PROJECT ON
Department of Electronics and Communication Engineering
Submitted by:
Sahil kalra
Fimt ,gurgaon
ACKNOWLEDGEMENT
I, SAHIL KALRA, BBA (2nd semester) student, want to give my heartiest thanks to Mr. VIJAY KUMAR,
AIR INDIA, for his continuous support during my six-week summer training at AIR INDIA. He gave his
helping hand whenever I faced any obstacle. I feel it is my proud privilege to express my most
sincere gratitude and indebtedness to Mr. VIJAY KUMAR, who not only provided me technical help
but also spared his invaluable time in giving suggestions and comments through fruitful discussions with me.
I would also like to thank the General Manager of the COMPUTER CENTER, AIR INDIA, for allowing me to
have training under reputed people and in a very prestigious organization.
Sahil kalra
AIR INDIA'S PROFILE
Air India is India's national flag carrier. Although air transport was born in India on February 18, 1911
when Henri Piquet, flying a Humber bi-plane, carried mail from Allahabad to Naini Junction, some six
miles away, the scheduled services in India, in the real sense, began on October 15, 1932. It was on
this day that J.R.D. Tata, the father of Civil Aviation in India and founder of Air India, took off from
Drigh Road Airport, Karachi, in a tiny, light single-engined de Havilland Puss Moth on his flight to
Mumbai (then known as Bombay) via Ahmedabad. He landed with his precious load of mail on a
grass strip at Juhu. At Mumbai, Neville Vintcent, a former RAF pilot who had come to India from
Britain three years earlier on a barn-storming tour, during which he had surveyed a number of
possible air routes, took over from J.R.D.Tata and flew the Puss Moth to Chennai (then Madras) via
Bellary.
In its ever-growing quest for providing direct services from various points in India, Air India currently
operates International Flights from Mumbai and 14 other Indian cities, viz. Ahmedabad, Amritsar,
Bangalore, Chennai, Delhi, Goa, Hyderabad, Kochi, Kolkata, Kozhikode, Lucknow, Varanasi, Gaya and
Thiruvananthapuram. Commencement of international operations from these cities has obviated, to
a very large extent, the need for passengers from these regions to necessarily travel to Mumbai and
Delhi, the traditional gateways, for taking international flights. Passengers boarding or deplaning in
these cities can now complete their immigration and custom formalities at their city airport, both at
the time of departure and arrival.
On the Domestic Front we operate to 62 stations out of which 17 are connected to our international
destinations. The 172-seater Airbus A321 aircraft connects all major metros, including all flights on
the Delhi-Mumbai sector. Spacious cabin, comfortable seats and the luxury of in-flight
entertainment make this a superior product that travellers look forward to. As more and more
A321s and A319s join the fleet, they will gradually replace the A320s which are currently deployed
on many domestic sectors. Convenient connectivity has been provided to/from major metros like
Chennai, Kolkata, Hyderabad and Bangalore for passengers booked on the Non Stop flights.
Increasing occupancy levels on the Non Stop flights is testimony to the popularity of this premium
product.
INDEX
1. Introduction
2. E-Commerce
2.1. Advantages of e-commerce
2.2. Disadvantages of e-commerce
3. Models of e-commerce
3.1. Business to Business model
3.2. Business to Consumer model
3.3. Consumer to Consumer model
3.4. Consumer to Business model
3.5. Government to Consumer model
3.6. Consumer to Government model
4. Components of e-commerce
4.1. Credit card
4.1.1. Parties involved in the credit card network
4.1.2. Issue of card
4.1.3. How credit card processing works
4.1.4. Advantages of credit cards
4.1.5. Disadvantages of credit cards
4.2. Debit card
4.2.1. Types of debit card transaction
4.2.2. How debit card processing works
4.2.3. Advantages of debit cards
4.2.4. Disadvantages of debit cards
4.3. P-commerce
4.3.1. Processing flow diagram
4.3.2. Sequence of transactions in manual credit-card payment
5. Channels of e-commerce
5.1. Internet banking
5.1.1. Features of internet banking
5.1.2. Parties involved in net-banking
5.1.3. Transfer schemes of net-banking
5.1.4. System security used in net-banking
5.1.5. Application of net-banking in online shopping
5.2. Payment gateway
6. Information security in e-commerce
6.1. Confidentiality
6.2. Integrity
6.3. Availability
7. How an attacker can target the network
8. Defences against attacks on the network
9. Technology implemented on the merchant site to ensure security in e-commerce
9.1. Firewalls
9.2. Digital certificates
9.3. Encryption
9.4. Public key infrastructure
9.5. Authentication and authorization
9.6. Non-repudiation
9.7. Transport layer security / secure socket layer
9.8. Proxy server
9.9. Web server
9.10. Anti-virus and anti-spam
9.11. Spam filters
9.12. IP security protocols
10. Technology implemented on the customer site to ensure security
10.1. Personal computer
10.2. Virtual keyboard
10.3. Password protection
10.4. Authentication tools
10.5. Cookies
10.6. Anti-virus and anti-spam
10.7. Anti-spyware
10.8. Personal firewalls
11. Flow chart of security technologies
12. Summary of technologies employed by both user and merchant in tabular form
13. Study of comparison of the e-commerce setup of Air India and British Airways
13.1. Trust and response time
13.2. Content management
13.3. E-commerce platform
13.4. Privacy policy
13.5. Security features
14. Comparison between airindia.com and britishairways.com in tabular form
15. E-commerce status of some other websites
15.1. Goindigo.com
15.2. Makemytrip.com
16. Glossary of security terms
1. INTRODUCTION
Organisations began developing systems to carry out business transactions using the World Wide
Web with the emergence of the internet. Electronic commerce is one of the systems that
emerged as a very important application of the World Wide Web. Today it is difficult to find an
isolated computer. It is cheaper and faster to carry out business transactions within an organization
and among organizations electronically over the network connection. Thus it is important to
understand how business transactions are carried out electronically, reliably and securely. When
designing information systems it is essential to understand the emerging web-based transactions. A
number of organizations are exploring how to carry out all day-to-day operations electronically using
the intranet. This is why it is also called a paperless system.
2. E-COMMERCE
E-commerce (i.e., electronic commerce) is the process of buying and selling goods or services,
including information products and information retrieval services, electronically rather than
through conventional means. We use electronic means such as EDI (electronic data interchange),
electronic mail, bulletin boards, fax transmissions, electronic fund transfers and the internet.
Electronic commerce describes the buying and selling of products, services, and information via
computer networks. All organisations use the Internet and the Web to conduct business transactions
between and among organizations and individuals. With the Internet providing a quick and convenient way
of exchanging goods and services both regionally and globally, e-commerce has boomed.
We can buy and sell a variety of goods and services from home, requiring only a computer
with an internet connection.
Transactions can be carried out anytime and anywhere around the world, 24*7.
We can look for the lowest possible cost for a specific good or service.
Businesses can reach out to worldwide clients.
The cost of creating, processing, distributing, storing and retrieving paper-based information
has decreased.
Payments through electronic funds transfer are faster.
Supply chain management is simpler, faster, and cheaper using e-commerce.
We can order from several vendors and monitor supplies simultaneously.
A check on the production schedule and inventory of an organization can be implemented by
cooperating with suppliers, who can in turn schedule their work.
There is no need to set up a company physically. So e-commerce businesses have
become virtual multinational corporations.
With e-commerce systems, a single physical marketplace located in a geographical area has
now become a borderless marketplace including national and international markets.
3. MODELS OF E-COMMERCE
Depending on the parties involved in the transaction, e-commerce can be classified into 4 models
and these are:
The B2B model involves electronic transactions for ordering, purchasing, as well as other
administrative tasks between business houses. It includes trading goods, such as business subscriptions,
professional services, manufacturing, and wholesale dealings. Sometimes in the B2B model, business
may exist between virtual companies, neither of which may have any physical existence. In such
cases, business is conducted only through the Internet. In short, B2B e-business is that in which a
business markets and sells to other businesses.
Let us look at the same example of www.amazon.com. As you know, www.amazon.com is an online
bookstore that sells books from various publishers including Wrox, O'Reilly, Premier Press, and so on.
In this case, the publishers have the option of either developing their own site or displaying their
books on the Amazon site (www.amazon.com), or both. The publishers mainly choose to display
their books on www.amazon.com as it gives them a larger audience. Now, to do this, the publishers
need to transact with Amazon; this transaction, involving business houses on both ends, is the B2B model.
3.2. Business-to-Consumer (B2C) Model
The B2C model involves transactions between business organizations and consumers. It applies to
any business organization that sells its products or services to consumers over the Internet. These
sites display product information on an online website and store it in a database. The B2C model also
includes services such as online banking, travel services, and health information. In short, B2C e-business is
that in which a business markets and sells directly to consumers.
The C2C model involves transactions between consumers. Here, a consumer sells directly to
another consumer. In this model, online auction Web sites like eBay allow a consumer
to advertise and sell their products online to another consumer. However, it is essential that both
the seller and the buyer register with the auction site. While the seller needs to pay a fixed fee
to the online auction house to sell their products, the buyer can bid without paying any fee. The site
brings the buyer and seller together to conduct deals. In short, C2C e-business is that in which one
consumer markets and sells to another consumer through specific websites.
Let us now look at the previous figure with respect to eBay. When a customer plans to sell his
products to other customers on the eBay Web site, he first needs to interact with the eBay site,
which in this case acts as a facilitator of the overall transaction. Then, the seller can host his product
on www.ebay.com, which in turn charges him for this. Any buyer can now browse the eBay site to
search for the product he is interested in. If the buyer comes across such a product, he places an order
for it on the eBay Web site. eBay now purchases the product from the seller and then sells
it to the buyer. In this way, though the transaction is between two customers, an organization acts
as an interface between the two.
The C2B model involves a transaction that is conducted between a consumer and a business
organization. It is similar to the B2C model; however, the difference is that in this case the consumer
is the seller and the business organization is the buyer. In this kind of transaction, the consumer
decides the price of a particular product rather than the supplier. This category includes individuals
who sell products and services to organizations.
For example, www.monster.com is a Web site on which a consumer can post his bio-data for the
services he can offer. Any business organization that is interested in deploying the services of the
consumer can contact him and then employ him, if suitable.
In this model, the government transacts with an individual consumer. Government can provide a
number of opportunities for customers to take advantage of various government offers. G2C
business involves everything from grants and loans to copies of property transactions and credit
reports. Government contracts can be very lucrative and constitute a huge market for government
to consumer businesses. Consumer to government markets are built by consumers looking for safe
investments through bonds and other safe investment vehicles. In the government to consumer
marketplace, consumers are protected by regulations and agencies that keep watch on the public
safety. Finally, G2C e-commerce is becoming more popular for citizens to purchase postage,
registrations and permits via G2C websites. For example, a government can enforce laws pertaining
to tax payments on individual consumers over the Internet by using the G2C model.
In this model, an individual consumer interacts with the government. For example, a consumer can
pay his income tax or house tax online. The transactions involved in this case are C2G transactions.
4. COMPONENTS OF E-COMMERCE
Cardholders - persons who are authorized to use credit cards for the payment of goods and
services.
Card issuers - institutions which issue credit cards.
Merchants - entities which agree to accept credit cards for payment of goods and services.
Merchant acquirers - banks/NBFCs which enter into agreements with merchants to process
their credit card transactions.
Credit card associations - organisations that license card issuers to issue credit cards under
their trademark, e.g. Visa and MasterCard, and provide settlement services for their
members (i.e. card issuers and merchant acquirers).
Banks issue the card to the customer on the basis of his financial background, or on
behalf of a cardholder in his family.
Banks should independently assess the credit risk while issuing cards to persons, especially
to students and others with no independent financial means. Add-on cards, i.e. those that
are subsidiary to the principal card, may be issued with the clear understanding that the
liability will be that of the principal cardholder.
The bank sets the credit limit on the basis of the customer's profile: his salary, assets,
house and car.
[Workflow diagram: Customer (box 1), Web Server (box 2), Payment Gateway (box 3), Merchant account (box 6)]
Each of the steps below corresponds to one of the numbered boxes in the workflow diagram:
All transactions start with a customer. In this case, box 1, the customer is online, typically
looking at an HTML form. This form collects the customer's credit card information and sends
it to the server for processing. The user fills out the form and then clicks Submit.
The server receives the information in the form that user submitted. The server then sends
the information to code that resides on the server for processing.
The processing code receives the information from the Web server and validates the data
entered by the user. If the data is valid, the code formats the data into a format that the
gateway can understand. The code then sends the formatted data to the gateway. In effect,
the code is asking the gateway whether the credit card is a good card and whether it can do
the transaction.
The gateway receives the formatted data from the processing code, validates the card, and checks
to see whether the amount for the transaction is available in the user's account. If the card is
good and the funds are available, the gateway sends an approved message back to the code
(box 3); if the card is bad or the funds are not available, the gateway sends a declined
message back to the code. For providing this service, the gateway charges the merchant
money.
As transactions arrive at the gateway, they're batched through to the appropriate
clearinghouse. Box 4 shows some of the bigger clearinghouses. The clearinghouse that is used
is determined by the credit card type and the bank that issued the card. As the clearinghouses
receive transactions from all the gateways, the clearinghouses batch the transactions for all
the banks involved, transferring monies from bank to bank. For providing this service, the
clearinghouse takes between two percent and five percent of the total sale.
As the clearinghouses batch the transactions they receive, they transfer money from the
customer's bank (5.1) to the merchant's bank (5.2).
The merchant's bank receives the transactions from a clearinghouse and then transfers the
appropriate amount of money for the customer transaction (started in box 1) into the
Merchant's Card Not Present merchant account (6). For providing the Merchant account, the
bank will charge various fees.
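As an added illustration of boxes 1 to 3 of the workflow above (this is example code written for this page, not code from the report or from Air India), the simulation below plays the merchant's processing code: it validates the submitted form fields, formats a request for the gateway that carries only what the gateway needs, and interprets the approved/declined reply. The gateway, the merchant id and the message format are constructed stand-ins, not any real provider's API.

```python
"""Simulation of the merchant-side processing code (boxes 2-3) from the workflow.
Added example; the gateway and its message format are constructed for this page."""
import re
from dataclasses import dataclass
from datetime import date


@dataclass
class GatewayResponse:
    approved: bool
    reason: str


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test: rejects mistyped card numbers before they ever
    reach the gateway (it is a typo check, not proof the card exists)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def validate_form(form: dict, today: date) -> list:
    """Server-side validation of the HTML form (box 2). Returns a list of
    problems; an empty list means the data may be formatted for the gateway."""
    errors = []
    pan = re.sub(r"[ -]", "", form.get("card_number", ""))
    if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
        errors.append("card number fails format/Luhn check")
    m = re.fullmatch(r"(\d{2})/(\d{2})", form.get("expiry", ""))
    if not m:
        errors.append("expiry must be MM/YY")
    else:
        mm, yy = int(m.group(1)), 2000 + int(m.group(2))
        if not 1 <= mm <= 12 or (yy, mm) < (today.year, today.month):
            errors.append("card is expired")
    if not re.fullmatch(r"\d{3,4}", form.get("cvv", "")):
        errors.append("CVV must be 3 or 4 digits")
    try:
        if int(form.get("amount_cents", "")) <= 0:
            raise ValueError
    except ValueError:
        errors.append("amount must be a positive number of cents")
    return errors


def mask_pan(pan: str) -> str:
    """Only this masked form may appear in merchant logs or receipts."""
    return "*" * (len(pan) - 4) + pan[-4:]


def build_gateway_request(form: dict, merchant_id: str) -> dict:
    """Format validated data into the (constructed) gateway message.
    The CVV is forwarded once for this request and never stored by the merchant."""
    return {
        "merchant_id": merchant_id,
        "pan": re.sub(r"[ -]", "", form["card_number"]),
        "expiry": form["expiry"],
        "cvv": form["cvv"],
        "amount_cents": int(form["amount_cents"]),
        "currency": "INR",
    }


def fake_gateway(request: dict, balances: dict) -> GatewayResponse:
    """Stand-in for box 3: approve only if the card is known and funds suffice."""
    available = balances.get(request["pan"])
    if available is None:
        return GatewayResponse(False, "declined: card not recognised")
    if available < request["amount_cents"]:
        return GatewayResponse(False, "declined: insufficient funds")
    balances[request["pan"]] = available - request["amount_cents"]
    return GatewayResponse(True, "approved")


def process_payment(form, merchant_id, balances, today, log):
    """Boxes 2-3: validate, format, ask the gateway. Returns (approved, message).
    Invalid forms never reach the gateway, and the log never holds a full PAN."""
    errors = validate_form(form, today)
    if errors:
        return False, "; ".join(errors)
    request = build_gateway_request(form, merchant_id)
    resp = fake_gateway(request, balances)
    log.append(f"{mask_pan(request['pan'])} {request['amount_cents']} {resp.reason}")
    return resp.approved, resp.reason


def demo():
    """Constructed inputs: a good card, a Luhn typo, an underfunded card, an expired one."""
    balances = {"4111111111111111": 50_000, "5555555555554444": 1_000}  # constructed test cards
    log = []
    forms = [
        {"card_number": "4111 1111 1111 1111", "expiry": "12/26", "cvv": "123", "amount_cents": "12500"},
        {"card_number": "4111 1111 1111 1112", "expiry": "12/26", "cvv": "123", "amount_cents": "12500"},
        {"card_number": "5555555555554444", "expiry": "12/26", "cvv": "123", "amount_cents": "12500"},
        {"card_number": "4111111111111111", "expiry": "01/23", "cvv": "123", "amount_cents": "100"},
    ]
    results = [process_payment(f, "MERCHANT-DEMO", balances, date(2024, 6, 1), log) for f in forms]
    return results, log
```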
Purchase Power and Ease of Purchase - Credit cards can make it easier to buy things. If you
don't like to carry large amounts of cash with you or if a company doesn't accept cash
purchases (for example most airlines, hotels, and car rental agencies), putting purchases on
a credit card can make buying things easier.
Protection of Purchases - Credit cards may also offer you additional protection if something
you have bought is lost, damaged, or stolen. Both your credit card statement and the credit
card company can help you recover the amount you paid for a purchase if the original
receipt is lost or stolen. In addition, some credit card companies offer insurance on large
purchases.
Building a Credit Line - Having a good credit history is often important, not only when
applying for credit cards, but also when applying for things such as loans, rental applications,
or even some jobs. Having a credit card and using it wisely (making payments on time and in
full each month) will help you build a good credit history.
Emergencies - Credit cards can also be useful in times of emergency. While you should avoid
spending outside your budget (or money you don't have!), sometimes emergencies (such as
food or fire) may lead to a large purchase.
Others Benefits - In addition to the benefits listed above, some credit cards offer additional
benefits, such as discounts from particular stores or companies, bonuses such as free airline
miles or travel discounts, and special insurances (like travel or life insurance.)
There is no need to carry cash along. Hence, customers are free of the risk of
losing cash.
Unbalancing Your Budget - The biggest disadvantage of credit cards is that they encourage
people to spend money that they don't have. Most credit cards do not require you to pay off
your balance each month, so even if you only have $100, you may be able to spend up to
$500 or $1,000 on your credit card. While this may seem like 'free money' at the time, you
will have to pay it off -- and the longer you wait, the more money you will owe since credit
card companies charge you interest each month on the money you have borrowed.
High Interest Rates and Increased Debt - Credit card companies charge you an enormous
amount of interest on each balance that you don't pay off at the end of each month. This is
how they make their money and this is how most people in the United States get into debt.
Credit Card Fraud - Like cash, sometimes credit cards can be stolen. They may be physically
stolen (if you lose your wallet) or someone may steal your credit card number (from a
receipt, over the phone) and use your card to rack up debts. The good news is that, unlike
cash, if you realize your credit card or number has been stolen and you report it to your
credit card company immediately, you will not be charged for any purchases that someone
else has made.
There are several things you can do to prevent credit card fraud:
If you lose your card or wallet, report it to your credit card company immediately.
Don't loan your credit card to anyone and only give out your credit card information
to trusted companies or Web sites.
Check your statement closely at the end of each month to make sure all charges are
yours.
Online transaction: A debit transaction is classified as online when the cardholder's 4-digit PIN
is entered at the point of sale via a PIN pad on a credit card terminal. By entering the 4-digit
PIN, the transaction is routed through the debit network. Since the cardholder is
entering a 4-digit PIN (known only to them) and the transaction is routed through
the debit network, merchants usually pay a lower rate to process a PIN-based debit
transaction. Transactions conducted with online debit are reflected in users' account
balances immediately. A card used in online transactions is called a PIN-based debit card or true
debit card.
Offline transaction: An offline debit transaction happens when a 4-digit PIN is not
entered. Since the 4-digit PIN is not being entered, the transaction is processed through the
Visa/MasterCard network, which means the merchant would pay the same rate they would
on a normal credit card. Transactions conducted with offline debit cards require 2-3 days to
be reflected in users' account balances. A card used in offline transactions is called a signature-
based debit card or check debit card.
Debit card transactions take place in much the same way as credit card transactions. The various steps in a debit
card transaction are shown in the figure below.
[Figure: Transaction flow of debit card]
A consumer who is not creditworthy, and may find it difficult or impossible to obtain a credit
card, can more easily obtain a debit card, allowing him/her to make plastic transactions.
For most transactions, a check card can be used to avoid check writing altogether. Check cards
debit funds from the users account on the spot, thereby finalizing the transaction at the time of
purchase, and bypassing the requirement to pay a credit card bill at a later date.
Like credit cards, debit cards are accepted by merchants with less identification than personal
checks, thereby making transactions quicker.
Unlike a credit card, which charges higher fees and interest rates when a cash advance is
obtained, a debit card may be used to obtain cash from an ATM or a PIN-based transaction at no
extra charge, other than a foreign ATM fee.
With PIN-based debit cards, merchants also provide a cashback facility to the customer, in which an
amount is added to the total purchase price of a transaction paid by debit card and the
customer receives that amount in cash along with the purchase.
4.2.4. Disadvantages of debit cards
Use of a debit card is not usually limited to the existing funds in the account to which it is linked;
most banks allow a certain threshold over the available bank balance, which can cause
overdraft fees if the user's transaction exceeds the available balance.
Many banks are now charging over-limit fees or non-sufficient funds fees based upon pre-
authorizations, and even attempted but refused transactions by the merchant (some of which
may be unknown until later discovery by account holder).
Many merchants mistakenly believe that amounts owed can be "taken" from a customer's
account after a debit card (or number) has been presented, without agreement as to date,
payee name, amount and currency, thus causing penalty fees for overdrafts, over-the-limit,
amounts not available causing further rejections or overdrafts, and rejected transactions by
some banks.
In some countries debit cards offer lower levels of security protection than credit cards. Theft of
the user's PIN using skimming devices can be accomplished much more easily with a PIN input than
with a signature-based credit transaction.
In many places, laws protect the consumer from fraud much less than with a credit card. While
the holder of a credit card is legally responsible for only a minimal amount of a fraudulent
transaction made with a credit card, which is often waived by the bank, the consumer may be
held liable for hundreds of dollars, or even the entire value, of fraudulent debit transactions.
Because debit cards allow funds to be immediately transferred from an account when making a
purchase, the consumer also has a shorter time (usually just two days) to report such fraud to
the bank and recover the lost funds, whereas with a credit card, this time may be up to 60 days,
and the transactions are removed without losing any credit.
4.3. P-COMMERCE
P-commerce (i.e. physical commerce) is a subpart of e-commerce in which the consumer deals with the
merchant physically. It is the same as e-commerce, with the difference being how the card information is passed to the
merchant. In e-commerce the customer visits the merchant's site and makes payment by filling in the
card (credit/debit) details in a form, but in p-commerce the customer gives his card to the merchant
physically (by hand) and the merchant passes the card details on to the payment gateway by swiping
the card on a POS (point of sale) machine.
[Processing flow diagram: Customer -> Merchant's POS machine -> Acquiring bank -> Payment gateway -> Issuer bank -> Decision box (if authorized / if not authorized) -> End]
Customer presents credit card after purchase. Merchant swipes it on his special POS
machine and enters the amount.
Data from the merchant's terminal goes to the acquirer via a private telephone line.
Acquirer checks with the issuing bank the validity of the card and credit availability.
Acquirer authorizes the sale if all is OK and sends an approval slip, which is printed at the merchant's
terminal.
Merchant takes the customer's signature on the slip, verifies it against the signature on the card and
delivers the goods.
The acquirer pays the money to the merchant and collects it from the appropriate issuing bank.
The bank sends a monthly statement to the customer and collects the outstanding amount.
Credit and debit card processing begins with the customer presenting the card to the merchant for
payment and ends when the merchant receives the funds from the processor. The flow has four steps:
authorization, batching, settlement and funding.
Authorization is the approval of a transaction by the card issuer. Once the cardholder's details
are submitted for payment, they travel to the merchant's acquirer network and from there to the
card issuer. The issuer checks that the card number is valid and that there are adequate funds to
cover the transaction; if so, it returns an authorization number. The whole exchange takes around
3 seconds. The sale is complete, but no money has changed hands.
Batching is the storing of all authorized transactions, held in the memory of the merchant's
terminal. The merchant must send the batch to the acquirer before payment can be made; this is
also known as "clearing the batch", and most merchants do it at the end of each business day.
Settlement occurs when the acquirer sends the entire batch, through the card association, to the
card issuers for payment. In the United States, issuers pay the acquirer for the authorized
transactions through the Federal Reserve's Automated Clearing House (ACH).
Funding occurs after the acquirer has received payment from the card issuer. The merchant receives
the transaction amount(s) minus the discount rate, the fee the merchant pays the acquirer for
processing, which in turn includes the fees paid to the card associations and the card issuers.
5. CHANNELS OF E-COMMERCE
Online banking lets a customer perform non-transactional tasks such as:
viewing account balances;
viewing recent transactions;
downloading bank statements;
viewing images of paid cheques;
ordering cheque books.
It also supports transactional tasks such as:
transferring funds between the customer's linked accounts;
paying third parties, e.g. bill payments;
paying for an online purchase or sale of a product.
NEFT (National Electronic Funds Transfer) is a batch settlement system that operates on a deferred
net settlement (DNS) basis: transactions are accumulated and settled in batches at fixed times. All
transactions are held until the next settlement time, and any transaction initiated after a
designated settlement time waits for the following one. There is no minimum or maximum limit on the
amount. For example, NEFT settlement takes place 6 times a day on weekdays (9.30 am, 10.30 am,
12.00 noon, 1.00 pm, 3.00 pm and 4.00 pm) and 3 times on Saturdays (9.30 am, 10.30 am and
12.00 noon).
A user wishing to transfer funds under the NEFT scheme fills in an application form provided by
the originating bank (the user's bank), giving details such as the beneficiary's name, the bank
where the beneficiary holds the account, the IFSC (Indian Financial System Code) of the
beneficiary's bank branch, the account type and the account number. The user authorizes the
amount to be taken from his account and transferred to the beneficiary.
The originating bank prepares a message and sends it to its pooling centre, also known as the NEFT
service centre.
The pooling centre forwards the message to the NEFT Clearing Centre, to be included in the next
available batch. The Clearing Centre is operated by the National Clearing Cell of the RBI at
Mumbai.
The Clearing Centre sorts the funds transfers bank-wise and prepares accounting entries to receive
funds from the originating banks and pay them to the destination banks. The bank-wise remittance
messages are sent through the destination banks' pooling centres.
The destination banks receive the remittance messages from the Clearing Centre and credit the
funds to the beneficiary's account.
[Figure: the NEFT scheme of the Reserve Bank of India (RBI)]
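The batch timetable and the hold-until-next-slot rule above are easy to get wrong at the edges (a transfer after the 4.00 pm slot on a Friday, or anything initiated on a Sunday). The Python below is added here as an illustration and is not RBI's or any bank's code: it computes the settlement slot a transfer lands in and the net position of each bank in that batch, which is what "deferred net settlement" means. The bank names and transfers are constructed, and bank holidays are ignored.

```python
"""Deferred net settlement (DNS): which NEFT batch a transfer lands in, and the
net position of each bank in that batch.

Added example written for this page, not RBI's or any bank's code.  It encodes
the batch timetable quoted above (six weekday slots, three on Saturday, none
on Sunday) and ignores bank holidays; bank names and transfers are constructed.
"""
from datetime import date, datetime, time, timedelta

WEEKDAY_SLOTS = [time(9, 30), time(10, 30), time(12, 0),
                 time(13, 0), time(15, 0), time(16, 0)]
SATURDAY_SLOTS = WEEKDAY_SLOTS[:3]          # 9.30 am, 10.30 am, 12.00 noon


def slots_for(day: date) -> list:
    """Settlement times on a given calendar day (Monday=0 ... Sunday=6)."""
    weekday = day.weekday()
    if weekday < 5:
        return WEEKDAY_SLOTS
    if weekday == 5:
        return SATURDAY_SLOTS
    return []                                # no settlement on Sunday


def next_settlement(initiated: datetime) -> datetime:
    """Earliest settlement time at or after `initiated`.

    A transfer initiated after the last slot of the day, or on a Sunday, is
    held until the first slot of the next settlement day.
    """
    day = initiated.date()
    for _ in range(8):                       # a week is always enough to find a slot
        for slot in slots_for(day):
            candidate = datetime.combine(day, slot)
            if candidate >= initiated:
                return candidate
        day += timedelta(days=1)
    raise RuntimeError("no settlement slot within a week")   # impossible with this timetable


def settle_in_batches(transfers) -> dict:
    """Group transfers by settlement slot and net them per bank.

    transfers: iterable of (initiated_at, from_bank, to_bank, amount).
    Returns {slot: {bank: net}}; a positive net means the bank receives funds
    from the clearing centre, a negative net means it pays in.
    """
    batches = {}
    for initiated_at, src, dst, amount in transfers:
        positions = batches.setdefault(next_settlement(initiated_at), {})
        positions[src] = positions.get(src, 0) - amount
        positions[dst] = positions.get(dst, 0) + amount
    return batches


# Constructed sample starting Wednesday 3 March 2010 (not real transactions).
SAMPLE_TRANSFERS = [
    (datetime(2010, 3, 3, 10, 45), "Bank A", "Bank B", 100_000),
    (datetime(2010, 3, 3, 11, 0),  "Bank B", "Bank C",  40_000),
    (datetime(2010, 3, 3, 13, 10), "Bank C", "Bank A",  10_000),
    (datetime(2010, 3, 5, 16, 30), "Bank A", "Bank C",   5_000),  # Friday, after the last slot
]

if __name__ == "__main__":
    for slot, positions in sorted(settle_in_batches(SAMPLE_TRANSFERS).items()):
        print(slot.strftime("%a %d %b %Y %H:%M"), positions)
```

Run as a script it prints three batches: the two Wednesday transfers before noon net out in the 12.00 batch (Bank B ends up receiving only 60,000), the 1.10 pm transfer waits for the 3.00 pm batch, and the Friday 4.30 pm transfer is held over to Saturday's 9.30 am batch.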
Login ID and password: Each customer is given a User ID and a password (IPIN) that is generated
so that only the customer knows it. Without the valid IPIN for a customer ID, nobody can gain
access to the account. For added security some banks have introduced an Access Code: to log in to
Net Banking or a payment gateway the customer must enter this additional, one-time password. The
Access Code is generated online and sent instantly to the e-mail address and mobile number
registered with the bank. It is valid until 11:59 P.M. of the day it is generated (i.e. for at
most 24 hours). It is generated by entering the User ID / nickname and the Net Banking password
and clicking 'Generate Access Code' on the Access Code login page.
Session time-out: Net Banking transactions travel over an SSL/TLS-encrypted channel with 256-bit
keys. Many banks, such as HDFC Bank, also time out a customer's Net Banking session after
prolonged inactivity, so that an unattended browser cannot be misused.
Digital certificates: The web pages of many financial institutions are authenticated by digital
certificates issued by certificate authorities such as VeriSign, TCS and MTNL, so that the
customer can identify the institution's real web page and is not misled by fake websites.
Virtual keyboard: Many banks, such as HDFC Bank, offer a virtual keyboard for logging in to Net
Banking. This protects the user's password from being captured by keylogger software installed on
untrusted or shared computers, e.g. in cyber cafes.
Instant alerts: Various banks send instant SMS or e-mail alerts for every transaction. Alerts are
also sent when a beneficiary is added for Third Party Transfers.
Security tools: Banks use firewalls and anti-malware systems to protect their customers' data.
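The login controls above in working form. The Python below is an added example modelled on the description, not HDFC Bank's or any bank's code: a password check against a salted hash, a one-time Access Code that is single-use and expires at 23:59:59 of the day it was generated, and a session object that dies after ten minutes of inactivity. The class names, the six-digit code length, the ten-minute limit and the sample customer are assumptions; sending the code by SMS or e-mail is stood in for by returning it to the caller.

```python
"""Two-factor Net Banking login: password check, a one-time Access Code valid
until 23:59:59 of the day it was generated, and an idle-session timeout.

Added example modelled on the features listed above; not any bank's code.
AccessCodeStore, Session, the 6-digit code, the 10-minute idle limit and the
sample user are assumptions.  SMS/e-mail delivery is replaced by returning
the code to the caller.
"""
import hashlib
import hmac
import secrets
from datetime import datetime, time, timedelta

CODE_DIGITS = 6
IDLE_LIMIT = timedelta(minutes=10)           # assumed inactivity limit
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AccessCodeStore:
    """Issues one pending Access Code per user and keeps only its HMAC, never the code."""

    def __init__(self, server_key: bytes):
        self._key = server_key
        self._pending = {}                   # user_id -> (hmac_hex, expiry)

    def _tag(self, user_id: str, code: str) -> str:
        return hmac.new(self._key, f"{user_id}:{code}".encode(), hashlib.sha256).hexdigest()

    def generate(self, user_id: str, now: datetime) -> str:
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        expiry = datetime.combine(now.date(), time(23, 59, 59))   # "valid up to 11:59 P.M."
        self._pending[user_id] = (self._tag(user_id, code), expiry)
        return code          # real system: sent to the registered mobile number / e-mail

    def verify(self, user_id: str, code: str, now: datetime) -> bool:
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        tag, expiry = entry
        if now > expiry:
            del self._pending[user_id]       # expired: the customer must generate a new one
            return False
        ok = hmac.compare_digest(tag, self._tag(user_id, code))
        if ok:
            del self._pending[user_id]       # single use
        return ok


class Session:
    """Logged-in session that ends after IDLE_LIMIT without activity."""

    def __init__(self, user_id: str, now: datetime):
        self.user_id = user_id
        self.last_seen = now
        self.active = True

    def touch(self, now: datetime) -> bool:
        """Record activity; return False (and end the session) if it has timed out."""
        if self.active and now - self.last_seen > IDLE_LIMIT:
            self.active = False
        if self.active:
            self.last_seen = now
        return self.active

    def logout(self) -> None:
        self.active = False


# Constructed customer record (not a real customer); a real store uses a random salt per user.
_SALT = b"\x01" * 16
USERS = {"cust001": {"salt": _SALT, "hash": hash_password("correct horse battery", _SALT)}}


def login(store: AccessCodeStore, user_id: str, password: str, code: str, now: datetime):
    """Return a Session if user ID, password and Access Code all check out, else None."""
    user = USERS.get(user_id)
    # (A production system would hash a dummy password for unknown users too, to hide
    # which user IDs exist from timing.)
    if user is None or not hmac.compare_digest(user["hash"], hash_password(password, user["salt"])):
        return None
    if not store.verify(user_id, code, now):
        return None
    return Session(user_id, now)
```

The Access Code is checked only after the password, so a wrong password does not consume it; a correct login does, which is what makes it one-time.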
A few tips to keep your account secure while using internet banking:
Never disclose your password to others.
Choose a random password, not something others can easily guess, such as your date of birth.
Do not write your password on pieces of paper where others can read it.
When logging in, use the virtual keyboard option: an image of a keyboard appears on the screen
and you click the keys with the mouse. The order of the characters changes every time, which
defeats keylogger software on the computer.
Once you have finished, log out properly. If you do not, anybody who uses the computer after you
can misuse your account.
Inform the bank immediately if you receive an alert for a transaction you did not make.
[Flow diagram: Merchant -> due bills directed to BillDesk -> payment details entered -> Net Banking (customer's account) -> funds transferred to the merchant.]
A payment gateway is connected to customers, merchants and banks through the Internet and is
responsible for the speed, reliability and security of the transactions that pass through it. The
payment networks are the centre of the cardholder transaction process and maintain the flow of
information and funds between issuing banks and acquiring banks.
In a typical cardholder transaction, the transaction data first moves from the merchant to the
acquiring bank (and through its card processor, if applicable), then to the Associations, and finally to
the issuing bank (and through its card processor, if applicable). The issuing bank ultimately bills the
cardholder for the amount of the sale. Clearing is the term used to refer to the successful
transmission of the sales transaction data. At this point, no money has changed hands; rather, only
financial liability has shifted. The merchant, however, needs to be paid for the sale.
Settlement is the term used to refer to the exchange of the actual funds for the transaction and its
associated fees. Funds to cover the transaction and pay the merchant flow in the opposite direction:
from the issuing bank to the Associations, to the acquiring bank, and finally to the merchant. The
merchant typically receives funds within a few days of the sales transaction.
6. Information Security in e-commerce
Computer system and network security matters most in systems such as ATMs and smart cards.
Security is concerned with the ability of a system to prevent unauthorized access to information
or services. Confidentiality, integrity and availability are its three fundamental objectives.
Though they sound simple, a foolproof implementation is highly complex. Authentication, access
control and encryption are used to provide confidentiality; cryptographic hashes, message
authentication codes and digital signatures are used to provide integrity. The three objectives
are explained below in detail:
6.1. Confidentiality-
Confidentiality is ensuring that information is accessible only to those authorized to have
access, regardless of where it is stored or how it is accessed. Confidentiality is lost when
information can be read by individuals who should not see it. The loss can be physical or
electronic. Electronic loss happens, for example, when clients and servers do not encrypt their
communications, allowing an eavesdropper to read them. Physical loss happens through social
engineering or theft, typically of laptops. Confidentiality can be achieved by:
Access control
Authentication by passwords and biometrics
Encryption of stored and transmitted data
6.2. Integrity-
Data integrity is defined as safeguarding the accuracy and completeness of information and
processing methods against intentional, unauthorized or accidental change. Integrity is lost when
information is modified without authorization. This does not require an outsider: an authorized
party doing something they shouldn't, for example a system administrator deleting an account
record they were not authorized to delete, also causes integrity loss. Integrity loss can be
accidental or malicious. Malicious loss happens when a user purposely adds, deletes or modifies
database records, whether an authorized party (someone who genuinely has write access) or an
unauthorized party who has acquired access they shouldn't have. Accidental loss happens when a
system modifies or deletes records it shouldn't, for instance when a virus infects it, or when a
user does something unintended; this is why systems confirm that you want a file deleted before
doing so. Data integrity can be maintained by:
Cryptographic hashes and digital signatures (encryption alone does not detect modification)
Secure Sockets Layer / Transport Layer Security (SSL/TLS), which authenticates every record it carries
Auditing
6.3. Availability-
Availability is the simple idea that when a user or system attempts to access something, it can
be accessed. This is extremely important for mission-critical systems; availability is so critical
for them that most companies have business continuity plans (BCPs) so that their systems have
redundancy. Like confidentiality and integrity loss, availability loss can happen by accident,
such as a car crashing into a fibre pole and cutting access to a system, or through malicious
intent, such as a denial-of-service attack. Network availability is maintained through this kind
of redundancy and business continuity planning.
An e-commerce system has several points that an attacker can target:
Tricking the shopper: Some of the easiest and most profitable attacks are based on tricking the
shopper (customer), also known as social engineering. These attacks involve observing the
shopper's behaviour and gathering information to use against the shopper. A common scenario is
that the attacker calls the shopper pretending to be a representative of a site the shopper has
visited and extracts information. The attacker then calls a customer service representative at
the site, posing as the shopper and supplying the personal information, and asks for the password
to be reset to a specific value.
Another common form of social engineering is the phishing scheme. Attackers play on the names of
famous sites to collect authentication and registration details. For example, to imitate
http://www.ibm.com/shop the attacker registers the look-alike domain ibn.com and hosts a copy of
the shop page at www.ibn.com/shop; a shopper who mistypes the address lands on the illegitimate
site and enters confidential information. Alternatively, the attacker sends e-mails spoofed to
look as if they came from the legitimate site, with a link that leads to a rogue site that
collects the information.
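A defensive counterpart to the ibm.com / ibn.com example: the Python below, added here and not taken from any product, flags links whose domain imitates a known brand, generalising the one-letter typo to confusable characters (1 for l, rn for m) and to the same name under a different top-level domain. The brand list and the links are constructed, and the "registrable domain" is taken to be the host's last two labels, a simplification a real tool would replace with the public suffix list.

```python
"""Flagging look-alike (typosquatted) domains in links, as a phishing check.

Added example written for this page, not from any product.  The brand list
and links are constructed.  The registrable domain is approximated by the
last two host labels (no public suffix list).
"""
from urllib.parse import urlparse

# Substitutions attackers use because the glyphs look alike in common fonts.
# Digraphs are listed first so they are folded before single characters.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def fold_confusables(label: str) -> str:
    """paypa1 -> paypal, rnicrosoft -> microsoft."""
    out = label.lower()
    for lookalike, real in CONFUSABLES.items():
        out = out.replace(lookalike, real)
    return out


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute), O(len(a) * len(b))."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1,                 # delete
                               current[j - 1] + 1,              # insert
                               previous[j - 1] + (ca != cb)))   # substitute
        previous = current
    return previous[-1]


def registrable_domain(url: str) -> str:
    """Host of a URL reduced to its last two labels: 'www.ibn.com/shop' -> 'ibn.com'."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return ".".join(host.split(".")[-2:])


def classify(url: str, brands, max_distance: int = 1):
    """Return (domain, verdict, brand) with verdict 'legitimate', 'lookalike' or 'unrelated'."""
    domain = registrable_domain(url)
    if domain in brands:
        return domain, "legitimate", domain
    second_level = domain.rpartition(".")[0] or domain
    for brand in brands:
        brand_sld = brand.rpartition(".")[0] or brand
        if edit_distance(fold_confusables(second_level), fold_confusables(brand_sld)) <= max_distance:
            return domain, "lookalike", brand          # typo, confusable, or wrong TLD
    return domain, "unrelated", None


def suspicious_links(urls, brands) -> list:
    """Links whose domain imitates a brand, as (url, domain, imitated_brand) tuples."""
    flagged = []
    for url in urls:
        domain, verdict, brand = classify(url, brands)
        if verdict == "lookalike":
            flagged.append((url, domain, brand))
    return flagged


# Constructed data for the demonstration.
BRANDS = ("ibm.com", "paypal.com", "hdfcbank.com")
SAMPLE_LINKS = [
    "http://www.ibm.com/shop",            # the real site
    "http://www.ibn.com/shop",            # one-letter typo from the text above
    "https://paypa1.com/login",           # digit 1 in place of the letter l
    "https://hdfcbank.co/netbanking",     # same name, different top-level domain
    "https://example.org/",               # unrelated
]

if __name__ == "__main__":
    for link, domain, brand in suspicious_links(SAMPLE_LINKS, BRANDS):
        print(f"{link}: {domain} looks like {brand}")
```

Both the candidate and the brand are folded before the distance is computed, so a confusable substitution counts as zero edits and an ordinary typo as one; raising max_distance catches more squats at the cost of more false positives on short brand names.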
Snooping the shopper's computer: Millions of computers are added to the Internet every month, and
most users have only a vague idea of their systems' security vulnerabilities. In most cases,
enabling the security features requires a non-technical user to read manuals written for
technologists; the confused user gives up, which creates a golden opportunity for attackers.
A popular technique for gaining entry to the shopper's system is to use a tool such as SATAN to
port-scan the computer and find entry points. Based on the open ports found, the attacker uses
various techniques to get into the system and, once in, scans the file system for personal
information such as passwords.
Sniffing the network: In this scheme the attacker monitors the data between the shopper's computer
and the server, collecting data about the shopper or stealing personal information such as credit
card numbers. Some points in the network are more practical for this than others. A request from
the client is broken into packets that are reassembled at the server, and on the open Internet
those packets pass through many routers the attacker does not control, so an attacker in the
middle of the Internet rarely has a convenient vantage point. A more practical location is near
the shopper's computer or near the server. Wireless access points make the shopper's end the
better choice, because many are shipped with their security features disabled, which lets the
attacker read unencrypted traffic from the user's computer.
Guessing passwords: Another common attack is to guess a user's password, either manually or with a
tool. Manual attacks are laborious and succeed only if the attacker knows something about the
shopper, for example that the shopper uses a child's name as the password. Automated attacks have
a higher likelihood of success, because the probability of hitting a user ID/password combination
grows with the number of tries. Tools exist that try every word in a dictionary against user
ID/password combinations, or that try the most popular combinations first.
Using known server vulnerabilities: The attacker analyses the site to find which software it runs,
then looks up which security patches have been issued for that software and how to exploit systems
that have not applied them, and tries each exploit in turn. A sophisticated attacker may find a
weakness in a similar type of software and try it against the system. This is a simple but
effective attack: with millions of servers online, what is the probability that some administrator
forgot to apply a patch?
Using server root exploits: Root exploits are techniques that gain super-user access to the
server. An attack on a shopper or his computer affects one individual; with a root exploit the
attacker controls the merchant's data and all the shoppers' information on the site. There are two
main types: buffer overflow attacks and abuse of scripts executed by the server. In a buffer
overflow attack the attacker takes advantage of a program bug in the allocation of storage during
execution to trick the server into running code written by the attacker. The other technique uses
knowledge of the scripts the server executes, which is freely available in the server's
programming guides. The attacker constructs requests in the URL of his browser to make the server
return information it should not, most often when trying to retrieve data from the server's
database (for example by injecting database commands into a URL parameter).
Despite the existence of hackers and crackers, e-commerce remains a reasonably safe activity when
the defences below are applied. The resources available to large companies involved in e-commerce
are enormous, and they will pursue every legal route to protect their customers. The defences
available against the attacks above are:
Education: Your system is only as secure as the people who use it. If a shopper chooses a weak
password, or does not keep it confidential, an attacker can pose as that user. This matters most
if the compromised password belongs to an administrator, which is why administrative clients are
normally kept inside the firewall and protected physically as well. Users need to use good
judgement when giving out information and be educated about phishing schemes and other social
engineering attacks.
Personal firewalls: Connecting a computer to a network makes it vulnerable to attack. A personal
firewall helps by limiting the types of traffic initiated by and directed to the computer. Without
one, an attacker who reaches the machine can also scan the hard drive for stored passwords.
Secure Sockets Layer (SSL): SSL (today TLS) is a protocol that encrypts data between the shopper's
computer and the site's server. When an SSL-protected page is requested, the browser and server
perform a handshake in which the browser checks the server's certificate and the two sides agree
on session keys. Subsequent requests and responses are encrypted, so an attacker sniffing the
network cannot read their contents.
The SSL certificate is issued to the server by a certificate authority (CA) that browsers trust,
that is, one whose root certificate is shipped in the browser's or operating system's trust store;
it is this trust store, not government authorization, that makes a CA trusted. When the shopper's
browser requests https://..., it checks whether the site presents a certificate that chains to a
CA it recognizes and that matches the site's name. If not, the browser warns the user.
Password policies: Ensure that password policies are enforced for shoppers and internal users. A
sample password policy, defined as part of the Federal Information Processing Standards (FIPS), is
listed below.
You may choose different policies for shoppers and internal users; for example, you may lock out
an administrator after 3 failed login attempts instead of 6. Password policies protect against
attacks that try to guess the user's password: they ensure that passwords are strong enough not to
be guessed easily, and the account lockout ensures that an automated scheme cannot make more than
a few guesses before the account is locked.
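The lockout and policy rules above, and the automated guessing attack they are meant to defeat, as runnable Python. This is an added example, not the FIPS policy text or any product's code: the thresholds (8 or 12 characters, three of four character classes, lockout after 6 failures for shoppers and 3 for administrators) follow the text's illustration, and the accounts and the attacker's word list are constructed.

```python
"""Password policy enforcement and account lockout, tested against a simulated
dictionary attack.

Added example written for this page; not the FIPS policy referred to above nor
any product's code.  Thresholds follow the text's illustration; the accounts
and word list are constructed.
"""
import hashlib
import hmac
import os
import string

POLICY = {
    "shopper": {"min_length": 8,  "lockout_after": 6},
    "admin":   {"min_length": 12, "lockout_after": 3},
}
COMMON_WORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}
PBKDF2_ROUNDS = 100_000


def policy_violations(password: str, role: str) -> list:
    """Rules a candidate password breaks; an empty list means it is acceptable."""
    rules = POLICY[role]
    problems = []
    if len(password) < rules["min_length"]:
        problems.append("too short")
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(c in string.punctuation for c in password))
    if sum(classes) < 3:
        problems.append("needs 3 of: lowercase, uppercase, digit, symbol")
    if password.lower() in COMMON_WORDS:
        problems.append("common word")
    return problems


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AccountStore:
    """Salted-hash credential store with per-role lockout counters."""

    def __init__(self):
        self._accounts = {}

    def create(self, user: str, password: str, role: str) -> None:
        problems = policy_violations(password, role)
        if problems:
            raise ValueError(f"password rejected: {', '.join(problems)}")
        salt = os.urandom(16)
        self._accounts[user] = {"salt": salt, "hash": hash_password(password, salt),
                                "role": role, "failures": 0, "locked": False}

    def login(self, user: str, password: str) -> str:
        """Return 'ok', 'bad_credentials' or 'locked'."""
        account = self._accounts.get(user)
        if account is None:
            hash_password(password, b"\0" * 16)   # same cost as a real check: no user enumeration by timing
            return "bad_credentials"
        if account["locked"]:
            return "locked"
        if hmac.compare_digest(account["hash"], hash_password(password, account["salt"])):
            account["failures"] = 0
            return "ok"
        account["failures"] += 1
        if account["failures"] >= POLICY[account["role"]]["lockout_after"]:
            account["locked"] = True             # stays locked until an administrator resets it
            return "locked"
        return "bad_credentials"


def dictionary_attack(store: AccountStore, user: str, wordlist):
    """The automated guessing described above: (password found or None, attempts made)."""
    for attempts, guess in enumerate(wordlist, 1):
        result = store.login(user, guess)
        if result == "ok":
            return guess, attempts
        if result == "locked":
            return None, attempts
    return None, len(wordlist)


# Constructed attacker word list (the shopper's password is in it at position 5).
WORDLIST = ["password", "123456", "qwerty", "letmein", "Summer2010!", "welcome", "admin123"]


def demo():
    """Shopper (6-strike policy) falls on the 5th guess; admin (3-strike policy) locks first."""
    store = AccountStore()
    store.create("shopper1", "Summer2010!", "shopper")
    store.create("admin1", "R3d-Fox_jumps!", "admin")
    return (dictionary_attack(store, "shopper1", WORDLIST),
            dictionary_attack(store, "admin1", WORDLIST))
```

The two runs in demo() make the trade-off visible: with a 6-strike policy the shopper's weak-ish password is found on the fifth guess, while the administrator's 3-strike policy ends the attack before the list is exhausted; the hashing cost per attempt is what slows an offline attack if the hash store itself leaks.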
9.1. Firewall
A firewall is a mechanism used to protect a trusted network from an untrusted network, usually
while still allowing traffic between the two. Typically the two networks are an organization's
internal (trusted) network and the (untrusted) Internet. Put differently, a firewall is a
collection of components, or a system, placed between two networks with the following properties:
All traffic from inside to outside, and vice versa, must pass through it.
Only traffic authorized by the administrative policy is allowed to pass through it.
The system itself is highly resistant to penetration.
Firewalls work in three ways:
Firewalls as filters: The primary purpose of a firewall is to filter traffic. Firewalls inspect
packets as they pass and, based on criteria the administrator has defined, allow or deny each
packet; a properly configured firewall blocks everything that has not been specifically allowed.
Routers with filtering capabilities are a simplified example. Administrators often configure them
to allow all outbound connections from the internal network but to block all incoming traffic.
Packet filters instruct a firewall to drop traffic that meets certain criteria; for example, a
filter could drop all ping requests. By default, Microsoft ISA (Internet Security and
Acceleration) Server does not respond to ping on its external interface; a packet filter would
have to be created on the ISA Server computer for it to do so.
The following are the main TCP/IP attributes used in implementing filtering rules:
Source IP addresses
Destination IP addresses
IP protocol
Source TCP and UDP ports
Destination TCP and UDP ports
The interface where the packet arrives
The interface where the packet is destined
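A packet filter that evaluates rules on the attributes just listed (source port is omitted for brevity), first match wins and default deny. The Python below is an added example, not ISA Server's or any vendor's configuration language; it encodes the policy described above (all outbound traffic from inside allowed, inbound blocked except HTTPS to one published web server, pings from the Internet dropped). The address ranges, interface names and sample packets are constructed. The last sample shows why the arrival interface belongs in the rule: a packet carrying an internal source address but arriving on the external interface is spoofed and is dropped.

```python
"""Stateless packet filter: first matching rule wins, anything not explicitly
allowed is dropped.

Added example written for this page; not ISA Server's or any vendor's rule
syntax.  Address ranges, interface names and sample packets are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = "0.0.0.0/0"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                 # 'tcp', 'udp' or 'icmp'
    dport: Optional[int]       # None for ICMP
    in_if: str                 # interface the packet arrived on
    out_if: str                # interface it would leave by


@dataclass
class Rule:
    action: str                # 'allow' or 'deny'
    proto: str = "any"
    src: str = ANY
    dst: str = ANY
    dport: Optional[int] = None   # None matches any destination port
    in_if: str = "any"
    out_if: str = "any"

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport)
                and self.in_if in ("any", p.in_if)
                and self.out_if in ("any", p.out_if))


def decide(rules, packet: Packet) -> str:
    """Evaluate rules top to bottom; default deny when nothing matches."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return "deny"


INTERNAL_NET = "192.168.1.0/24"
WEB_SERVER = "192.168.1.10/32"

RULES = [
    # Do not answer pings arriving from the Internet (ISA Server's default, per the text).
    Rule("deny", proto="icmp", in_if="external"),
    # Everything initiated from inside may go out ...
    Rule("allow", src=INTERNAL_NET, in_if="internal", out_if="external"),
    # ... but from outside only HTTPS to the published web server is accepted.
    Rule("allow", proto="tcp", dst=WEB_SERVER, dport=443, in_if="external"),
]

# Constructed sample traffic.
SAMPLE_PACKETS = {
    "outbound https":   Packet("192.168.1.5", "203.0.113.80", "tcp", 443, "internal", "external"),
    "inbound ssh":      Packet("203.0.113.7", "192.168.1.5", "tcp", 22, "external", "internal"),
    "inbound ping":     Packet("203.0.113.7", "192.168.1.1", "icmp", None, "external", "internal"),
    "inbound https":    Packet("203.0.113.7", "192.168.1.10", "tcp", 443, "external", "internal"),
    "inbound http":     Packet("203.0.113.7", "192.168.1.10", "tcp", 80, "external", "internal"),
    # Spoofed: internal source address, but it arrived on the external interface.
    "spoofed internal": Packet("192.168.1.5", "192.168.1.10", "tcp", 22, "external", "internal"),
}


def decisions(rules=RULES, packets=SAMPLE_PACKETS) -> dict:
    """Verdict for every named sample packet."""
    return {name: decide(rules, pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, verdict in decisions().items():
        print(f"{name:18s} -> {verdict}")
```

Because the filter is stateless, the reply packets for the allowed outbound HTTPS session would themselves be dropped by this rule set; a real deployment adds either explicit reply rules (established TCP, source port 443) or, as modern firewalls do, connection tracking.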
Firewalls as gateways: Internet firewalls are often referred to as secure Internet gateways. Like
the gate of a walled city, they control access to and from the network. A firewall may consist of
little more than a filtering router acting as the controlled gateway: traffic goes to the gateway
instead of directly into the connected network, and the gateway machine passes the data, in
accordance with the access-control policy, through a filter to the other network or to another
gateway machine connected to it. Gateway firewalls can understand the traffic flowing through them
and allow or deny it based on content. Some are designed to block objectionable web content based
on keywords in the page; the same capability can inspect requests bound for an internal web server
to ensure that a request is not really an attack.
Firewalls as proxy servers: In a computer network, a proxy server is a server (a computer system
or an application) that acts as an intermediary for requests from clients seeking resources from
other servers. A client connects to the proxy and requests some service, such as a file,
connection or web page available from a different server; the proxy evaluates the request and
applies policy to it, which simplifies control over the traffic.
How a firewall protects your PC
At their most basic, firewalls work like a filter between your computer or network and the
Internet. You specify what you want to let out and what you want to let in; everything else is not
allowed. Firewalls use several methods to filter traffic, often in combination, and can be used in
many ways to add security to a home or business. Large corporations often have very complex
firewalls protecting their extensive networks.
On the outbound side, firewalls can be configured to prevent employees from sending certain types
of e-mail or transmitting sensitive data outside the network, or from reaching certain websites
(such as social networking sites).
On the inbound side, firewalls prevent outside computers from accessing computers inside the
network.
For home use, firewalls work much more simply. The main goal of a personal firewall is to protect
your computer and private network from malicious mischief. Malware (malicious software) is the
primary threat to a home computer. Viruses are the first type of malware that comes to mind; a
virus can reach your computer by e-mail or over the Internet and quickly damage your files. Other
malware includes Trojan horse programs and spyware, which are usually designed to acquire your
personal information for identity theft. A firewall helps here: it can allow all traffic except
what matches a set of criteria, or, preferably, block all traffic except what matches a set of
criteria.
A digital certificate is the electronic equivalent of an ID card: it establishes a person's or
organization's credentials and authenticates a connection when performing e-commerce transactions
over the web.
Digital certificates are digital files that certify the identity of an individual or institution.
Their main purpose is to ensure that the public key contained in the certificate belongs to the
entity to which the certificate was issued. Encryption techniques using public and private keys
require a public-key infrastructure (PKI) to support the distribution and identification of public
keys. A digital certificate packages the public key, information about the algorithms used, the
owner's (subject's) data, the digital signature of a certificate authority that has verified the
subject data, and the date range during which the certificate is valid. Certificates are signed by
the certificate authority (CA) that issues them; a CA is a commonly trusted third party relied upon
to verify that a public key matches an identity, e-mail name or other such information.
The most widely accepted format for digital certificates is defined by the ITU-T (formerly CCITT)
X.509 standard, so certificates can be read or written by any application complying with X.509.
Further refinements are found in the PKCS standards and the PEM standard.
Key generation: The individual requesting certification (the applicant, not the CA) generates a
key pair of public and private keys.
Matching of policy information: The applicant packages the additional information the CA needs to
issue the certificate (such as proof of identity, tax ID number and e-mail address). The precise
definition of this information is up to the CA.
Sending of the public key and information: The applicant sends the public key and information to
the CA as a certificate request, signed with the applicant's private key to prove possession of
it.
Verification of information: The CA applies whatever policy rules it requires to verify that the
applicant should receive a certificate.
Certificate creation: The CA creates a digital document with the appropriate information (public
key, expiry date and other data) and signs it with the CA's private key.
Sending of the certificate: The CA sends the certificate to the applicant or publishes it, as
appropriate.
The certificate is then installed on the applicant's server or computer.
9.3. Encryption
Encryption is the process by which data is transformed into an unreadable or unintelligible form
for confidentiality in storage or transmission. Although authentication and authorization are
usually tightly integrated, encryption functions in its own sphere: it complements
authentication/authorization by protecting data between authorized entities, and it protects
resources independently if authentication/authorization fail to keep unauthorized users out. What
we commonly call "encryption" in IT is a two-step process of encryption and decryption: encryption
packages the sensitive data and decryption unpackages it. An algorithm and a key convert the data
into ciphertext; once the data reaches its destination, it can be decrypted only with the proper
decryption key. The length of the key and the strength of the algorithm determine how difficult it
is for a criminal to recover the data without the key.
Currently, 128-bit encryption is the de facto minimum standard for strong encryption, and stronger
versions with 192-bit and 256-bit keys are appearing in ultra-secure environments. Three common
uses of encryption are VPNs (virtual private networks) for remote access, SSL for secure web
transactions, and EFS (the Encrypting File System of Windows 2000) for locking down files and
folders.
With a VPN, remote users are authenticated and authorized to access remote systems, and then a
secure "tunnel" is created by encapsulating and encrypting packets between the source and
destination systems.
With SSL, confidential user data such as names, addresses, social security numbers and credit
card numbers are encrypted in transit between a user and a web site.
When locking down files, as with EFS in Windows 2000, files and folders are stored in encrypted
form and can be opened only by valid users who have access to the decryption key. Because the
disk holds only ciphertext, the files stay confidential even if the hard disk is stolen by a
criminal; designated recovery agents, configured by an administrator, can still decrypt a file
whose owner's key has been lost.
Public key infrastructure (PKI) is the use and management of a pair of cryptographic keys, a
public key and a private key, for the secure transmission and authentication of data across
public networks.
In public key cryptography there are two different keys, one used to encipher data and the other
used to decipher it. While one of these keys is kept private, the other is made public, and the system
is designed so that knowledge of the public key does not allow the private key value to be
determined. Normally it is assumed that the private key is controlled by just one person who will be
referred to here as the keyholder.
Public key cryptography can be used to achieve either confidentiality or digital signature.
Confidentiality is provided when the deciphering key is kept private and the enciphering key is made
public, so that anyone with the public key can encipher a message that only the keyholder can
decipher. A digital signature is provided when the enciphering key is kept private and the
deciphering key is made public, so that anyone with the public key can decipher a message that only
the keyholder could have enciphered. With a correctly verified digital signature, we know that the
signed object has not been modified since the signature was made and that this was done with a
specific private key.
In public key encryption, two different keys are used to encrypt and decrypt information.
The private key is a key that is known only to its owner, while the public key can be made
known and available to other entities on the network.
The two keys are different but complementary in function. For example, a user's public key
can be published within a certificate in a folder so that it is accessible to other people in the
organization. The sender of a message can retrieve the user's certificate from Active
Directory Domain Services, obtain the public key from the certificate, and then encrypt the
message by using the recipient's public key. Information that is encrypted with the public
key can be decrypted only by using the corresponding private key of the set, which remains
with its owner, the recipient of the message.
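The two uses of a key pair described above, as an added example in Go using the standard library's RSA-OAEP (confidentiality) and RSA-PSS (digital signature); this is not code from the report, and the keyholder names and messages used with it are constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Keyholder owns one key pair. Only PublicKey() is ever handed to other parties.
type Keyholder struct{ priv *rsa.PrivateKey }

// NewKeyholder generates a 2048-bit RSA key pair (fine for a demo; use longer keys for new deployments).
func NewKeyholder() (*Keyholder, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Keyholder{priv: k}, nil
}

func (h *Keyholder) PublicKey() *rsa.PublicKey { return &h.priv.PublicKey }

// Confidentiality: anyone holding the recipient's public key can encipher a message...
func EncryptFor(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// ...and only the keyholder can decipher it; any other private key fails.
func (h *Keyholder) Decrypt(ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, h.priv, ct, nil)
}

// Digital signature: only the keyholder can produce it (the private key is applied to a digest of the object).
func (h *Keyholder) Sign(msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, h.priv, crypto.SHA256, digest[:], nil)
}

// Verify is something anyone with the public key can do. It returns false both when the
// object was modified after signing and when the signature was made with a different private key.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}
```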
Authentication is the process of verifying that someone (or something) is who they claim to be. The
someone or something is known as a principal. Authentication requires evidence, known
as credentials. For example, a client application could present a password as its credentials. If the
client application presents the correct credentials, it is assumed to be who it claims to be. Of course,
if your credentials are stolen, all bets are off: the authentication process can't tell that an imposter
is presenting your credentials. Some credentials, like thumbprints, are hard to steal; others, like
passwords, are easier to steal. So an important consideration in designing a secure Web Service is
deciding what kind of credentials to accept. Methods through which authentication can be achieved:
Passwords and their safekeeping are a fundamental element of authenticating you to a network.
A username and password is the most common way for users to identify themselves. Unfortunately, as
we all know, this is not a foolproof approach to verifying identity. Hackers can often find ways to
guess passwords or use various attack methods to crack passwords. As a result, IT departments
employ various means to strengthen authentication mechanisms, and these are:
Biometric authentication
Usernames and passwords are software mechanisms for authentication. The next step in
authentication technology is the integration of hardware mechanisms, which are not as easy to
crack. Biometrics is one developing hardware authentication technology. Biometric technology can
identify individuals based on the physical characteristics of parts of the human body. The primary biometric
technologies in use are retina scanning, facial recognition, voice recognition and fingerprint
scanning. An additional security measure takes the form of smart cards, where users have smart card
readers at their workstations and swipe their card and enter their PIN, rather than providing a
username and password. This type of information is very difficult to duplicate and creates a very good
defence against unauthorized access.
Login ID and password - checks the validity of the user if registered; otherwise you must register
before access.
Transaction password - a special password generated before any transaction and sent to your
registered mobile number.
Security questions - questions preset by the user during registration and asked of the user
to check that it is the right person.
Pre-set image - an image set by the user during registration and used to check whether the
website is genuine or fake.
Instant alert - a way to inform the user instantly, via SMS or e-mail, about the details of any
transaction that happens in his account.
Alpha-numeric code - a code used to check that it is really a human accessing the website
and not a program written by an attacker.
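As an added example (not from the report), the transaction password above can be implemented as an HMAC-based one-time code (RFC 4226 HOTP) in Go; the shared secret and the look-ahead window are constructed for the demo, and delivering the code to the registered mobile number is out of scope.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// HOTP computes an RFC 4226 one-time code: HMAC-SHA1 over the 8-byte big-endian counter,
// dynamic truncation to a 31-bit number, then the low `digits` decimal digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// Verifier is the server side of a transaction password. It holds the shared secret and the
// next counter value; the secret never leaves the server, only the short code is sent out.
type Verifier struct {
	secret  []byte
	counter uint64 // next counter the server will accept
	window  uint64 // how many skipped codes (an SMS that never arrived) are tolerated
}

func NewVerifier(secret []byte, window uint64) *Verifier {
	return &Verifier{secret: secret, window: window}
}

// Issue returns the code for the current counter, to be sent to the registered mobile number.
func (v *Verifier) Issue() string { return HOTP(v.secret, v.counter, 6) }

// Check accepts code if it matches the current counter or one up to `window` ahead, then moves
// the counter past it, so a code can never be replayed and an older code is rejected. The
// comparison is constant-time so response timing does not reveal how many digits matched.
func (v *Verifier) Check(code string) bool {
	for i := uint64(0); i <= v.window; i++ {
		want := HOTP(v.secret, v.counter+i, 6)
		if subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1 {
			v.counter += i + 1
			return true
		}
	}
	return false
}
```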
9.6. Non-repudiation
Non-repudiation is the assurance that someone cannot deny something. Typically, non-repudiation
refers to the ability to ensure that a party to a contract or a communication cannot deny the
authenticity of their signature on a document or the sending of a message that they originated. E-
commerce uses technology such as digital signatures, Digital certificates and public key encryption to
establish authenticity and non-repudiation.
Traditionally non-repudiation has been achieved by having parties sign contracts and then
have the contracts notarized by trusted third parties. Sending documents involved the use of
registered mail, and postmarks and signatures to date-stamp and record the process of
transmission and acceptance.
Digital signatures which have been issued by a trusted authority (such as VeriSign) cannot
be forged and their validity can be checked with any major email or web browser software.
A digital signature is only installed in the personal computer of its owner, who is usually
required to provide a password to make use of the digital signature to encrypt or digitally
sign their communications.
On the Internet, a digital signature is used not only to ensure that a message or document
has been electronically signed by the person who purported to sign it, but also,
since a digital signature can only be created by one person, to ensure that a person cannot
later deny that they furnished the signature.
Since no security technology is absolutely fool-proof, some experts warn that a digital
signature alone may not always guarantee non-repudiation. It is suggested that multiple
approaches be used, such as capturing unique biometric information and other data about
the sender or signer that collectively would be difficult to repudiate.
Email non-repudiation involves methods such as email tracking that is designed to ensure
that the sender cannot deny having sent a message and/or that the recipient cannot deny
having received it.
Once the client and server have decided to use TLS/SSL, then the steps followed by both parties to
ensure secure communication are:
1. The client sends the server the client's SSL version number, cipher settings, session-specific
data, and other information that the server needs to communicate with the client using SSL.
2. The server sends the client the server's SSL version number, cipher settings, session-specific
data, and other information that the client needs to communicate with the server over SSL.
The server also sends its own certificate, and if the client is requesting a server resource
that requires client authentication, the server requests the client's certificate.
3. The client uses the information sent by the server to authenticate the server (see Server
Authentication for details). If the server cannot be authenticated, the user is warned of the
problem and informed that an encrypted and authenticated connection cannot be
established. If the server can be successfully authenticated, the client proceeds to step 4.
4. Using all data generated in the handshake thus far, the client (with the cooperation of the
server, depending on the cipher being used) creates the pre-master secret for the session,
encrypts it with the server's public key (obtained from the server's certificate, sent in step
2), and then sends the encrypted pre-master secret to the server.
5. If the server has requested client authentication, the client also signs another piece of data
that is unique to this handshake and sends the signed data and the client's own certificate to
the server along with the encrypted pre-master secret. If the client cannot be authenticated, the session ends.
6. If the client can be successfully authenticated, the server uses its private key to decrypt the
pre-master secret, and then performs a series of steps (which the client also performs,
starting from the same pre-master secret) to generate the master secret.
7. Both the client and the server use the master secret to generate the session keys, which are
symmetric keys used to encrypt and decrypt information exchanged during the SSL session
and to verify its integrity.
8. The client sends a message to the server informing it that future messages from the client
will be encrypted with the session key. It then sends a separate (encrypted) message
indicating that the client portion of the handshake is finished.
9. The server sends a message to the client informing it that future messages from the server
will be encrypted with the session key. It then sends a separate (encrypted) message
indicating that the server portion of the handshake is finished.
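An added Go example (not from the report) that runs both sides of the handshake over an in-memory connection with self-signed certificates for the constructed hostnames shop.example and customer.example, so the outcome of step 3 (server authentication) and step 5 (client authentication) can be observed. Note that the TLS versions Go negotiates replace step 4's RSA-encrypted pre-master secret with an ephemeral Diffie-Hellman exchange, so the example shows which handshakes complete and which are refused, not the RSA key transport.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// newCert creates a self-signed certificate for name (a constructed hostname) plus a CertPool
// that trusts it. A real deployment uses a certificate issued by a CA the client already trusts.
func newCert(name string) (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// Handshake runs the client and server sides over an in-memory pipe and returns the negotiated
// cipher suite. trustServer decides whether the client's trust store contains the server's
// certificate (step 3); mutual makes the server request and verify a client certificate
// (steps 2 and 5). An unauthenticated server aborts the handshake instead of yielding session keys.
func Handshake(trustServer, mutual bool) (string, error) {
	serverCert, serverPool, err := newCert("shop.example")
	if err != nil {
		return "", err
	}
	clientCert, clientPool, err := newCert("customer.example")
	if err != nil {
		return "", err
	}
	serverCfg := &tls.Config{
		Certificates:           []tls.Certificate{serverCert},
		MinVersion:             tls.VersionTLS12,
		SessionTicketsDisabled: true, // no post-handshake ticket; keeps the exchange to the nine steps
	}
	if mutual {
		serverCfg.ClientAuth = tls.RequireAndVerifyClientCert
		serverCfg.ClientCAs = clientPool
	}
	clientCfg := &tls.Config{
		ServerName: "shop.example",
		RootCAs:    x509.NewCertPool(), // empty trust store: the server cannot be authenticated
		MinVersion: tls.VersionTLS12,
	}
	if trustServer {
		clientCfg.RootCAs = serverPool
	}
	if mutual {
		clientCfg.Certificates = []tls.Certificate{clientCert}
	}
	cRaw, sRaw := net.Pipe()
	deadline := time.Now().Add(5 * time.Second) // a refused handshake must not hang the pipe
	cRaw.SetDeadline(deadline)
	sRaw.SetDeadline(deadline)
	defer cRaw.Close()
	serverErr := make(chan error, 1)
	go func() {
		defer sRaw.Close()
		serverErr <- tls.Server(sRaw, serverCfg).Handshake()
	}()
	client := tls.Client(cRaw, clientCfg)
	if err := client.Handshake(); err != nil {
		return "", err
	}
	if err := <-serverErr; err != nil {
		return "", err
	}
	return tls.CipherSuiteName(client.ConnectionState().CipherSuite), nil
}
```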
During an HTTP connection, the IP address of the client machine is necessarily transmitted in order to
get the information back. This allows a server to identify the source of the web request. Any
resource you access can gather personal information about you through your unique IP address,
your ID on the Internet. They can monitor your reading interests, spy on you and log your requests
for third parties. An anonymous proxy server acts as a middleman between your browser and an end
server. Instead of contacting the end server directly to get a web page, the browser contacts the
proxy server, which forwards the request on to the end server. When the end server replies, the
proxy server sends the reply to the browser. No direct communication occurs between the client and
the destination server, therefore it appears as if the HTTP request originated from the intermediate
server. The only way to trace the connection to the originating client would be to access the logs on
the proxy server (if it keeps any).
Tunneling proxy - A proxy server that passes requests and responses unmodified is usually
called a tunneling proxy.
Forward proxy - A forward proxy takes requests from an internal network and forwards
them to the Internet. Forward proxies are able to retrieve from a wide range of sources (in
most cases anywhere on the Internet).
Open proxy - An open proxy is a forwarding proxy server that is accessible by any Internet
user. An anonymous open proxy allows users to conceal their IP address while browsing the
Web or using other Internet services.
Reverse proxy - A reverse proxy takes requests from the Internet and forwards them to
servers in an internal network. Those making requests connect to the proxy and may not be
aware of the internal network. A reverse proxy is a proxy server that appears to clients to be
an ordinary server. Requests are forwarded to one or more origin servers which handle the
request. The response is returned as if it came directly from the web server. Reverse proxies
are installed in the neighbourhood of one or more web servers. All traffic coming from the
Internet with a destination of one of the neighbourhood's web servers goes through the
proxy server.
A web server is the combination of both hardware and software, because to build a web
server we need a computer (hardware) and some sort of software application which
enables the world to access content.
A web server is the combination of a computer and the program installed on it. The web server
interacts with the client through a web browser. It delivers the web pages to the client's
web browser using the HTTP protocol. We can also define the web server as a
package of a large number of programs installed on a computer connected to the Internet or an intranet
for downloading the requested files using the File Transfer Protocol, serving e-mail, and building and
publishing web pages. A web server works on a client-server model. A computer connected to the
Internet or intranet must have a server program.
A computer connected to the Internet for providing the services to a small company or a
departmental store may contain the HTTP server (to access and store the web pages and files),
SMTP server (to support mail services), FTP server (for files downloading) and NNTP server (for
newsgroup). The computer containing all the above servers is called the web server. Internet
service providers and large companies may have all the servers like HTTP server, SMTP server, FTP
server and many more on separate machines.
First, it's important to note that this is a two-sided story. Web servers are responsible for storing and
exchanging information with other machines. Because of this, at least two participants are required
for each exchange of information: a client, which requests the information, and a server, which
stores it. In the case of the client, a browser like Netscape or Internet Explorer is used. On the server
side, however, things are not as simple. There are countless software options available, but they all
have a similar task: to negotiate data transfers between clients and servers via Hypertext Transfer
Protocol, the communications protocol of the Web.
The client's browser dissects the URL into a number of separate parts, including address,
path name and protocol.
A Domain Name Server (DNS) translates the domain name the user has entered into its IP
address, a numeric combination that represents the site's true address on the Internet (a
domain name is merely a "front" to make site addresses easier to remember).
The browser now determines which protocol (the language client machines use to
communicate with servers) should be used. Examples of protocols include FTP, or File
Transfer Protocol, and HTTP, Hypertext Transfer Protocol.
The server now responds to the browser's requests. It verifies that the given address exists,
finds the necessary files, runs the appropriate scripts, and returns the results back to the
browser. If it cannot locate the file, the server sends an error message to the client.
The browser translates the data it has been given into HTML and displays the results to the
user.
This process is repeated until the client browser leaves the site.
Hence, these servers become an integral part of e-commerce and act as the backbone of an e-commerce
setup. So, apart from the security measures used, many web servers have a parallel server connected to
them. This is done so that even if one server fails, the other server handles all the traffic of the crashed
server.
Here, in the above figures we can see that there are two similar servers attached to each other.
So even if one of the servers fails, the other server can handle all the traffic without interrupting e-
commerce transactions.
In the virus dictionary approach, the antivirus continuously monitors files on servers and computer
programs and compares them with a list of predefined viruses and malicious code. This list of
predefined viruses is made available by the author of the antivirus. While scanning, if a file on the server
matches a virus on the list, the antivirus can either remove it or block that file so that the virus does
not affect other files or computer programs. The antivirus may even make an attempt to repair the file
by removing the virus from it. However, for continuous safety, the list of viruses must be updated
regularly as new viruses appear. The antivirus can also be scheduled to scan all files on a
regular basis.
In the suspicious behaviour approach, the antivirus does not try to match the scanned file to the list; rather it
monitors the behaviour of all programs. For example, if a program tries to write data to an
executable program, this is flagged as suspicious behaviour and the user is alerted and asked what to
do. The suspicious behaviour approach therefore provides protection against new viruses that
do not exist in any virus dictionary. However, it also raises a large number of false positives, and
users probably become desensitized to all the warnings. If the user clicks "Accept" on every such
warning, then the anti-virus software is obviously useless to that user.
Anti-spam - Email spam, also known as junk email, is an identical message sent to numerous
recipients by email. Clicking on links in spam email may send users to phishing web sites or sites that
are hosting malware. Spam email may also include malware as scripts or other executable file
attachments. Definitions of spam usually include the aspects that the email is unsolicited and sent in
bulk. To prevent email spam, both end users and administrators of email systems use various anti-
spam techniques. Some of these techniques have been embedded in products, services and
software to ease the burden on users and administrators. No one technique is a complete solution
to the spam problem, and each has trade-offs between incorrectly rejecting legitimate email vs. not
rejecting all spam, and the associated costs in time and effort. There are various anti-spam techniques
that have been created and implemented since spam started infiltrating people's inboxes.
Spam filters work using a combination of techniques in order to filter through the messages and
separate the genuine messages from the junk mail. These techniques would rely on the following
measures:
Word lists - Lists of words that are known to be associated with spam and are commonly found in
unsolicited mail messages.
Blacklists and white-lists - These lists contain known IP addresses of spam senders (blacklists) and
non-spam senders (e.g. friends and family). Therefore addresses that form part of your contact list
are automatically registered on the white-list, and any emails originating from these email addresses will
be sent directly to your inbox.
Trend analysis - By analyzing the history of email sent from an individual, trends can help assess the
likelihood of an email being genuine or spam. This can be an effective technique to help reduce false
positives and improve spam detection rates.
Learning or content filters - Learning filters, such as Bayesian filtering, examine the content of each
email sent to and from an email address, and by learning word frequencies and patterns associated
with both spam and non-spam messages, the filter is able to recognize which messages are valid and should
therefore be directed to the inbox, and which are spam and should be sent to Junk.
These techniques all work together to make an effective anti-spam solution. By using just one
method, one risks losing out on valid emails.
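An added Go example (not from the report) of the learning filter described above: a naive Bayes classifier trained on a small constructed corpus of spam and genuine messages, with add-one smoothing so that a word never seen in training does not break the estimate, and a high threshold because a genuine message filed as Junk costs more than one spam let through.

```go
package main

import (
	"math"
	"strings"
)

// Classifier is a naive Bayes filter: it counts how often each word appears in spam and in
// genuine (ham) mail and combines those frequencies into P(spam | message).
type Classifier struct {
	spamWords, hamWords map[string]int
	spamTotal, hamTotal int // total word occurrences seen per class
	spamDocs, hamDocs   int // messages seen per class (the priors)
}

func NewClassifier() *Classifier {
	return &Classifier{spamWords: map[string]int{}, hamWords: map[string]int{}}
}

// tokens lowercases text and splits it into words made of letters and digits.
func tokens(text string) []string {
	notWord := func(r rune) bool {
		return !(r >= 'a' && r <= 'z' || r >= '0' && r <= '9')
	}
	return strings.FieldsFunc(strings.ToLower(text), notWord)
}

// Train records one message of known class.
func (c *Classifier) Train(text string, spam bool) {
	for _, w := range tokens(text) {
		if spam {
			c.spamWords[w]++
			c.spamTotal++
		} else {
			c.hamWords[w]++
			c.hamTotal++
		}
	}
	if spam {
		c.spamDocs++
	} else {
		c.hamDocs++
	}
}

// SpamProbability returns P(spam | text). Sums of logs avoid underflow on long messages, and
// add-one (Laplace) smoothing keeps a never-seen word from forcing a probability to zero.
func (c *Classifier) SpamProbability(text string) float64 {
	vocab := map[string]struct{}{}
	for w := range c.spamWords {
		vocab[w] = struct{}{}
	}
	for w := range c.hamWords {
		vocab[w] = struct{}{}
	}
	v := float64(len(vocab))
	docs := float64(c.spamDocs + c.hamDocs)
	logSpam := math.Log(float64(c.spamDocs) / docs)
	logHam := math.Log(float64(c.hamDocs) / docs)
	for _, w := range tokens(text) {
		logSpam += math.Log((float64(c.spamWords[w]) + 1) / (float64(c.spamTotal) + v))
		logHam += math.Log((float64(c.hamWords[w]) + 1) / (float64(c.hamTotal) + v))
	}
	return 1 / (1 + math.Exp(logHam-logSpam)) // sigmoid of the log-odds
}

// Classify applies a deliberately high threshold: a false positive (genuine mail sent to Junk)
// is the costlier mistake.
func (c *Classifier) Classify(text string) string {
	if c.SpamProbability(text) >= 0.9 {
		return "Junk"
	}
	return "Inbox"
}

// NewTrainedClassifier trains on a tiny constructed corpus; a real filter learns from
// thousands of messages, ideally the user's own mailbox.
func NewTrainedClassifier() *Classifier {
	c := NewClassifier()
	spam := []string{
		"cheap pills offer click here",
		"win free prize click now",
		"free money offer act now",
	}
	ham := []string{
		"meeting agenda for monday attached",
		"can you review the booking report",
		"lunch on tuesday with the team",
	}
	for _, m := range spam {
		c.Train(m, true)
	}
	for _, m := range ham {
		c.Train(m, false)
	}
	return c
}
```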
IPSec is implemented by the operating system and is transparent to the applications
using it, while SSL is visible to the user.
SSL cannot be utilized to encrypt all types of data communicated between two hosts,
while IPSec can be utilized to secure most types of network communication.
SSL can only be used to encrypt communication between two hosts, while IPSec can tunnel
communication between them.
For authentication, IPSec utilizes public key certificates or a shared secret, while SSL has to
utilize public key certificates.
With IPSec, both the server and the client need to be authenticated. With SSL, either the server,
or the client, or both the server and client need to be authenticated.
A personal computer is a must to do an online transaction. It is also said to be the best scenario when a
consumer buys a product online using his personal computer. PCs are private devices and therefore
our personal details such as passwords, credit card numbers etc. cannot be leaked to anyone else.
There are two main areas of risk when using a public terminal. First, someone may be using a session
logger to record the flow of data between the PC you are using and the websites you visit. Second,
there may be a key-logger fitted to the PC that allows someone to capture your keystrokes and
sometimes your mouse clicks and screen session as well. So it is advised to avoid the use of public
terminals (computers) during any e-commerce deal.
Some Computer security tips:
Virtual Keyboard
Why we use a virtual keyboard
To capture our personal details, a hacker can place a hardware circuit between the keyboard and the
computer for key-logging. All the keystrokes can be stored for later use. There are also
Trojans available that can note and store the keystrokes and send them to the hacker
trying to steal the password. Once these are activated, they can note passwords entered online and
generally work in the background without the user coming to know about them. This creates a
problem, as our password can be taken and the security thus broken.
Thus, by using virtual keyboards we can eliminate the use of the traditional keyboard for entering sensitive
information such as passwords, credit card numbers etc. The virtual keyboard reduces risks, makes
e-banking login secure and supports a secure online banking experience. It ensures the user's account
information (user ID & password) is protected from hackers. However, virtual keyboards may
present the disadvantage that some Trojans can take screenshots of the keys pressed on the virtual
keyboard. So, anti-screenshot virtual keyboards can be used, where the pattern of keys changes
every time we press a key.
Do's
Create different passwords for different accounts and applications.
Change your passwords regularly.
Keep the password to yourself; do not disclose it.
Keep your passwords easy to remember, so you don't have to write them down.
Do use a combination of uppercase and lowercase letters, symbols, and numbers.
Do try to make your passwords as meaningless and random as possible.
Don'ts
Don't answer "yes" when prompted to save your password to a particular computer's
browser. Instead, rely on a strong password committed to memory or stored in a
dependable password management program.
Don't use the same password for various accounts and applications.
Don't use a derivative of your name, the name of a family member, or the name of a pet.
Don't use names or numbers associated with you, such as a birth date or nickname.
Don't use a solitary word in any language. Hackers have dictionary-based tools to crack
these types of passwords.
Don't write your password anywhere and don't disclose it.
10.5. Cookies
A cookie is a small identifier file placed on a user's computer by a website, which logs information
about the user and their previous/current visits for the use of the site the next time the user makes
contact. Website owners claim that this is beneficial to the user, allowing faster access and
personalization of the site for that user.
One of the issues faced by Web site designers is maintaining a secure session with a client over
subsequent requests. Because HTTP is stateless, unless some kind of session token is passed back
and forth on every request, the server has no way to link together requests made by the same
person. Cookies are a popular mechanism for this. An identifier for the user or session is stored in a
cookie and read on every request. This simplifies Web page development because you do not have
to be concerned about passing this information back to the server. The primary use of cookies is to
store authentication and session information, your information, and your preferences. A secondary
and controversial usage of cookies is to track the activities of users.
Different types of cookies are:
Temporary cookies: These cookies are valid only for the lifetime of your current session, and
are deleted when you close your browser. These are usually the good type. They are mostly
used to keep your session information.
Permanent cookies: These are for a time period, specified by the site, on the shopper's
computer. They recall your previous session information.
Server-only cookies: These cookies are usually harmless, and are only used by the server
that issued them.
Third-party cookies: These are usually used for tracking purposes by a site other than the
one you are visiting. Your browser or a P3P policy can filter these cookies.
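An added Go example (not from the report) of cookies used as session tokens as described above: the server keeps the session data, the cookie carries only an unguessable random token, and the temporary/permanent distinction is simply whether the cookie has a Max-Age; the cookie name SESSIONID and the 30-day lifetime are constructed choices.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"net/http"
	"sync"
)

const sessionCookie = "SESSIONID" // constructed cookie name

// SessionStore keeps the real session data on the server. The cookie carries only an opaque
// token, so nothing about the user can be read or altered by editing the cookie itself.
type SessionStore struct {
	mu       sync.Mutex
	sessions map[string]string // token -> user
}

func NewSessionStore() *SessionStore {
	return &SessionStore{sessions: map[string]string{}}
}

// newToken returns 32 random bytes as hex. A token must be unguessable: a predictable one
// would let anyone who can guess it act as another user.
func newToken() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// Start opens a session and returns the cookie to send with http.SetCookie. A temporary
// cookie has no Max-Age, so the browser discards it when closed; a permanent one is kept
// for 30 days (constructed lifetime). Secure, HttpOnly and SameSite limit how the token can leak.
func (s *SessionStore) Start(user string, permanent bool) (*http.Cookie, error) {
	token, err := newToken()
	if err != nil {
		return nil, err
	}
	s.mu.Lock()
	s.sessions[token] = user
	s.mu.Unlock()
	c := &http.Cookie{
		Name:     sessionCookie,
		Value:    token,
		Path:     "/",
		Secure:   true,                 // sent over HTTPS only, never in clear text
		HttpOnly: true,                 // not readable by scripts running in the page
		SameSite: http.SameSiteLaxMode, // not attached to cross-site POST requests
	}
	if permanent {
		c.MaxAge = 30 * 24 * 60 * 60
	}
	return c, nil
}

// Resolve reads the session cookie from a request and returns the user it belongs to.
func (s *SessionStore) Resolve(r *http.Request) (string, bool) {
	c, err := r.Cookie(sessionCookie)
	if err != nil {
		return "", false
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	user, ok := s.sessions[c.Value]
	return user, ok
}

// End deletes the session on the server and returns a cookie that tells the browser to drop
// its copy (Max-Age < 0). The server-side delete is what really ends the session; without it a
// copied token would stay valid even after the browser forgot the cookie.
func (s *SessionStore) End(token string) *http.Cookie {
	s.mu.Lock()
	delete(s.sessions, token)
	s.mu.Unlock()
	return &http.Cookie{Name: sessionCookie, Value: "", Path: "/", MaxAge: -1, Secure: true, HttpOnly: true}
}

// LoginHandler wires Start to HTTP; protected handlers call Resolve the same way.
func (s *SessionStore) LoginHandler(w http.ResponseWriter, r *http.Request) {
	user := r.FormValue("user")
	if user == "" {
		http.Error(w, "missing user", http.StatusBadRequest)
		return
	}
	c, err := s.Start(user, r.FormValue("remember") == "1")
	if err != nil {
		http.Error(w, "internal error", http.StatusInternalServerError)
		return
	}
	http.SetCookie(w, c)
	fmt.Fprintf(w, "logged in as %s\n", user)
}
```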
Signature-based detection.
Polymorphic-based detection.
Heuristic-based analysis.
Behaviour-based analysis.
10.7. Anti-spyware
Spyware is software that installs itself on your computer, often as the trade-off for a piece of "free"
software. They are unwanted programs that exploit infected computers for commercial gain. They
can deliver unsolicited pop-up advertisements, steal personal information (including financial
information such as credit card numbers), monitor web-browsing activity for marketing purposes, or
route you to advertising websites. Spyware is software that transmits personal information to a third
party without the user's knowledge or consent. This can lead to your PC being compromised along
with your identity.
Anti-Spyware helps keep you safe from dangerous spyware that can lead to your computer being
compromised, along with your identity, and threaten the security of what you value. You need
spyware protection because spyware is created by hackers and cybercriminals and can be spread via
infected email attachments, shared files, or malicious websites. Good Anti-Spyware is effective at
both detecting and removing spyware if you're already infected. It should also detect and prevent
future spyware infections.
The per-computer scope of personal firewalls is useful to protect machines that are moved across
different networks. For example, a laptop computer may be used on a trusted intranet at a
workplace where minimal protection is needed as a conventional firewall is already in place, and
services that require open ports such as file and printer sharing are useful. The same laptop could be
used at public Wi-Fi hotspots such as those provided at cafés, airports or hotels, where more strict security
is required to protect from malicious activity. Many personal firewalls are able to control network
traffic by prompting the user each time an application attempts a connection and will adapt the
security policy accordingly. Personal firewalls may also provide some level of intrusion detection,
allowing the software to terminate or block connectivity where it suspects an intrusion is being
attempted.
User or customer

Technology                | Visibility                       | Why it is necessary
Personal computer         | Visible to user                  | Necessary requirement to carry out e-commerce and make sure that it is not used by an unauthorized person.
Authentication            | Visible to user                  | Necessary for the user to authenticate himself by login-ID, login-password and security question, and to authenticate the merchant by pre-set image.
Anti-virus and anti-spam  | Visible to user                  | Necessary to monitor the computer for viruses and junk mail and remove them as soon as possible.
Anti-spyware              | Visible to user                  | Necessary to detect and remove spyware software, which continuously monitors your browsing activity and passes your personal details to a hacker without the user's knowledge.
Cookies                   | Not visible to user              | Necessary to store authentication and session information, so the user has no need to authenticate again and again.
Personal firewalls        | Not visible to user              | Necessary to restrict access of unauthorized persons to the user's computer.
Public key infrastructure | Not visible to merchant and user | Necessary to establish a secure connection between two genuine sites by knowing their private and personal keys.
MERCHANT INTERACTION WITH TECHNOLOGIES
Merchant or server
Let us first list the details to which a first-time user will directly refer:
Customer-friendly interface - If a user doesn't find the webpage good and interactive, it is
unlikely that he will proceed further. A good website should clearly present all the
information required by the user, which also helps in building user trust by clearing all his
doubts about the website. Hence, chances are increased when users are provided with all
the relevant information.
Website's digital certification logo - In today's world of the internet many websites are added
daily. Many times hackers create fake websites similar to original ones so that users are
tricked. Hence, digital certificates are used to differentiate between these. So, a user can
learn about the authenticity of the website by looking at its digital certificate. A digitally
certified website will have a digital certificate logo on its pages and users can check for
these.
Address bar for any encryption currently being employed during communication - Another
feature that a user can look to is encryption. It can be visually seen whether a website is
interacting using encryption; we notice the following change:
A green colour in the address bar, with an additional "s" after "http" (https), confirms encryption. If encryption is currently being
used, one can be assured that hackers can't read the conversation between user and website.
Some basic issues on the basis of which a comparison between Air India and British Airways is
carried out:
Views: British Airways have also not put any digital certificate on their webpage. However, the front
page has been designed such that a user might still get convinced about the authenticity of the
webpage. The Response Time for the website is also good.
Positive aspects:
Booking portal provided by the company is easier to use. It is also easier to browse through
the website.
FAQs can help a user clear much of his doubts. They have been put up in a good manner
with an additional option of viewing it in Hindi.
The good thing is that the company mentions its contact numbers and the addresses of its offices,
with their respective contact details, at various places in India. For example, the company's office at
Delhi is at Air India Limited Reservations, Safdarjung Airport, Aurobindo Marg, New Delhi -
110003. del.reservationmanager@airindia.in Telephone- 011 24622220, Fax-011 24653682.
The booking process is also good as only required information is shown to user. The user is
provided with options such as currency converter and breakdown of taxes for providing
consumer satisfaction.
User is also provided with options such as New Search so that a user can start a fresh
booking if he is not satisfied with current travel search.
Assistance is given to user while entering details such as name.
It gives the user an option for having booking information sent to the user's mobile (only for
Indian users).
Negative aspects:
Surfing can be made clearer by proper positioning of the various offers provided to the customer.
The various options put up look clumsy, as they have been put together without much
differentiation among them, making it difficult for each option to grab the user's
attention at first sight.
The booking portal should be made a bit different, thus making it catchier so that it gets
primary notice of user. It looks just mixed between various options. The website can be
presented in a much interactive manner having flash messages, good graphic images and
displaying various offers clearly.
Frequent Flyer option can be made small.
General terms and conditions for online booking have been put up in a dull manner without
any proper format. One will have to browse through the entire PDF
for information regarding ticket cancellations, refunds etc.
Fare chart put up by the company cannot be understood by users as it uses various codes to
define various terms etc. Also, various options like hotel booking and car rental service leave
a bad impression as a warning from Air India is issued to user trying to access these options.
It also shows poor relation between Air India and its partners.
The company has not put its privacy policy on its front page.
The booking portal for the airways has been clearly put and is distinct from other options.
Various offers have been put up in an excellent manner and are capable of drawing users'
attention at first sight.
One can easily access option for help and contacts.
One can easily get information regarding refund of tickets, complaints and contact numbers
for the airlines.
The company has provided a wide range of FAQs with a search engine for customers'
assistance.
The company has clearly mentioned its general terms and condition and its privacy policy
under the legal heading.
Negative aspects:
The webpage of the website is a bit long in length and some users may not like to scroll
down till the end for various offers.
The response time for the website increases when a user tries to access the airline's partners such
as hotels and car rental services. Sometimes, users can also experience delay while accessing the
general terms and conditions.
The company has not provided any fare chart. So, a user will have to go through booking
procedure for knowing the fare.
If a user chooses the credit card payment option, he is asked to fill in the card details and proceed with the payment.
As of now, Air India accepts debit cards with Bank of India, Indian Overseas Bank, State Bank of India, Union Bank of India and Punjab National Bank as payment gateways only.
If we proceed with debit card payment, the company issues a notice that the payment will be taken remotely and the user will be redirected to the payment gateway of the respective bank. Users are charged the fee set by the payment gateway being used; for example, Indian Overseas Bank charges Rs. 10 per transaction.
Hence users are given the flexibility of choosing a payment gateway, with the respective fee being shown, which is a good move as it makes it transparent that the company is not charging anything extra for the transaction.
Also, a good thing the company does is that it shows users the taxes and charges separately, as shown below:
Refund Policy - the company does not clearly state its refund policy while bookings are being made. A user has to browse through the FAQs specified by the company, where one can get information about the procedure for obtaining a refund for both domestic and international bookings.
The time taken to get a refund, as stated by the company, is: "In normal circumstances a refund is processed almost immediately. However, in case of a credit card bank transfer, it takes a minimum of twenty days and in case of a lost ticket, it takes a minimum of six months as the mandatory cooling period needs to be met with and the documents are processed by our Central accounts office."
However, the company does not state the fee charged for making a refund.
Refund Policy - the company clearly mentions its refund policy under its Help and Contacts option, where one can get complete information regarding refunds. While card details are being entered for payment, the company also displays a message covering the case where the information entered by the user is incorrect but the user has already paid. One can check this by viewing the following message from the airline.
The refund or cancellation charge is mentioned by the airline under Fare Conditions while the desired flight details are displayed, as shown below:
My ratings for e-commerce platform of British Airways- GOOD
However, in its general terms and conditions the company also states that it shall not disclose any information to any third party and that users' personal information shall be protected.
Following is a screenshot of this:
My ratings for privacy policy of Air India-AVERAGE
Hence, a user can get his doubts cleared before proceeding.
A user can also see a brief privacy policy while making the payment for a given transaction.
Following is a screenshot of it:
My rating for Privacy Policy of British Airways-VERY GOOD
While making bookings, users are provided with a session time of 20 minutes. Users may or may not be informed about it. If the terminal used by the user remains idle for more than 20 minutes, the server automatically cancels the user's current transaction and directs him to start again, for security purposes.
If a user wishes to come back from a payment gateway while making a payment, he has to start over by opening the web browser again, as the payment gateways are operated by third parties. This is good and increases security.
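The two server-side behaviours described above (a 20-minute idle timeout that cancels the transaction, and a booking token that cannot be resumed once the user has been sent to a third-party payment gateway) can be modelled in a few lines. The following is an added example, not code from Air India, British Airways or the report; the 20-minute value comes from the text, while the class names, the in-memory store and the state names are my own assumptions.

```python
"""Illustrative booking-session store with a 20-minute idle timeout and a
one-way hand-off to the payment gateway.

Added example, not the airline's code. IDLE_TIMEOUT_SECONDS reflects the
20-minute session stated in the report; everything else is an assumption.
"""
import secrets
from dataclasses import dataclass, field

IDLE_TIMEOUT_SECONDS = 20 * 60  # the 20-minute session stated in the report


@dataclass
class BookingSession:
    token: str
    created_at: float
    last_activity: float
    state: str = "booking"              # booking -> at_gateway (never back)
    items: dict = field(default_factory=dict)


class SessionStore:
    """In-memory store; a real deployment would use a shared cache with TTLs."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT_SECONDS):
        self.idle_timeout = idle_timeout
        self._sessions = {}

    def start(self, now):
        """Open a fresh booking session and return its unguessable token."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = BookingSession(token, now, now)
        return token

    def resume(self, token, now):
        """Return the live session for `token`, or None if the caller must start over."""
        session = self._sessions.get(token)
        if session is None:
            return None
        if session.state != "booking":
            # Once handed to the gateway the token is dead: navigating back
            # in the browser cannot pick the transaction up again.
            return None
        if now - session.last_activity > self.idle_timeout:
            # Idle too long: the server cancels the transaction outright.
            del self._sessions[token]
            return None
        session.last_activity = now     # sliding idle window
        return session

    def hand_off_to_gateway(self, token, now):
        """Mark the session as sent to the third-party gateway; returns False if it was not live."""
        session = self.resume(token, now)
        if session is None:
            return False
        session.state = "at_gateway"
        return True


if __name__ == "__main__":
    store = SessionStore()
    token = store.start(now=0.0)
    print("resume after 19 min:", store.resume(token, 19 * 60) is not None)
    print("resume after a further 21 min:", store.resume(token, 40 * 60) is not None)
```

Note that the idle window slides with each request, so the check compares the current time against the last activity rather than against session creation; an absolute lifetime could be added alongside it if the business rule called for one.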
One can also see MasterCard etc. security logos while making card payments for the given transaction. These are the visible trust signals used by British Airways to enhance user trust, so that users can proceed without any doubt. Following is a screenshot of the various logos put up by British Airways.
My ratings for Security of webpage of British Airways-VERY GOOD
[Screenshots omitted; image credits: competetionrx.com, docs.ispconfig.org, onionlive.com]
Comparison of the two websites (rating, comment and, where given, a suggestion for Air India):

VISIBLE TRUST
  Air India: POOR (no digital certificate logo, with poor website presentation). The company should look to put up its digital certificate on its front page.
  British Airways: AVERAGE (no digital certificate logo, with good website presentation).

RESPONSE TIME
  Air India: VERY GOOD (there were no delays while loading webpages of airindia.com).
  British Airways: VERY GOOD (one gets very good browsing speed without any delays).

PRESENTATION OF WEBSITE
  Air India: AVERAGE (the booking portal should be clearly highlighted, with the other options made distinct from each other; various pictures and Flash player videos can be used). The booking portal can be highlighted, and interactive images and flash messages can be put up.
  British Airways: VERY GOOD (the booking portal can be seen as soon as one opens the airline's webpage; good interactive images with well-defined options make the browsing experience good).

CONTENT MANAGEMENT
  Air India: AVERAGE (the company provides users with its contact details; various offers are easy to access; one can also see the terms and conditions at the lower end of the webpage; the FAQs also help in a nice manner). Information on various topics can be presented in an interactive manner.
  British Airways: VERY GOOD (the information is easy to access and one can easily see the well-defined Help and Contacts; one can easily get information regarding refunds, transaction bounces etc.; the FAQs also help a lot).

E-COMMERCE PLATFORM
  Air India: VERY GOOD (the company is transparent in charging fees for booking through cards and has a secured payment mode). The company can also look at EMI payments by agreeing with various banks.
  British Airways: AVERAGE (offers card payments of various card types and a secured booking portal; however, the company does not state the fees charged for payment through cards).

SECURITY
  Air India: VERY GOOD (the security offered is very good; apart from encryption and digital certificates, users are given sessions for booking; also, one has to start afresh if he wishes to come back from a payment gateway).
  British Airways: VERY GOOD (has excellent security features; one can see encryption and digital certificates, and MasterCard SecureCode and Visa SecureCode while making a card payment; users are provided sessions for booking).

REFUND POLICY
  Air India: VERY GOOD (assures the customer of immediate payment; one can go through the stated FAQs for complete information on this; various contact numbers are also given).
  British Airways: VERY GOOD (one can get information regarding this through the FAQ search engine; contact numbers are also given).
14.1. GOINDIGO.com
The screenshot of the front page of goindigo.com can be seen as:
The company does not have an impressive front page. The various offers are placed in a simple manner but use very bright colours, which many customers may not like.
The booking portal is not properly highlighted and is mixed in with the other options.
There are no interactive pictures or flash messages on the front page.
The airline has not put up any digital certificate logo that could prove the authenticity of the website.
The company has an excellent e-commerce platform. It accepts MASTERCARD, VISA and AMERICAN EXPRESS cards for payment, and also accepts debit cards of selected banks. Apart from these, the airline offers a NET BANKING facility and an EMI facility for CITI BANK and HDFC Bank.
The disclaimer and privacy policy of the airline can be viewed from the front page, and one can get much information regarding one's doubts from these.
A toll-free number and certain e-mail addresses have been put up by the company for users to contact it.
Encryption is used as a security procedure. One can also see the MASTERCARD SECURECODE and VERIFIED BY VISA logos while making card payments. The airline also uses a proactive security measure, as it clearly states that, for security purposes, the user's IP address recorded by the airline is ****. This has been highlighted in the following screenshot:
14.2. MAKEMYTRIP.COM
Ping attack: This is where an illegitimate echo request (ping) is sent to a system with the return address forged to be that of the target host (the one to be attacked). The intermediate system answers the ping request, but sends its response to the unsuspecting victim system. If such responses arrive in excessive numbers, the target system will be unable to distinguish between legitimate and illegitimate traffic.
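From the victim's side, the distinguishing feature of the traffic described above is that the host receives echo replies to requests it never sent. A monitor that records the echo requests the host actually emitted can therefore separate legitimate replies from reflected ones and raise an alert when the unsolicited rate spikes. This is an added example and not from the report or any product; the event records are constructed sample data, and the field names and the alert threshold are my own assumptions.

```python
"""Spotting a reflected ping flood from the receiving host's side.

Added example, not from the report. The host tracks the ICMP echo requests
it sent (keyed by peer, ICMP identifier and sequence number) and counts
inbound echo replies that match none of them. The event dictionaries and
the threshold are constructed assumptions, not any tool's log format.
"""
from collections import Counter

# Assumed threshold: this many unsolicited replies within one second raises an alert.
UNSOLICITED_REPLIES_PER_SECOND = 50


class EchoReplyMonitor:
    """Keeps the set of outstanding echo requests we sent and counts inbound
    echo replies that do not answer any of them."""

    def __init__(self, alert_rate=UNSOLICITED_REPLIES_PER_SECOND):
        self.alert_rate = alert_rate
        self._outstanding = set()      # (peer, icmp_id, seq) we sent, not yet answered
        self._unsolicited = Counter()  # whole second -> count of unmatched replies

    def observe(self, event):
        """Feed one ICMP event; returns True if it was an unsolicited reply."""
        key = (event["peer"], event["icmp_id"], event["seq"])
        if event["direction"] == "out" and event["type"] == "echo-request":
            self._outstanding.add(key)
            return False
        if event["direction"] == "in" and event["type"] == "echo-reply":
            if key in self._outstanding:
                self._outstanding.discard(key)   # legitimate answer to our own ping
                return False
            self._unsolicited[int(event["ts"])] += 1
            return True
        return False

    def alert_seconds(self):
        """Seconds in which the unsolicited-reply rate reached the threshold."""
        return sorted(sec for sec, n in self._unsolicited.items() if n >= self.alert_rate)


def run_sample():
    """Constructed traffic: one genuine ping exchange, then a burst of replies
    from 60 different 'reflector' addresses that this host never pinged.
    Returns (number of unsolicited replies, seconds that triggered an alert)."""
    events = [
        {"ts": 99.2, "direction": "out", "type": "echo-request",
         "peer": "192.0.2.10", "icmp_id": 1234, "seq": 1},
        {"ts": 99.3, "direction": "in", "type": "echo-reply",
         "peer": "192.0.2.10", "icmp_id": 1234, "seq": 1},
    ]
    for i in range(60):   # reflected replies, all landing inside second 100
        events.append({"ts": 100.0 + i * 0.01, "direction": "in", "type": "echo-reply",
                       "peer": f"198.51.100.{i + 1}", "icmp_id": 7, "seq": i})
    monitor = EchoReplyMonitor()
    unsolicited = sum(1 for e in events if monitor.observe(e))
    return unsolicited, monitor.alert_seconds()


if __name__ == "__main__":
    count, alerts = run_sample()
    print(f"{count} unsolicited echo replies; alert in seconds {alerts}")
```

The same request-tracking idea is what a stateful firewall does for ICMP: only replies that match a recorded outbound request are accepted, and everything else is dropped or counted.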
Secure Electronic Transaction (SET): SET was originally supported by companies such as MasterCard, VISA, Microsoft and Netscape and provides a means of enabling secure transactions between purchaser, merchant (vendor) and bank.
Smart card: Smart cards look and feel like credit cards, but have one important difference: they have a programmable micro-chip embedded. Their uses are extremely varied but, for information security, they are often used not only to authenticate the holder but also to present the range of functions associated with that user's profile.
Sniffers: A sniffer is a program which captures and analyses packets of data as they pass across a network. Such programs are used by network administrators who wish to analyse loading across network segments, especially where they suspect that spurious packets are bleeding from one network to another.
Social engineering: Social engineering is a means by which information is extracted, usually verbally,
by someone impersonating a legitimate holder or user of the information in question.
Spam: Electronic equivalent of junk mail.
Spoofing: Alternative term for identity hacking and masquerading.
Threat: A threat is anything that can disrupt the operation, functioning, integrity, or availability of a
network or system.
Time-bomb: As the name suggests, a piece of hidden program code designed to run at some time in
the future, causing damage to, or loss of, the computer system.
Trojan horse: A Trojan horse is a malicious, security-breaking program that is disguised as something benign, such as a directory lister, an archiver or a game. A Trojan is a type of virus that normally requires the user to perform some action before the payload can be activated.
Virtual private network (VPN): A virtual private network emulates a private network over a public
network infrastructure, using specialist hardware and software.
Virus: A virus is a form of malicious code and as such is potentially disruptive. It may also be
transferred unknowingly from one computer to another.
Vulnerability: Vulnerability is an inherent weakness in the design, configuration, or implementation
of a network or system that renders it susceptible to a threat.
Worm: A worm is a malicious program that propagates itself over a network, reproducing itself as it
goes.