
eCommerce and Security Issues

Overview

This is not a comprehensive discussion; the idea is to make you aware of eCommerce and the issues related to it.

History of eCommerce (Source: Wikipedia)

The meaning of electronic commerce has changed over the last 30 years. Originally, electronic commerce meant the facilitation of commercial transactions electronically, using technology such as EDI and EFT. These were both introduced in the late 1970s, allowing businesses to send commercial documents like purchase orders or invoices electronically. The growth and acceptance of credit cards, automated teller machines (ATMs) and telephone banking in the 1980s were also forms of electronic commerce. Another form of e-commerce was the airline reservation system, typified by Sabre in the USA and Travicom in the UK.

Online shopping was invented in the UK in 1979 by Michael Aldrich. During the 1980s it was used extensively, particularly by auto manufacturers such as Ford, Peugeot-Talbot, General Motors and Nissan. From the 1990s onwards, electronic commerce would additionally include enterprise resource planning (ERP) systems, data mining and data warehousing.

Although the Internet became popular worldwide in 1994, it took about five years to introduce security protocols and DSL allowing a continual connection to the Internet. By the end of 2000, many European and American companies offered their services through the World Wide Web. Since then people have associated the word "ecommerce" with the ability to purchase various goods through the Internet using secure protocols and electronic payment services. India started using eCommerce roughly from 2002 onwards.

eCommerce

Electronic commerce, commonly known as e-commerce or eCommerce, consists of the buying and selling of products or services over electronic systems such as the Internet and other computer networks.

Modern electronic commerce typically uses the World Wide Web at least at some point in the transaction's lifecycle, although it can encompass a wider range of technologies such as e-mail as well. Electronic commerce is generally considered to be the sales aspect of e-business. It also consists of the exchange of data to facilitate the financing and payment aspects of business transactions. Thus, eCommerce is the process of buying, selling or exchanging products, services and information via computer networks, including the Internet.

Electronic commerce conducted between businesses is referred to as business-to-business or B2B. B2B can be open to all interested parties (e.g. a commodity exchange) or limited to specific, pre-qualified participants (a private electronic market). Electronic commerce conducted between businesses and consumers, on the other hand, is referred to as business-to-consumer or B2C. This is the type of electronic commerce conducted by companies such as Amazon.com.
For Educational Purpose only. Vicky D. Shah Page 1 of 10

eCommerce Perspectives

- From a communications perspective, it is the delivery of information, products/services, or payments over telephone lines, computer networks, or any other electronic means.
- From a business process perspective, it is the application of technology toward the automation of business transactions and workflow.
- From a service perspective, it is a tool that addresses the desire of firms, consumers, and management to cut service costs while improving the quality of goods and increasing the speed of service delivery.
- From an online perspective, it provides the capability of buying and selling products and information on the Internet and other online services.

Electronic Data Interchange (EDI)

Developed in the early 1960s as a means of accelerating the movement of documents pertaining to shipments and transportation. It is defined as the electronic transfer, from one computer to another, of computer-processable data using an agreed standard to structure the data. The National Institute of Standards and Technology, in a 1996 publication, defines Electronic Data Interchange as "the computer-to-computer interchange of strictly formatted messages that represent documents other than monetary instruments". Human intervention is allowed only when there is an error, for quality review, and in special situations.

Electronic Funds Transfer (EFT)

EFT is defined as any transfer of funds initiated through an electronic terminal, telephonic instrument, computer or magnetic tape so as to order, instruct, or authorize a financial institution to debit or credit an account. The term is used for a number of different concepts:

- Cardholder-initiated transactions, where a cardholder makes use of a payment card
- Direct deposit payroll payments from a business to its employees, possibly via a payroll services company
- Direct debit payments from customer to business, where the transaction is initiated by the business with the customer's permission
- Electronic bill payment in online banking, which may be delivered by EFT or paper check
- Transactions involving stored value of electronic money, possibly in a private currency
- Wire transfer via an international banking network (generally carries a higher fee)

Payment System

A payment system is a system (including physical or electronic infrastructure and associated procedures and protocols) used to settle financial transactions in markets (bond markets, currency markets, futures, derivatives, etc.) or to transfer funds between financial institutions. Examples of payment gateways: PayPal, PaisaPay, CC Avenue.

Intranet and Extranet

An "intranet" is the generic term for a collection of private computer networks within an organization. Extranets are extended intranets connecting organizations, which may include personnel, customers, suppliers and strategic partners. An extranet is one way in which a firm can improve its offering and remain competitive. Intranets and extranets are communication tools designed to enable easy information sharing within workgroups.

- Example, intranet: many schools and non-profit groups have deployed intranets, but an intranet is still seen primarily as a corporate productivity tool.
- Example, extranet: allowing controlled access to an otherwise private company network enables business-to-business transactions and file sharing.

Value Chain in eCommerce

Primary activities:
- Identifying customers
- Design
- Purchase of material and supply
- Manufacturing
- Market and sell
- Delivery of products
- Providing after-sale service and support

Supporting activities:
- Finance and administration
- Human resources
- Developing technology

Elements Responsible for the Success of eCommerce

- Finance
- Technology
- Team
- Back-office
- Strategic alliances
- Initial marketing efforts
- Competition
- Target audience
- Transaction security
- Network security
- Reliability
- Speed
- Brand awareness
- Traffic volumes
- Community building and stickiness

eCommerce Business Models

By type of transaction:
- Business to Business (B2B)
- Business to Consumer (B2C)
- Consumer to Consumer (C2C)
- Business to Anyone (B2A)

By type of operation. Every eCommerce transaction passes through four operations:
1) Product information
2) Order registration
3) Order execution
4) Payment collection

Three models (A, B and C) differ in which of these operations are carried out online:

Model     Product information   Order registration   Order execution   Payment collection
Model A   Online                Online               Online            Online
Model B   Online                Online               Offline           Online
Model C   Online                Online               Offline           Offline

By type of connectivity:
- Using EDI connectivity: governments
- Using VPN connectivity: private companies
- Using Internet connectivity: end users

By revenue model:
- Subscription revenue model: hosting services, etc.
- Advertising revenue model: Google search engine, etc.
- Commission model: eBay, etc.

Applications of eCommerce

- Email
- Enterprise content management
- Instant messaging
- Newsgroups
- Online shopping and order tracking
- Online banking
- Online office suites
- Domestic and international payment systems
- Shopping cart software
- Teleconferencing
- Electronic tickets

Advantages of eCommerce

- Increased profit
- Large customer base
- Increased purchasing opportunities for customers
- Faster transactions and multiple choices
- Improved and easier payment systems
- Security
- Accessibility
- E-learning or distance education

Disadvantages of eCommerce

- Non-acceptance of eCommerce by business processes
- Technological issues
- Scarcity of potential customers
- Cost-benefit issues
- Software issues
- Legal issues

E-Commerce Security (topics covered below)

- Security issues
- eCommerce issues
- Risks
- Damage to site
- Key distribution, certificate authorities

Security Issues

- Confidentiality: no unauthorized person can view the transaction.
- Integrity: information sent by the sender should be received exactly as sent; any alteration in transit, deliberate or accidental, must be detectable.
- Availability: the information and the service should be available 24x7.
- Authentication: the receiver should be able to establish who sent the information; in practice an acknowledgement is also returned on receipt of the data.
- Non-repudiation: neither the sender nor the receiver can later deny having sent or received the message. This matters especially for online payments.

E-Commerce Issues

- What are the threats to e-commerce sites?
  - Who are the likely attackers?
  - How do we defend, or at least minimise our losses?
- E-commerce security technology: SSL/TLS (https), certificates, certificate authorities
- Theft from our bank account
- Not getting paid for a product
  - stolen credit card
  - dishonest customer repudiates the purchase
- Damage to the site (defacement, DoS)
- Theft of personal data about customers

Damage to Site

- Deface the web site: obscene content, rude language on the home page
- Crash the web site: Distributed Denial of Service (DDoS) attacks
  - The attacker compromises a large number of computers on the net and gets all of them to flood the victim with packets or otherwise attempt to deny service
  - Difficult to stop

Legal Issues

- Legal defence: due diligence
  - Show that you have used the best available technology to protect data
  - Firewalls are commonly pointed to as evidence of this. On their own they are not very effective for a web shop, because the attacks that matter arrive through the web application itself over the ports the firewall must leave open. A control bought because it looks impressive rather than because it works is not due diligence, and it will not hold up once an incident is examined.
- Domain name issues
- Trademark and copyright issues
- Dispute resolution

Risks

- Who pays if there is fraud?
  - The customer?
  - The retailer (the e-commerce site)?
  - The credit-card company?
  - Someone else?
- Business goal: risk is fine as long as someone else pays!
- Credit-card fraud

Secure Servers

- Servers which use cryptographic protocols (such as SSL/TLS) so that network traffic is private and authenticated:
  - credit-card information cannot be read in transit
  - shipping addresses cannot be changed in transit
- There are easier ways of getting card numbers than spying on the network:
  - credit-card receipts from the recycle bin
  - bugging phones is easier than tapping the Web!

Certificate Authorities

A certificate authority authenticates public keys by signing them: its signature binds a public key to the identity named in the certificate, so a client that trusts the CA can trust that the key belongs to that site.

Emerging Technological Aspects

- mCommerce and location-based services: already exist and are here to stay
- eCommerce will be partially replaced by mCommerce
- More sophisticated and organized attacks are anticipated
- It is anticipated that 80% of business would be online

IT Act 2000

- Basic legal framework for e-commerce, to promote trust in the electronic environment
- Acceptance of electronic documents as evidence in a court of law, and acceptance of electronic signatures
- E-commerce and e-governance as major applications, through the legal sanctity accorded to electronic records and digital signatures
- Acceptance of electronic documents by the government
- Definition of digital signatures based on asymmetric public key cryptography
- Establishment of Certifying Authorities to issue digital signature certificates for authentication of users in e-commerce and e-governance
- Amendments to the IT Act have addressed industry's concerns on data protection issues, creating an enabling legal environment in India that addresses breaches of confidentiality and integrity of data

Encryption, Decryption and Digital Signatures

What is cryptography? The science of secret (hidden) writing, from the Greek kryptos (hidden) and graphein (to write).
- Encrypt / encipher: convert plaintext into ciphertext
- Decrypt / decipher: convert ciphertext into plaintext

What is a digital signature? A digital signature is an electronic means of authenticating an online identity. A digital signature can:
- Authenticate the identity of the sender of a message or the signer of a document
- Be used to ensure that the original content of the message is unchanged

Traditional paper-based solutions:
- Confidentiality: envelopes
- Integrity: signatures, watermarks
- Authenticity: notaries, strong physical presence
- Non-repudiation: signatures, receipts, confirmations

Electronic solutions:
- Confidentiality: data encryption
- Authenticity: digital signatures, certificates
- Integrity: hash algorithms, message digests
- Non-repudiation: digital signatures, audit logs

Requirements for public key systems:
- SECRECY of the private key
  - Must be known only to the owner
  - Key ownership = identity: whoever holds the private key can sign as the owner
- AVAILABILITY of the public key
  - Must be available to anyone
  - Requires a public directory, plus a way to trust that the key in the directory really belongs to the named owner (this is what certificates provide)
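
The following is an added example, not code from the original notes, that puts the Security Issues list and the "Electronic solutions" table above into working Go. A purchase order is hashed and signed with an Ed25519 key. The message digest alone detects accidental corruption, but an attacker who rewrites the shipping address can simply recompute it; the signature fails on any change to the body and can only be produced by the holder of the private key, which is what gives integrity, authentication and non-repudiation. The order encoding, the field names and the SignedOrder type are assumptions made for this example, and Ed25519 is used because Go's standard library provides it; the notes do not name a specific algorithm.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedOrder is a purchase order plus the protection the sender attaches to it.
// The structure and the order encoding are assumptions for this example.
type SignedOrder struct {
	Body      string   // e.g. "order=1001;item=laptop;qty=1;ship_to=12 Main St"
	Digest    [32]byte // SHA-256 of Body: integrity against accidental change only
	Signature []byte   // Ed25519 signature over Body: integrity + authentication
}

// SignOrder computes the message digest and signs the order body with the
// sender's private key. Ed25519 hashes internally, so the body is passed to
// Sign directly; the separate digest is kept to contrast the two checks.
func SignOrder(priv ed25519.PrivateKey, body string) SignedOrder {
	return SignedOrder{
		Body:      body,
		Digest:    sha256.Sum256([]byte(body)),
		Signature: ed25519.Sign(priv, []byte(body)),
	}
}

// DigestMatches reports whether the stored digest still matches the body.
// This catches corruption in transit but NOT a deliberate attacker, who can
// recompute the digest after editing the body: nothing secret is involved.
func DigestMatches(o SignedOrder) bool {
	return sha256.Sum256([]byte(o.Body)) == o.Digest
}

// VerifyOrder checks the signature against the sender's public key. Only the
// holder of the matching private key can produce a valid signature, so a pass
// authenticates the sender and supports non-repudiation; any change to the
// body, or a signature made under someone else's key, fails. The length
// checks keep a malformed key from panicking inside ed25519.Verify.
func VerifyOrder(pub ed25519.PublicKey, o SignedOrder) bool {
	return len(pub) == ed25519.PublicKeySize &&
		len(o.Signature) == ed25519.SignatureSize &&
		ed25519.Verify(pub, []byte(o.Body), o.Signature)
}

// TamperAndRehash models a man-in-the-middle who rewrites the shipping
// address and recomputes the digest so that a digest-only check still passes.
func TamperAndRehash(o SignedOrder, newBody string) SignedOrder {
	o.Body = newBody
	o.Digest = sha256.Sum256([]byte(newBody))
	return o
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample order; not a real transaction.
	genuine := SignOrder(priv, "order=1001;item=laptop;qty=1;ship_to=12 Main St")
	forged := TamperAndRehash(genuine, "order=1001;item=laptop;qty=1;ship_to=99 Attacker Rd")

	fmt.Println("genuine: digest ok =", DigestMatches(genuine), " signature ok =", VerifyOrder(pub, genuine))
	fmt.Println("forged:  digest ok =", DigestMatches(forged), " signature ok =", VerifyOrder(pub, forged))
	// genuine: digest ok = true  signature ok = true
	// forged:  digest ok = true  signature ok = false
}
```

The point to take from the two output lines is the second one: the digest-only check passes on the forged order, because a hash binds the data to nothing but itself. Binding it to an identity needs a key that only the sender holds, which is the SECRECY requirement listed above; how the receiver learns the matching public key in a trustworthy way is the job of certificates, covered next.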

Certificate Authorities (CAs)

- A small set of trusted entities known as Certificate Authorities (CAs) are established to sign certificates
- A Certificate Authority is an entity that exists only to sign user certificates
- The CA signs its own certificate (a self-signed root), which is distributed in a trusted manner, for example as part of a browser or operating system trust store

Retrieving public keys:
- Public keys are stored in repositories
- Keys can be retrieved on demand

Certification Authorities (CAs):
- Users send their public keys to a Certification Authority
- The CA then generates a certificate for the user and keeps a copy of it in the certificate repository

Registration:
- Registration Authority (RA)
  - verification of user information
  - policy enforcement
  - no liability
  - only handles registration, not re-issuance, revocation, etc.
  - works with the CA
- Registration can be local or outsourced

Business Implications of Digital Signatures

- Commercial entities: B2C, B2B
- Non-commercial entities: government, general society

Advantages of Digital Signatures

- Prevent fraud: a forged or altered message fails verification
- Detect unauthorized alteration of data (a signature does not by itself keep data confidential; that requires encryption)
- Preserve data integrity

Applications

- Contract signing
- Areas such as business transactions (e-commerce), banking and insurance
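
As an added example, not part of the original notes, the following Go program ties together the "Secure Servers" and "Certificate Authorities" slides: a root CA signs its own certificate, issues a certificate binding a shop's hostname to the shop's public key, and a client verifies the chain the way a browser does before trusting an https:// connection. Two failures a practitioner should expect to see are included: a valid certificate presented for the wrong hostname, and a certificate for the right hostname issued by a CA the client does not trust. The hostnames (shop.example, evil.example), the CA names, the serial numbers and the choice of ECDSA P-256 are assumptions made for this example; the chain building and hostname matching are done by Go's standard crypto/x509 package.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA is a certificate authority: its own certificate plus the signing key.
// The key must stay secret (see "Requirements for public key systems").
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewCA creates a self-signed root. Self-signing proves nothing on its own:
// relying parties must obtain this certificate through a trusted channel,
// e.g. the browser or OS trust store. Names here are assumed for the example.
func NewCA(name string) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, Key: key}, nil
}

// IssueServerCert has the CA sign a certificate binding host to pub. This
// signature is what "authenticate public keys by signing" means in practice.
func (ca *CA) IssueServerCert(host string, pub *ecdsa.PublicKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // clients match the hostname against SANs
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, pub, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyServerCert does what an https client does at connect time: build a
// chain from the presented certificate to a root it trusts, check validity
// dates and key usage, and check that the certificate names the host being
// contacted. A nil error means the public key in cert may be trusted for host.
func VerifyServerCert(cert, trustedRoot *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	trusted, err := NewCA("Trusted Root CA")
	if err != nil {
		panic(err)
	}
	shopKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cert, _ := trusted.IssueServerCert("shop.example", &shopKey.PublicKey)
	fmt.Println("right host, trusted CA:  ", VerifyServerCert(cert, trusted.Cert, "shop.example"))
	fmt.Println("wrong host, trusted CA:  ", VerifyServerCert(cert, trusted.Cert, "evil.example"))

	// A rogue CA can sign anything it likes; the client rejects it because
	// the rogue root is not in the client's trust store.
	rogue, _ := NewCA("Rogue CA")
	forged, _ := rogue.IssueServerCert("shop.example", &shopKey.PublicKey)
	fmt.Println("right host, untrusted CA:", VerifyServerCert(forged, trusted.Cert, "shop.example"))
}
```

The last case is the one the "Secure Servers" slide depends on: encryption alone would happily protect a session to an impostor's server. It is the client's list of trusted roots, and its refusal to accept a chain that does not end in one of them, that prevents a man-in-the-middle from presenting his own key as the shop's.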

Considerations

- Technological: there is no common international standard, and any number of companies will say their digital-signature technology is the safest and best.
- Security: a security threat always exists; attackers are constantly finding loopholes or breaking implementations.
- Social: the digital divide. Reaching critical mass is important in getting the technology into use, but slow adoption of IT hinders digital signatures from being widely used.
