement every year. Social Engineering – is the art of manipulating people so that they give up their confidential information like bank account details, password etc. These criminals can trick you into giving your private and confidential information or they will gain your trust to install a malicious software- that will give them control of your computer. Be cautious of accepting email attachments, especially executable files ending with '.exe'. Most Anti-Virus software will stop Trojan horse viruses or help fix the computer after infection. Port scanning identifies 'open doors' to a computer (vulnerabilities which may provide access by hackers). Internet Dumping occurs when a person's dial-up connection is disconnected and reconnected to another number - either an international number or a 1900 (premium rate) number. Complaints can be lodged with the Telecommunications Industry Ombudsman at www.tio.com.au. Encrypting a message digest with a private key creates a digital signature which is an electronic means of authentication. Digital signatures are electronic signatures, which assures that the message was sent by a particular sender. This digital signature is appended with the data and sent to the verifier. Digital signatures are created and verified by using public key cryptography, also known as asymmetric cryptography. The user who is creating the digital signature uses their own private key to encrypt the signature-related document. There is only one way to decrypt that document is with the use of signer's public key. 13.6 KEYWORDS Encryption – Process of converting electronic data into another form, called cipher text, which cannot be easily understood by anyone except the authorized parties. This assures data security. 
Uniform Electronic Transactions Act (UETA):The Uniform Electronic Transactions Act (UETA) establishes the legal equivalence of electronic records and signatures with paper writings and manually-signed signatures, removing barriers to electronic commerce. Consumer Financial Protection Bureau (CFPB):The Consumer Financial Protection Bureau (CFPB) is a 21st century agency that helps consumer finance markets work by making rules more effective, by consistently and fairly enforcing those rules, and by empowering consumers to take more control over their economic lives. Federal Financial Institutions Examination Council (FFIEC):The Council is a formal interagency body empowered to prescribe uniform principles, standards, and 250 CU IDOL SELF LEARNING MATERIAL (SLM)
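The digital-signature process described in the summary (digest the message, sign the digest with the private key, verify with the public key, and detect any alteration of the signed data), worked through as an added example that is not part of this chapter. It is a toy DSA over tiny constructed parameters using only the Python standard library; the parameter sizes and the sample message are illustrative assumptions, not a secure configuration.

```python
# Toy DSA (the summary's "DSA algorithm idea") over tiny constructed
# parameters; real deployments use 2048/3072-bit p per FIPS 186, not 24 bits.
import hashlib
import secrets

def _is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def make_params(start=10**7):  # prime q with p = 2q + 1 prime, g of order q mod p
    q = start
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 1
    p = 2 * q + 1
    g = pow(2, (p - 1) // q, p)   # g != 1 and g**q == 1 (mod p), so g has order q
    return p, q, g

def keygen(params):
    p, q, g = params
    x = secrets.randbelow(q - 1) + 1   # private key: held by the signer only
    return x, pow(g, x, p)             # public key y: handed to verifiers

def digest(message, q):  # SHA-256 of the message reduced into Z_q (toy-size shortcut)
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % q

def sign(params, x, message):
    """Sign the digest, not the message; DSA signing is not 'encryption' with x."""
    p, q, g = params
    h = digest(message, q)
    while True:
        k = secrets.randbelow(q - 1) + 1   # fresh nonce per signature; reuse leaks x
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (h + x * r) % q
        if r and s:                          # retry on the (rare) zero components
            return r, s

def verify(params, y, message, signature):
    p, q, g = params
    r, s = signature
    if not (0 < r < q and 0 < s < q):        # reject malformed signatures first
        return False
    w = pow(s, -1, q)
    u1, u2 = digest(message, q) * w % q, r * w % q
    return pow(g, u1, p) * pow(y, u2, p) % p % q == r

def demo():
    params = make_params()
    x, y = keygen(params)
    order = b"PAY 100 USD to merchant A"   # constructed sample message
    sig = sign(params, x, order)           # appended to the data and sent to the verifier
    return verify(params, y, order, sig), verify(params, y, b"PAY 900 USD to merchant A", sig)
```

`demo()` returns `(True, False)`: the genuine order verifies under the signer's public key, while the same signature presented with an altered amount is rejected.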