
AIR INDIA

PROJECT REPORT ON E-COMMERCE AND ITS IMPLEMENTATION IN AIRLINE INDUSTRY

SUBMITTED TO:                                SUBMITTED BY:
Computer-center, Air India Ltd               Sahil Kalra
IGI Airport, Terminal-I,                     BBA, Second Year (2012)
New Delhi-110037                             FIMT, Gurgaon

Signature.

PROJECT ON E-COMMERCE AND ITS IMPLEMENTATION IN AIRLINE INDUSTRY

Under the Guidance of
Computer-center, Air India Ltd
IGI Airport, Terminal-I,
New Delhi-110037

TO
Department of Electronics and Communication Engineering
Fairfield Institute of Management and Technology, Gurgaon

Submitted by:
Sahil Kalra
FIMT, Gurgaon
ACKNOWLEDGEMENT
I, SAHIL KALRA, BBA (2nd semester) student, want to give my heartiest thanks to Mr. VIJAY KUMAR,
AIR INDIA, for his continuous support during my six-week summer training at AIR INDIA. He gave his
helping hand whenever I faced any obstacle. I feel it is my proud privilege to express my most
sincere gratitude and indebtedness to Mr. VIJAY KUMAR, who not only provided me technical help
but also spared his invaluable time in giving suggestions and comments through fruitful discussions with me.
I would also like to thank the General Manager of COMPUTER CENTER, AIR INDIA for allowing me to
have training under reputed people and in a very prestigious organization.

Sahil Kalra
AIR INDIA'S PROFILE
Air India is India's national flag carrier. Although air transport was born in India on February 18, 1911,
when Henri Piquet, flying a Humber bi-plane, carried mail from Allahabad to Naini Junction, some six
miles away, scheduled services in India, in the real sense, began on October 15, 1932. It was on
this day that J.R.D. Tata, the father of Civil Aviation in India and founder of Air India, took off from
Drigh Road Airport, Karachi, in a tiny, light single-engined de Havilland Puss Moth on his flight to
Mumbai (then known as Bombay) via Ahmedabad. He landed with his precious load of mail on a
grass strip at Juhu. At Mumbai, Neville Vintcent, a former RAF pilot who had come to India from
Britain three years earlier on a barn-storming tour, during which he had surveyed a number of
possible air routes, took over from J.R.D. Tata and flew the Puss Moth to Chennai (then Madras) via
Bellary.

In its ever-growing quest for providing direct services from various points in India, Air India currently
operates International Flights from Mumbai and 14 other Indian cities, viz. Ahmedabad, Amritsar,
Bangalore, Chennai, Delhi, Goa, Hyderabad, Kochi, Kolkata, Kozhikode, Lucknow, Varanasi, Gaya and
Thiruvananthapuram. Commencement of international operations from these cities has obviated, to
a very large extent, the need for passengers from these regions to travel to Mumbai and
Delhi, the traditional gateways, to take international flights. Passengers boarding or deplaning in
these cities can now complete their immigration and customs formalities at their city airport, both at
the time of departure and on arrival.

On the domestic front, Air India operates to 62 stations, of which 17 are connected to its international
destinations. The 172-seater Airbus A321 aircraft connects all major metros, including all flights on
the Delhi-Mumbai sector. A spacious cabin, comfortable seats and the luxury of in-flight
entertainment make this a superior product that travellers look forward to. As more and more
A321s and A319s join the fleet, they will gradually replace the A320s which are currently deployed
on many domestic sectors. Convenient connectivity has been provided to and from major metros like
Chennai, Kolkata, Hyderabad and Bangalore for passengers booked on the non-stop flights.
Increasing occupancy levels on the non-stop flights are testimony to the popularity of this premium
product.
INDEX
1. Introduction..............................................................................................................................7
2. E-Commerce................................................................................................................7
2.1. Advantages of e-commerce...................................................................................7
2.2. Disadvantages of e-commerce..............................................................................8
3. Models of e-commerce..............................................................................................................8
3.1. Business to Business model................................................................................................8
3.2. Business to Consumer model.............................................................................................9
3.3. Consumer to consumer model............................................................................................9
3.4. Consumer to Business model............................................................................................10
3.5. Government to consumer model......................................................................................10
3.6. Consumer to government model......................................................................................10
4. Components of e-commerce.......................................................................................11
4.1. Credit card......................................................................................................................11
4.1.1. Parties involved in credit card network.................................................................11
4.1.2. Issue of card.........................................................................................................11
4.1.3. How credit card processing works.........................................................................12
4.1.4. Advantages of credit card.....................................................................................13
4.1.5. Disadvantages of credit card................................................................................14
4.2. Debit card........................................................................................................................15
4.2.1. Types of debit card transaction.............................................................................15
4.2.2. How debit card processing works..........................................................................16
4.2.3. Advantages of debit card......................................................................................16
4.2.4. Disadvantages of debit card.................................................................................17
4.3. P-commerce.....................................................................................................................17
4.3.1. Processing flow diagram.......................................................................................18
4.3.2. Sequence of transaction in manual credit-card payment.......................................19
5. Channels of e-commerce.........................................................................................................20
5.1. Internet banking..............................................................................................................20
5.1.1. Features of internet banking.................................................................................20
5.1.2. Parties involved in net-banking.............................................................................20
5.1.3. Transfer schemes of net-banking..........................................................................21
5.1.4. System security used in net-banking.....................................................................23
5.1.5. Application of net-banking in online shopping......................................................24
5.2. Payment gateway...........................................................................................................24
6. Information security in e-commerce........................................................................................25
6.1. Confidentiality.................................................................................................................25
6.2. Integrity..........................................................................................................................26
6.3. Availability......................................................................................................................26
7. How an attacker can target the network.................................................................................27
8. Defences against the attack to network..................................................................................28
9. Technology implemented to merchant site to ensure security in e-commerce..........................30
9.1. Firewalls..........................................................................................................................30
9.2. Digital certificates...........................................................................................................32
9.3. Encryption.......................................................................................................................34
9.4. Public key infra-structure.................................................................................................34
9.5. Authentication and authorization....................................................................................35
9.6. Non-repudiation..............................................................................................................37
9.7. Transport layer security/secure socket layer....................................................................37
9.8. Proxy server.....................................................................................................................39
9.9. Web server......................................................................................................................40
9.10. Anti-virus and anti-spam......................................................................................41
9.11. Spam filters..........................................................................................................43
9.12. IP security protocols.............................................................................................43
10. Technology implemented on customer site to ensure security.................................................44
10.1. Personal computer................................................................................................44
10.2. Virtual keyboard...................................................................................................44
10.3. Password protection.............................................................................................45
10.4. Authentication tools.............................................................................................46
10.5. Cookies.................................................................................................................47
10.6. Anti-virus and anti-spam......................................................................................48
10.7. Anti-spyware........................................................................................................48
10.8. Personal firewalls.................................................................................................48
11. Flow chart of security technologies.........................................................................................50
12. Summary of Technologies employed by both user and Merchant in Tabular form...................53
13. Study of comparison of e-commerce setup of Air-India and British-Airways............................54
13.1. Trust and response Time......................................................................................55
13.2. Content Management..........................................................................................56
13.3. E-commerce Platform...........................................................................................59
13.4. Privacy policy.......................................................................................................63
13.5. Security features..................................................................................................66
14. Comparison between airindia.com and britishairways.com in Tabular form...........................72
15. E-commerce status of some others websites...........................................................................73
15.1. Goindigo.com.......................................................................................................73
15.2. Makemytrip.com..................................................................................................74
16. Glossary of security Terms.......................................................................................................77

1. INTRODUCTION
Organisations started developing systems to carry out business transactions over the World Wide
Web with the emergence of the Internet. Electronic commerce is one of the systems that
emerged as a very important application of the World Wide Web. Today it is difficult to find an
isolated computer. It is cheaper and faster to carry out business transactions within an organization
and among organizations electronically using the network connection. Thus it is important to
understand how business transactions are carried out electronically, reliably and securely. When
designing information systems it is essential to understand the emerging web-based transactions. A
number of organizations are exploring how to carry out all day-to-day operations electronically using
the intranet, so it is also called a paperless system.

2. E-COMMERCE

E-commerce (i.e., electronic commerce) is the process of buying and selling goods or services,
including information products and information retrieval services, electronically rather than
through conventional means. It uses electronic means such as EDI (electronic data interchange),
electronic mail, bulletin boards, fax transmissions, electronic funds transfers and the Internet.
Electronic commerce describes the buying and selling of products, services, and information via
computer networks. All organisations use the Internet and the Web to conduct business transactions
between and among organizations and individuals. With the Internet providing a quick and convenient way
of exchanging goods and services both regionally and globally, e-commerce has boomed.

2.1. Advantages of E-commerce

- A variety of goods and services can be bought and sold from one's home, needing only a computer
with an internet connection.
- Transactions can be carried out anytime and anywhere around the world, 24x7.
- Buyers can look for the lowest possible cost for a specific good or service.
- Businesses can reach out to worldwide clients.
- The cost of creating, processing, distributing, storing and retrieving paper-based information
has decreased.
- Payments through electronic funds transfer are faster.
- Supply chain management is simpler, faster, and cheaper using e-commerce.
- Buyers can order from several vendors and monitor supplies simultaneously.
- A check on the production schedule and inventory of an organization can be implemented by
cooperating with suppliers, who can in turn schedule their work.
- There is no need to set up a company physically, so e-commerce businesses have
become virtual multinational corporations.
- With e-commerce systems, the single physical marketplace located in one geographical area has
become a borderless marketplace including national and international markets.

2.2. Disadvantages of E-commerce

- Security in e-commerce may not be very good: viruses and hacker attacks can be used to
steal personal information about the customer.
- The cost of implementing an e-commerce business platform can make it not very profitable for
smaller businesses.
- Some goods, such as perishable goods, are difficult to sell due to many inconveniences.
For example, transportation of eatables like ice-cream, vegetables etc. may cost more than
their actual price.
- Quality of a product is not guaranteed, as quality cannot be checked physically on the internet, so
there is no guarantee of the product we get.
- Delivery of goods may take a longer time.
- One knows nothing about the seller, and hence can be tricked out of money.
- Mechanical failure of the merchant's server or the customer's system can cause unpredictable
effects.

3. MODELS OF E-COMMERCE
Depending on the parties involved in the transaction, e-commerce can be classified into 4 models,
and these are:

- Business to Business (B2B) model
- Business to Consumer (B2C) model
- Consumer to Consumer (C2C) model
- Consumer to Business (C2B) model

3.1. Business-to-Business (B2B) Model

The B2B model involves electronic transactions for ordering, purchasing, as well as other
administrative tasks between business houses. It includes trading goods, such as business subscriptions,
professional services, manufacturing, and wholesale dealings. Sometimes in the B2B model, business
may exist between virtual companies, neither of which may have any physical existence. In such
cases, business is conducted only through the Internet. In short, B2B e-business is that in which a
business markets and sells to other businesses.

Let us look at the same example of www.amazon.com. As you know, www.amazon.com is an online
bookstore that sells books from various publishers including Wrox, O'Reilly, Premier Press, and so on.
In this case, the publishers have the option of either developing their own site or displaying their
books on the Amazon site (www.amazon.com), or both. The publishers mainly choose to display
their books on www.amazon.com as it gives them a larger audience. To do this, the publishers
need to transact with Amazon; this transaction, involving business houses on both ends, is the B2B model.
3.2. Business-to-Consumer (B2C) Model

The B2C model involves transactions between business organizations and consumers. It applies to
any business organization that sells its products or services to consumers over the Internet. These
sites display product information on an online website and store it in a database. The B2C model also
includes services such as online banking, travel services, and health information. In short, B2C e-business is
that in which a business markets and sells directly to consumers.

Consider an example in which a transaction is conducted between a business organization and a
consumer. A business house, Myntra Department Store, displays and sells a range of products on
its Web site, www.Myntra.com. The detailed information on all its products is contained in the
huge catalog maintained by Myntra Department Store. Now, a consumer, William Ward, wants to
buy a gift for his wife. He therefore logs on to the site of Myntra Department Store and selects a
gift from the catalog. He also gets detailed information about the gift, such as the price,
availability, discounts, and so on, from the catalog. Finally, when he decides to buy the gift, he
places an order for it on the Web site. To place an order, he needs to specify his personal and
credit card information on www.Myntra.com. This information is then validated by Myntra
Department Store and stored in its database. On verification of the information, the order is
processed. Therefore, as you can see, the B2C model involves transactions between a consumer and
one or more business organizations.

3.3. Consumer-to-Consumer (C2C) Model

The C2C model involves transactions between consumers. Here, a consumer sells directly to
another consumer. In this model, online auction Web sites like eBay allow a consumer
to advertise and sell their products online to another consumer. However, it is essential that both
the seller and the buyer register with the auction site. While the seller needs to pay a fixed fee
to the online auction house to sell their products, the buyer can bid without paying any fee. The site
brings the buyer and seller together to conduct deals. In short, C2C e-business is that in which one
consumer markets and sells to another consumer through specific websites.

Let us now look at the previous figure with respect to eBay. When a customer plans to sell his
products to other customers on the Web site of eBay, he first needs to interact with the eBay site,
which in this case acts as a facilitator of the overall transaction. Then, the seller can host his product
on www.ebay.com, which in turn charges him for this. Any buyer can now browse the site of eBay to
search for the product he is interested in. If the buyer comes across such a product, he places an order
for it on the Web site of eBay. eBay now purchases the product from the seller and then sells
it to the buyer. In this way, though the transaction is between two customers, an organization acts
as an interface between the two.

3.4. Consumer-to-Business (C2B) Model

The C2B model involves a transaction that is conducted between a consumer and a business
organization. It is similar to the B2C model; however, the difference is that in this case the consumer
is the seller and the business organization is the buyer. In this kind of transaction, the consumer
decides the price of a particular product rather than the supplier. This category includes individuals
who sell products and services to organizations.
For example, www.monster.com is a Web site on which a consumer can post his bio-data for the
services he can offer. Any business organization that is interested in deploying the services of the
consumer can contact him and then employ him, if suitable.

3.5. Government to Consumer (G2C) Model

In this model, the government transacts with an individual consumer. Government can provide a
number of opportunities for customers to take advantage of various government offers. G2C
business involves everything from grants and loans to copies of property transactions and credit
reports. Government contracts can be very lucrative and constitute a huge market for government
to consumer businesses. Consumer to government markets are built by consumers looking for safe
investments through bonds and other safe investment vehicles. In the government to consumer
marketplace, consumers are protected by regulations and agencies that keep watch on public
safety. Finally, G2C e-commerce is becoming more popular as citizens purchase postage,
registrations and permits via G2C websites. For example, a government can enforce laws pertaining
to tax payments by individual consumers over the Internet by using the G2C model.

3.6. Consumer to Government (C2G) Model

In this model, an individual consumer interacts with the government. For example, a consumer can
pay his income tax or house tax online. The transactions involved in this case are C2G transactions.

4. COMPONENTS OF E-COMMERCE

4.1. CREDIT CARD


The term credit card usually refers to a plastic card assigned to a cardholder, usually with a credit
limit, that can be used to purchase goods and services on credit or obtain cash advances. Credit
cards allow cardholders to pay for purchases made over a period of time. Credit card purchases
normally become payable after a free credit period, during which no interest or finance charge is
imposed. Interest is charged on the unpaid balance after the payment is due. Cardholders may pay
the entire amount due and save on the interest that would otherwise be charged. A credit card
always carries a sixteen-digit numeric code, the name of the customer, a 3-digit CVV number and an
expiry date imprinted on it.

4.1.1. Parties involved in the credit card network:

- Cardholders - persons who are authorized to use credit cards for the payment of goods and
services.
- Card issuers - institutions which issue credit cards.
- Merchants - entities which agree to accept credit cards for payment of goods and services.
- Merchant acquirers - banks/NBFCs which enter into agreements with merchants to process
their credit card transactions.
- Credit card associations - organisations that license card issuers to issue credit cards under
their trademark, e.g. Visa and MasterCard, and provide settlement services for their
members (i.e. card issuers and merchant acquirers).

4.1.2. Issue of cards

- Banks issue the card to the customer on the basis of his financial background, or on
behalf of a cardholder in his family.
- Banks should independently assess the credit risk while issuing cards to persons, especially
to students and others with no independent financial means. Add-on cards, i.e. those that
are subsidiary to the principal card, may be issued with the clear understanding that the
liability will be that of the principal cardholder.
- Banks set the credit limit on the basis of the customer's profile: his salary, assets,
house and car.

4.1.3. How credit card processing works

Customer (1) -> Web Server (2) -> Payment Gateway (3) -> Credit card association (4)
    -> Customer bank (5.1) / Merchant bank (5.2) -> Merchant account (6)

Credit card processing workflow

Each of the steps below corresponds to one of the numbered boxes in the workflow
diagram:

- All transactions start with a customer. In this case (box 1), the customer is online, typically
looking at an HTML form. This form collects the customer's credit card information and sends
it to the server for processing. The user fills out the form and then clicks Submit.
- The server receives the information in the form that the user submitted. The server then sends
the information to code that resides on the server for processing.
- The processing code receives the information from the Web server and validates the data
entered by the user. If the data is valid, the code formats it into a format that the
gateway can understand and then sends the formatted data to the gateway. In effect,
the code is asking the gateway whether the credit card is a good card and whether it can do
the transaction.
- The gateway receives the formatted data from the processing code, validates the card, and checks
whether the amount for the transaction is available in the user's account. If the card is
good and the funds are available, the gateway sends an approved message back to the code
(box 3); if the card is bad or the funds are not available, the gateway sends a declined
message back to the code. For providing this service, the gateway charges the merchant a fee.
- As transactions arrive at the gateway, they are batched through to the appropriate
clearinghouse. Box 4 shows some of the bigger clearinghouses. The clearinghouse that is used
is determined by the credit card type and the bank that issued the card. As the clearinghouses
receive transactions from all the gateways, they batch the transactions for all
the banks involved, transferring money from bank to bank. For providing this service, the
clearinghouse takes between two percent and five percent of the total sale.
- As the clearinghouses batch the transactions they receive, they transfer money from the
customer's bank (5.1) to the merchant's bank (5.2).
- The merchant's bank receives the transactions from a clearinghouse and then transfers the
appropriate amount of money for the customer transaction (started in box 1) into the
merchant's Card Not Present merchant account (6). For providing the merchant account, the
bank charges various fees.
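The third step above says the server-side processing code validates the card details from the form and formats them for the gateway, and section 4.1 lists what a card carries (card number, name, CVV, expiry). The following is an added example, not code from this report or from Air India, of what that validation looks like in Python: a Luhn checksum on the card number, expiry and CVV checks, and a masked view of the request that is the only form allowed into logs or the merchant database. The gateway field names, the INR/paise amount field and the "no CVV in logs" policy are assumptions; the sample form data is constructed.

```python
"""Server-side validation of a card-payment form before it is forwarded to a
payment gateway (the processing-code step of the workflow).  Added example;
the gateway request layout and the logging policy are assumptions, not
Air India's code."""
import re
from datetime import date
from typing import Dict, List, Optional, Tuple


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 checksum carried by card numbers.  It catches mistyped
    digits; it says nothing about whether the card is genuine or funded."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first 6 and last 4 digits, the usual form for logs and receipts."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def validate_card_form(form: Dict[str, str], today: date) -> Tuple[Optional[dict], List[str]]:
    """Validate the submitted form.  Returns (gateway_request, errors); the
    request is None when any check fails.  The report describes 16-digit card
    numbers with a 3-digit CVV; this accepts the common 13-19 / 3-4 digit ranges."""
    errors: List[str] = []
    pan = re.sub(r"[ -]", "", form.get("card_number", ""))
    if not (pan.isdigit() and 13 <= len(pan) <= 19):
        errors.append("card number must be 13-19 digits")
    elif not luhn_valid(pan):
        errors.append("card number fails Luhn check")

    cvv = form.get("cvv", "")
    if not re.fullmatch(r"\d{3,4}", cvv):
        errors.append("CVV must be 3 or 4 digits")

    month = year = 0
    m = re.fullmatch(r"(\d{2})/(\d{2})", form.get("expiry", ""))
    if not m:
        errors.append("expiry must be MM/YY")
    else:
        month, year = int(m.group(1)), 2000 + int(m.group(2))
        if not 1 <= month <= 12:
            errors.append("expiry month out of range")
        elif (year, month) < (today.year, today.month):
            errors.append("card has expired")

    name = form.get("name", "").strip()
    if not name or len(name) > 60:
        errors.append("cardholder name missing or too long")

    amount = 0
    try:
        amount = int(form.get("amount_paise", ""))
        if amount <= 0:
            raise ValueError
    except ValueError:
        errors.append("amount must be a positive whole number of paise")

    if errors:
        return None, errors
    # Assumed gateway message layout; real gateways each define their own.
    request = {
        "pan": pan,
        "cvv": cvv,
        "expiry": f"{month:02d}{year % 100:02d}",
        "cardholder": name,
        "amount": amount,
        "currency": "INR",
    }
    return request, []


def log_safe_view(request: dict) -> dict:
    """The only form of the request that should reach logs or the merchant's
    database: masked PAN and no CVV at all (assumed policy)."""
    view = {k: v for k, v in request.items() if k != "cvv"}
    view["pan"] = mask_pan(request["pan"])
    return view


# Constructed sample input: the well-known 4111... test number, not a real card.
SAMPLE_TODAY = date(2012, 6, 15)
SAMPLE_FORM = {
    "card_number": "4111 1111 1111 1111",
    "cvv": "123",
    "expiry": "12/14",
    "name": "A. Customer",
    "amount_paise": "450000",
}

if __name__ == "__main__":
    req, errs = validate_card_form(SAMPLE_FORM, SAMPLE_TODAY)
    print(errs or log_safe_view(req))
```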

4.1.4. Advantages of credit card

- Purchase power and ease of purchase - Credit cards can make it easier to buy things. If you
don't like to carry large amounts of cash with you, or if a company doesn't accept cash
purchases (for example most airlines, hotels, and car rental agencies), putting purchases on
a credit card can make buying things easier.
- Protection of purchases - Credit cards may also offer you additional protection if something
you have bought is lost, damaged, or stolen. Your credit card statement (and the credit
card company) can help you recover the amount that you paid on a purchase if the original
receipt is lost or stolen. In addition, some credit card companies offer insurance on large
purchases.
- Building a credit line - Having a good credit history is often important, not only when
applying for credit cards, but also when applying for things such as loans, rental applications,
or even some jobs. Having a credit card and using it wisely (making payments on time and in
full each month) will help you build a good credit history.
- Emergencies - Credit cards can also be useful in times of emergency. While you should avoid
spending outside your budget (or money you don't have!), sometimes emergencies (such as
flood or fire) may lead to a large purchase.
- Other benefits - In addition to the benefits listed above, some credit cards offer additional
benefits, such as discounts from particular stores or companies, bonuses such as free airline
miles or travel discounts, and special insurances (like travel or life insurance).

4.1.5. Disadvantages of credit card

- There is no need to carry cash along; hence, customers are rid of the risk of losing cash.
- Unbalancing your budget - The biggest disadvantage of credit cards is that they encourage
people to spend money that they don't have. Most credit cards do not require you to pay off
your balance each month, so even if you only have $100, you may be able to spend up to
$500 or $1,000 on your credit card. While this may seem like 'free money' at the time, you
will have to pay it off, and the longer you wait, the more money you will owe, since credit
card companies charge you interest each month on the money you have borrowed.
- High interest rates and increased debt - Credit card companies charge you an enormous
amount of interest on each balance that you don't pay off at the end of each month. This is
how they make their money and this is how most people in the United States get into debt.
- Credit card fraud - Like cash, sometimes credit cards can be stolen. They may be physically
stolen (if you lose your wallet) or someone may steal your credit card number (from a
receipt, over the phone) and use your card to rack up debts. The good news is that, unlike
cash, if you realize your credit card or number has been stolen and you report it to your
credit card company immediately, you will not be charged for any purchases that someone
else has made.
There are several things you can do to prevent credit card fraud:

- If you lose your card or wallet, report it to your credit card company immediately.
- Don't loan your credit card to anyone, and only give out your credit card information
to trusted companies or Web sites.
- Check your statement closely at the end of each month to make sure all charges are
yours.

4.2. Debit card


A debit card is an electronic card issued by a bank which allows bank clients access to their account
to withdraw cash or pay for goods and services. This removes the need for bank clients to go to the
bank to withdraw cash from their account, as they can now just go to an ATM or pay electronically at
merchant locations. This type of card, as a form of payment, also removes the need for checks, as
the debit card immediately transfers money from the client's account to the business's account.
Merchants may also offer cashback facilities to customers, where a customer can withdraw cash
along with their purchase.

4.2.1. Types of Debit card Transaction

- Online transaction: A debit transaction is classified as online when the cardholder's 4-digit PIN
is entered at the point of sale via a PIN pad on a credit card terminal. By entering the 4-digit
PIN the transaction is routed through the debit network. Since the cardholder is
entering a 4-digit PIN (known only to them) and the transaction is routed through
the debit network, merchants usually pay a lower rate to process a PIN-based debit
transaction. Transactions conducted with online debit are reflected in the user's account
balance immediately. A card used in an online transaction is called a PIN-based debit card or true
debit card.

- Offline transaction: An offline debit transaction happens when the 4-digit PIN is not
entered. Since the PIN is not being entered, the transaction is processed through the
Visa/MasterCard network, which means the merchant pays the same rate they would
on a normal credit card. Transactions conducted with offline debit cards require 2-3 days to
be reflected in the user's account balance. A card used in an offline transaction is called a signature-
based debit card or check debit card.

4.2.2. How debit card processing works

Debit card transactions take place in much the same way as credit card transactions. The steps in a debit
card transaction are:-
Transaction flow of a debit card

The card is first presented to the merchant.
The merchant sends the transaction details to the acquiring bank.
The acquiring bank sends these details to the card network (VISA or MASTERCARD) for
authentication of the card.
The card network submits these details to the issuing bank.
The issuing bank pays the amount of the transaction to the acquiring bank, which then pays it to
the merchant.
The acquiring bank acts as a payment gateway.

4.2.3. Advantages of debit cards

A consumer who is not creditworthy, and may find it difficult or impossible to obtain a credit
card, can more easily obtain a debit card, allowing him/her to make plastic transactions.
For most transactions, a check card can be used to avoid check writing altogether. Check cards
debit funds from the user's account on the spot, thereby finalizing the transaction at the time of
purchase and bypassing the requirement to pay a credit card bill at a later date.
Like credit cards, debit cards are accepted by merchants with less identification than personal
checks, thereby making transactions quicker.
Unlike a credit card, which charges higher fees and interest rates when a cash advance is
obtained, a debit card may be used to obtain cash from an ATM or in a PIN-based transaction at no
extra charge, other than a foreign ATM fee.
With a PIN-based debit card the merchant may also provide a cashback facility to the customer, in which an
amount is added to the total purchase price of a transaction paid by debit card and the
customer receives that amount in cash along with the purchase.
4.2.4. Disadvantages of debit cards

Use of a debit card is not usually limited to the existing funds in the account to which it is linked:
most banks allow a certain threshold over the available bank balance, which can cause
overdraft fees if the user's transaction exceeds the available balance.
Many banks are now charging over-limit fees or non-sufficient funds fees based upon pre-
authorizations, and even attempted but refused transactions by the merchant (some of which
may be unknown until later discovery by the account holder).
Many merchants mistakenly believe that amounts owed can be "taken" from a customer's
account after a debit card (or number) has been presented, without agreement as to date,
payee name, amount and currency, thus causing penalty fees for overdrafts, over-the-limit
amounts, amounts not available causing further rejections or overdrafts, and rejected transactions by
some banks.
In some countries debit cards offer lower levels of security protection than credit cards. Theft of
the user's PIN using skimming devices can be accomplished much more easily with a PIN input than
with a signature-based credit transaction.
In many places, laws protect the consumer from fraud much less than with a credit card. While
the holder of a credit card is legally responsible for only a minimal amount of a fraudulent
transaction made with a credit card, which is often waived by the bank, the consumer may be
held liable for hundreds of dollars, or even the entire value of fraudulent debit transactions.
Because debit cards allow funds to be immediately transferred from an account when making a
purchase, the consumer also has a shorter time (usually just two days) to report such fraud to
the bank and recover the lost funds, whereas with a credit card this time may be up to 60 days,
and the transactions are removed without losing any credit.

4.3. P-COMMERCE

P-commerce (i.e. physical commerce) is a subpart of e-commerce in which the consumer deals with the
merchant physically. It is the same as e-commerce except for how the card information is passed to the
merchant. In e-commerce the customer visits the merchant's site and makes payment by filling in the
card (credit/debit) details in a form, but in p-commerce the customer gives his card to the merchant
physically (by hand) and the merchant passes the card details on to the payment gateway by swiping
the card on a POS (point of sale) machine.

4.3.1. PROCESSING FLOW DIAGRAM

[Flow diagram, reconstructed as text]
Customer -> Merchant's POS machine -> Acquiring bank -> Payment gateway -> Card network (Visa, Mastercard) -> Issuer bank -> Decisional box
If not authorized: the flow returns to the customer.
If authorized (issuer side): Issuer's response to payment gateway -> Transfer payment from issuer's account to acquirer's account -> Payment transferred from acquirer's account to merchant's account -> End
If authorized (merchant side): Payment gateway's response to merchant -> Merchant's response to customer by receipt -> Receipt signed by customer -> End

4.3.2. Sequence of Transactions in Manual Credit Card Payment:

The customer presents the credit card after purchase. The merchant swipes it on his special POS
machine and enters the amount.
Data from the merchant's terminal goes to the acquirer via a private telephone line.
The acquirer checks the validity of the card and credit availability with the issuing bank.
The acquirer authorizes the sale if all is OK and sends an approval slip, which is printed at the merchant's
terminal.
The merchant takes the customer's signature on the slip, verifies it against the signature on the card and
delivers the goods.
The acquirer pays the money to the merchant and collects it from the appropriate issuing bank.
The bank sends a monthly statement to the customer and collects the outstanding amount.

Credit and debit card processing begins with the customer presenting their card to the merchant for
payment, and ends when the merchant receives those funds from the processor. There are four
steps involved in the processing flow and they are: authorization, batching, settlement, and funding.

Authorization is basically the approval of a transaction from the card issuer. Once a
cardholder's information is submitted for payment, it travels to the merchant's acquirer
network. From the acquirers network, the information is sent to the card issuer for
authorization. The card issuer looks for validity of the card number, and ensures there are
adequate funds to cover the transaction. Once approved, the issuer sends back an
authorization number for the transaction. The entire process takes around 3 seconds. The
sale is complete, but there has been no exchange of money.

Batching is the storing of all authorized transactions. Batches are held in the memory of the merchant's
equipment. The merchant must send the batched transactions to the acquirer
before payment can be made. This is also known as "clearing the batch." Most merchants
clear their batch at the end of each business day.

Settlement occurs when the acquirer sends the entire batch, through the card association,
to the card issuers for payment. Issuers make payment for authorized transactions directly
to the acquirer through the Federal Reserve Bank's Automated Clearing House (ACH).

Funding of transaction monies occurs after the acquirer has received payment from the card
issuer. The merchant receives the transaction amount(s) minus the discount rate, which is
the fee the merchant pays the acquirer for processing the transaction. The discount rate
includes fees paid to card associations and card issuers.
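As an added illustration (not code from the report), the four steps above as a small Python model: the issuer's card-number validity check is assumed to be the Luhn checksum, the 2.5% discount rate and the card balances are constructed values, and a ledger shows that authorization moves no money while settlement and funding do.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed discount rate in basis points (2.5%); the report gives no figure.
DISCOUNT_RATE_BPS = 250


def luhn_valid(card_number: str) -> bool:
    """Card-number validity check run by the issuer (assumed to be the Luhn checksum)."""
    if not card_number.isdigit() or len(card_number) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(card_number)):
        digit = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


@dataclass
class Transaction:
    card_number: str
    amount: int        # in paise, to avoid floating-point rounding
    auth_code: str


@dataclass
class Issuer:
    """Card issuer: holds cardholders' available funds and answers authorization requests."""
    available_funds: Dict[str, int]
    next_auth: int = 1

    def authorize(self, card_number: str, amount: int) -> Optional[str]:
        if not luhn_valid(card_number) or card_number not in self.available_funds:
            return None
        if self.available_funds[card_number] < amount:
            return None                               # inadequate funds
        self.available_funds[card_number] -= amount   # funds held; no money moves yet
        code = f"AUTH{self.next_auth:06d}"
        self.next_auth += 1
        return code


@dataclass
class Ledger:
    """Net money flows between the three parties (all start at zero, so the issuer goes negative)."""
    balances: Dict[str, int] = field(
        default_factory=lambda: {"issuer": 0, "acquirer": 0, "merchant": 0})

    def move(self, src: str, dst: str, amount: int) -> None:
        self.balances[src] -= amount
        self.balances[dst] += amount


@dataclass
class Merchant:
    issuer: Issuer
    ledger: Ledger
    batch: List[Transaction] = field(default_factory=list)

    def sale(self, card_number: str, amount: int) -> Optional[str]:
        """Step 1, authorization: an approved sale is stored in the batch; no funds move."""
        code = self.issuer.authorize(card_number, amount)
        if code is not None:
            self.batch.append(Transaction(card_number, amount, code))
        return code

    def clear_batch(self) -> int:
        """Steps 2-4: the stored batch goes to the acquirer (batching), the issuer pays
        the acquirer (settlement) and the acquirer pays the merchant less the discount
        rate (funding). Returns the total funded to the merchant in paise."""
        funded = 0
        for tx in self.batch:
            self.ledger.move("issuer", "acquirer", tx.amount)
            fee = tx.amount * DISCOUNT_RATE_BPS // 10_000
            self.ledger.move("acquirer", "merchant", tx.amount - fee)
            funded += tx.amount - fee
        self.batch = []
        return funded


if __name__ == "__main__":
    # Constructed sample: a well-known test card number with Rs 500 available.
    issuer = Issuer({"4111111111111111": 50_000})
    ledger = Ledger()
    shop = Merchant(issuer, ledger)
    print("Rs 120 sale:", shop.sale("4111111111111111", 12_000))   # AUTH000001
    print("Rs 600 sale:", shop.sale("4111111111111111", 60_000))   # None, inadequate funds
    print("bad checksum:", shop.sale("4111111111111112", 1_000))   # None, invalid number
    print("before clearing:", ledger.balances)
    print("funded to merchant (paise):", shop.clear_batch())       # 11700
    print("after clearing:", ledger.balances)
```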

5. CHANNELS OF E-COMMERCE

5.1. Internet Banking


Internet banking (or e-banking) allows customers of a financial institution to conduct financial
transactions on a secure website operated by the institution, which can be a virtual bank or retailer.
To access a financial institution's online banking facility, a customer having personal Internet access
must register with the institution for the service and set up a password (known under various names)
for customer verification. To access online banking, the customer goes to the financial
institution's website and enters the online banking facility using the customer number and password.
Some financial institutions have set up additional security steps for secure access.

5.1.1. Features of Internet Banking:

A customer can perform some non-transactional tasks through online banking, such as:-
A customer can view his account balances.
One can view recent transactions.
A customer can download bank statements.
One can view images of prepaid cheques.
One can also order cheque books.

A customer can also perform transactional tasks through online banking, such as:-
Funds can be transferred between a customer's linked accounts.
A customer can also pay a third party, i.e. pay bills.
We can make an online purchase or sale of a product.

5.1.2. Parties involved in Net-Banking:

Originator/Sender means the person who issues a payment instruction to the
sending bank.
Sending/Originating bank means the branch of a bank which receives a payment instruction
from its customer for transfer of funds to the account of a beneficiary with another bank through
NEFT.
SFMS message means an electronic SFMS (structured financial messaging system) message
of a batch of payment instructions for funds transfers, processed and consolidated in the
manner specified for transmission and communications concerning payment instructions.
NEFT Service Centre or pool centre means an office or branch of a bank in a centre
designated by that bank to be responsible for processing, sending or receiving NEFT SFMS
messages of that bank in that centre and to do all other functions. A NEFT Service Centre is
referred to as the "Sending NEFT Service Centre" when it originates an NEFT SFMS message for
funds transfer. A NEFT Service Centre is referred to as the "Receiving NEFT Service Centre" when
it receives an NEFT SFMS message from the NEFT Centre.
NEFT Clearing Centre means any office designated by the Nodal Department in each of the
centres to which the NEFT system is extended, for receiving, processing and sending the NEFT
SFMS message and the debiting and crediting of accounts of the participating banks.
The National Clearing Cell, Nariman Point, Mumbai is designated as the NEFT Clearing
Centre (NCC) for purposes of the NEFT System.
Beneficiary means the person designated as such to whose account a payment is directed to be
made in a payment instruction.
Beneficiary bank means the branch of the bank identified in a payment instruction which
maintains the account of the beneficiary.

5.1.3. Transfer Schemes of Internet Banking

NEFT (National Electronics Funds Transfer) scheme


National Electronic Funds Transfer (NEFT) is a nation-wide system that enables individuals, firms
and corporates to electronically transfer funds from any bank branch to any individual, firm or
corporate having an account with any other bank branch in the country. A funds transfer from one
account to another usually follows the RBI's NEFT (National Electronic Funds Transfer)
scheme. The funds transfer in NEFT takes place within the same day if it is within the cut-off time and
on the next working day if it is beyond the prescribed cut-off time.

It is a batch settlement mode that operates on a deferred net settlement (DNS) basis, which settles
transactions in batches. In DNS, the settlement takes place at a particular point in time. All
transactions are held up till that time. Any transaction initiated after a designated settlement time
has to wait till the next designated settlement time. There is no minimum or maximum
transaction funds limit. For example, NEFT settlement takes place 6 times a day on week
days (9.30 am, 10.30 am, 12.00 noon, 1.00 pm, 3.00 pm and 4.00 pm) and 3 times on
Saturdays (9.30 am, 10.30 am and 12.00 noon).

The various steps involved in NEFT scheme are:-

A user wishing to transfer funds using the NEFT scheme has to fill in an application form provided
by the originating bank, i.e. the user's bank, giving details such as the name of the beneficiary, the
bank where he has an account, the IFSC (Indian Financial System Code) of the beneficiary's bank
branch, his account type, account number etc. The user authorizes the amount to be taken
from his account and transferred to the beneficiary.
The originating bank prepares a message and sends it to its pooling centre, which is also
known as the NEFT service centre.
The pooling centre forwards this message to the NEFT Clearing Centre to be included in the
next available batch. This Clearing Centre is operated by the National Clearing Cell, RBI, at
Mumbai.
The Clearing Centre sorts the funds transfers bank-wise and prepares accounting entries to
receive funds from the originating banks and give the funds to the destination banks. The bank-wise
remittance messages are sent through their pooling centres.
The banks receive the remittance messages from the Clearing Centre and pass the funds to the
beneficiary's account.

[Diagram: NEFT scheme by Reserve Bank of India] Originating bank -> Pooling centre -> NEFT Clearing Centre (RBI) -> Pooling centre -> Beneficiary's bank

RTGS (Real Time Gross Settlement) scheme


There is another scheme which can be followed for transferring funds. RTGS stands for Real Time Gross
Settlement. "Real time" means that transaction instructions are handled at the moment they are
received rather than later. "Gross settlement" means fund transfer instructions are processed
individually, instruction by instruction. This is different from NEFT because in NEFT settlement
takes place in batches, whereas in RTGS instructions are processed as soon as they are
received. The RTGS system is primarily meant for large value transactions. The minimum amount to
be remitted through RTGS is 2 lakhs. There is no upper limit for RTGS transactions.
The flow of funds in RTGS is the same as in NEFT but completes within 2 hours of the request. The RTGS service
window for customers' transactions is available from 9.00 hours to 16.30 hours on week days and
from 9.00 hours to 13.30 hours on Saturdays for settlement at the RBI end. However, the timings
that the banks follow may vary depending on the customer timings of the bank branches.

RTGS vs. NEFT


NEFT refers to National Electronic Funds Transfer. It is an online system for transferring funds from
one financial institution to another within India (usually banks). The fundamental difference
between RTGS and NEFT is that RTGS is based on gross settlement while NEFT is based on net
settlement. Gross settlement is where a transaction is completed on a one-to-one basis without
bunching with other transactions. Deferred Net Settlement (DNS), or net settlement, is where
transactions are completed in batches at specific times. Here, all transfers are held up until a
specific time. RTGS transactions are processed throughout the working hours of the system.
RTGS transactions involve large amounts of money; basically only funds above Rs 100,000 may be
transferred using this system. With NEFT, any amount below Rs 100,000 may be transferred, and this
system is generally for smaller value transactions involving smaller amounts of money. The NEFT scheme
completes the transaction within the same day or on the next day, while the RTGS scheme completes its
transaction within 2 hours.
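An added example, not part of the report: the NEFT settlement timetable and the RTGS rules described above as Python, so that a transfer instruction can be routed and its completion time computed. It uses the Rs 2 lakh RTGS minimum from the RTGS section and assumes (the report does not say) that a large-value transfer submitted outside the RTGS window falls back to NEFT.

```python
from datetime import date, datetime, time, timedelta
from typing import List, Tuple

# NEFT batch settlement times given in the report: six on weekdays, three on Saturdays.
WEEKDAY_BATCHES = [time(9, 30), time(10, 30), time(12, 0), time(13, 0), time(15, 0), time(16, 0)]
SATURDAY_BATCHES = [time(9, 30), time(10, 30), time(12, 0)]

# RTGS figures given in the report: Rs 2 lakh minimum, completion within 2 hours, and a
# customer service window of 9.00-16.30 on weekdays and 9.00-13.30 on Saturdays.
RTGS_MIN_AMOUNT_RS = 200_000
RTGS_COMPLETION = timedelta(hours=2)
RTGS_WINDOW_WEEKDAY = (time(9, 0), time(16, 30))
RTGS_WINDOW_SATURDAY = (time(9, 0), time(13, 30))


def neft_batches_for(day: date) -> List[time]:
    """Settlement batches on a given calendar day (none on Sundays)."""
    if day.weekday() < 5:
        return WEEKDAY_BATCHES
    if day.weekday() == 5:
        return SATURDAY_BATCHES
    return []


def next_neft_settlement(initiated: datetime) -> datetime:
    """Deferred net settlement: a transfer waits for the next designated batch.
    A transfer initiated after the last batch of the day rolls over to the first
    batch of the next working day."""
    day = initiated.date()
    for _ in range(8):  # a week is enough to reach the next working day
        for batch_time in neft_batches_for(day):
            candidate = datetime.combine(day, batch_time)
            if candidate >= initiated:
                return candidate
        day += timedelta(days=1)
    raise RuntimeError("no NEFT batch found within a week")


def rtgs_window_open(at: datetime) -> bool:
    """Is the RTGS customer service window open at this instant?"""
    if at.weekday() < 5:
        start, end = RTGS_WINDOW_WEEKDAY
    elif at.weekday() == 5:
        start, end = RTGS_WINDOW_SATURDAY
    else:
        return False
    return start <= at.time() <= end


def route_transfer(amount_rs: int, initiated: datetime) -> Tuple[str, datetime]:
    """Pick RTGS or NEFT for a transfer and return (scheme, expected completion time).
    Assumption (not stated in the report): a large-value transfer submitted outside
    the RTGS window is sent through NEFT instead of being rejected."""
    if amount_rs >= RTGS_MIN_AMOUNT_RS and rtgs_window_open(initiated):
        return "RTGS", initiated + RTGS_COMPLETION
    return "NEFT", next_neft_settlement(initiated)


if __name__ == "__main__":
    # Constructed sample instructions: 10 July 2012 was a Tuesday, 14 July a Saturday.
    for amount, when in [(50_000, datetime(2012, 7, 10, 11, 0)),
                         (250_000, datetime(2012, 7, 10, 11, 0)),
                         (250_000, datetime(2012, 7, 14, 14, 0))]:
        scheme, done = route_transfer(amount, when)
        print(f"Rs {amount:>8,} at {when:%a %H:%M} -> {scheme}, completes by {done:%a %d %b %H:%M}")
```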

5.1.4. System Security used in Net Banking

Login ID and password: Each customer is provided with a User ID and Password. The
password is generated in such a way that it is known only to the customer. Without a valid
IPIN corresponding to the customer ID, access to the customer's account cannot be gained by
anyone. To provide enhanced security and safety, some banks have introduced an Access Code. To
log in to Net Banking / Payment Gateway you would need to enter an additional password,
i.e. your 'Access Code'. This Access Code is generated online and will be sent
instantly to your preferred Email ID and Mobile Number registered with the Bank. The Access
Code is valid up to 11:59 P.M. (valid up to 24 hours) of the day it is generated by you. The Access
Code can be generated by entering your User ID / Nick Name and your Net Banking
Password and clicking on the 'Generate Access Code' tab on the Access Code login page.
Session time-out security system: Protected by the most stringent security systems, Net Banking
allows you to transact over a completely secure medium. All your transactions travel via a
256-bit SSL encrypted medium, the highest level of security on the internet. Many banks,
such as HDFC Bank, use systems that time out the customer's login session to his Net
Banking account upon prolonged inactivity, for protection against misuse.
Digital certificates: Web pages of many financial institutions are verified by digital
certificates provided by VeriSign, TCS, MTNL etc. so that the customer can identify the
real web page of the financial institution and is not misled by fake websites.
Virtual keyboard: Many banks, such as HDFC Bank, offer a virtual keyboard feature for
logging into a Net Banking account. This protects the user's password from being
compromised by key logger software installed on untrusted/shared computers, e.g. in cyber
cafes.
Instant alerts: Various banks provide instant alert services like SMS or E-Mail alerts on
every transaction. Alerts are also provided when adding a beneficiary for carrying out
Third Party Transfer transactions.
Security tools: Many banks use security tools such as firewalls and anti-malware systems to
ensure the safety of their customers.

A few tips to ensure complete security of your account while using internet banking:
Never disclose your password to others.
Your password should be random, i.e. not something which can be easily guessed by others, like
your date of birth.
Do not write your password on pieces of paper, so that it cannot be read by others.
While logging in, use the virtual keyboard option: an image of a keyboard is shown
on your computer screen and you press the appropriate keys on that virtual keyboard
using your mouse. The order of characters on the virtual keyboard changes every time. This is
to reduce the risk of a keylogger on your system capturing your password.
Once you have finished your task, log out properly from your account. If you do not,
anybody who uses the system after you can misuse your account.
Immediately inform the bank if you receive a message from the bank about a transaction which
was not done by you.

5.1.5. Application of net banking in online-shopping

General steps involved in bill payment through net banking


The primary step is visiting the merchant website.
To view our outstanding bills, we are directed to Bill Desk. Bill Desk acts as the payment
gateway.
We select Net Banking as the payment mode and are directed to our net banking account.
Here, user account details are entered. Users are generally asked to enter their Login ID and
password and verify the picture registered by the user at the time of Net Banking registration.
The due amount is entered and paid.
The funds are transferred to the merchant's account.

[Diagram: Net Banking account transaction flow] Merchant (due bills) -> directed to Bill Desk -> details are entered -> Net Banking (customer's account) -> funds transferred to merchant -> Merchant

5.2. PAYMENT GATEWAY

A payment gateway is connected to all customers, merchants and banks through the Internet and is
responsible for the speed, reliability and security of all transactions that take place. The payment
networks are the centre of the cardholder transaction process and maintain the flow of information
and funds between issuing banks and acquiring banks.
In a typical cardholder transaction, the transaction data first moves from the merchant to the
acquiring bank (and through its card processor, if applicable), then to the Associations, and finally to
the issuing bank (and through its card processor, if applicable). The issuing bank ultimately bills the
cardholder for the amount of the sale. Clearing is the term used to refer to the successful
transmission of the sales transaction data. At this point, no money has changed hands; rather, only
financial liability has shifted. The merchant, however, needs to be paid for the sale.
Settlement is the term used to refer to the exchange of the actual funds for the transaction and its
associated fees. Funds to cover the transaction and pay the merchant flow in the opposite direction:
from the issuing bank to the Associations, to the acquiring bank, and finally to the merchant. The
merchant typically receives funds within a few days of the sales transaction.

6. Information Security in e-commerce

Computer system and network security is most important in embedded systems like ATM machines,
smartcards etc. Security is concerned with the ability of a system to prevent unauthorized access to
information or services. Confidentiality, Integrity and Availability are the three fundamental objectives of
security. Though these objectives seem simple, a foolproof implementation is highly complex.
Authentication and access control techniques are used to provide confidentiality. Data encryption is
often used to provide integrity. Confidentiality, Integrity and Availability are explained below in detail:

6.1. Confidentiality-

Confidentiality is ensuring that information is accessible only to those authorized to have access,
regardless of where the information is stored or how it is accessed. Confidentiality loss happens
when information can be viewed (read) by individuals who shouldn't access it. Loss of confidentiality
can happen physically or electronically. Electronic confidentiality loss can happen when clients
and servers aren't encrypting their communications, which allows malicious entities to view private
communications. Physical confidentiality loss can happen through social engineering or through theft,
which typically means having laptops stolen. Confidentiality can be achieved by some of the following
ways:

Access Control
Authentication by Passwords and Biometric

6.2. Integrity-

Data integrity is defined as safeguarding the accuracy and completeness of information and
processing methods from intentional, unauthorized or accidental changes. Integrity loss happens
when information is modified without the modification being authorized. This doesn't mean that an
unauthorized party has to cause the integrity loss. Integrity loss can also be due to an authorized
party doing something they shouldn't; an example would be a system administrator deleting an
account record they weren't authorized to delete. Integrity loss can happen either accidentally or
through malicious intent. Malicious integrity loss can happen when a user purposely adds, deletes
or modifies database records. This can occur either through an authorized party (someone who has
the access to actually modify the record) or by an unauthorized party, when the user has access that
they shouldn't have. Accidental integrity loss happens when a system modifies or deletes records
that it shouldn't. This can happen when a virus infects a system or when a user does something that
he didn't intend to do. This is often why systems verify that you want a file deleted before they
actually do so. Data integrity can be maintained by any of the following ways:
Data encryption.
Secure Sockets Layer / Transport Layer Security (SSL/TLS) techniques.
Auditing.

6.3. Availability-

Availability is the simple idea that when a user or system attempts to access something, it is
available to be accessed. This is extremely important for mission critical systems. Availability for
these systems is so critical that most companies have business continuity plans (BCPs) in order for
their systems to have redundancy. Just like confidentiality and integrity loss, availability loss can
happen by accident, such as a car crashing into a fibre pole and disabling access to a system, or through
malicious intent, such as a Denial-of-Service attack. Availability of a network can be maintained by the
following ways:

Data back-up plan.
Disaster recovery plan.
Business continuity plan or business resumption plan.

7. How attacker can target the network

An e-Commerce system has several points that an attacker can target, as follows:
Tricking the shopper-Some of the easiest and most profitable attacks are based on tricking
the shopper (customer), also known as social engineering techniques. These attacks involve
tracing the shopper's behaviour and gathering information to use against the shopper. A
common scenario is that the attacker calls the shopper, pretending to be a representative
from a site visited, and extracts information. The attacker then calls a customer service
representative at the site, posing as the shopper and providing personal information. The
attacker then asks for the password to be reset to a specific value.
Another common form of social engineering attacks are phishing schemes. Attackers play on
the names of famous sites to collect authentication and registration information. For
example, http://www.ibm.com/shop is registered by the attacker as www.ibn.com/shop. A
shopper mistypes and enters the illegitimate site and provides confidential information.
Alternatively, the attacker sends emails spoofed to look like they came from legitimate sites.
The link inside the email maps to a rogue site that collects the information.
Snooping the shopper's computer-Millions of computers are added to the Internet every
month. Most users' knowledge of the security vulnerabilities of their systems is vague. In most
cases, enabling security features requires a non-technical user to read manuals written for
the technologist. The confused user does not attempt to enable the security features. This
creates a golden opportunity for attackers.
A popular technique for gaining entry into the shopper's system is to use a tool, such as
SATAN, to perform port scans on a computer that detect entry points into the machine.
Based on the opened ports found, the attacker can use various techniques to gain entry into
the user's system. Upon entry, they scan your file system for personal information, such as
passwords.
Sniffing the network-In this scheme, the attacker monitors the data between the shopper's
computer and the server. He collects data about the shopper or steals personal information,
such as credit card numbers. There are points in the network where this attack is more
practical than others. If the attacker sits in the middle of the network, then within the scope
of the Internet, this attack becomes impractical. A request from the client to the server
computer is broken up into small pieces known as packets as it leaves the client's computer
and is reconstructed at the server. The packets of a request are sent through different
routes. The attacker cannot access all the packets of a request and cannot reassemble what
message was sent, if he is in the middle of network. A more practical location for this attack
is near the shopper's computer or the server. Wireless hubs make attacks on the shopper's
computer network the better choice because most wireless hubs are shipped with security
features disabled. This allows an attacker to easily scan unencrypted traffic from the user's
computer.
Guessing passwords-Another common attack is to guess a user's password. This style of
attack is manual or automated. Manual attacks are laborious, and only successful if the
attacker knows something about the shopper. For example, if the shopper uses their child's
name as the password. Automated attacks have a higher likelihood of success, because the
probability of guessing a user ID/password becomes more significant as the number of tries
increases. Tools exist that use all the words in the dictionary to test user ID/password
combinations, or that attack popular user ID/password combinations.
Using known server vulnerabilities-The attacker analyzes the site to find what types of software are used
on the site. He then proceeds to find what security patches were issued for the software.
Additionally, he searches for how to exploit systems that lack those patches. He proceeds
to try each of the exploits. The sophisticated attacker finds a weakness in a similar type of
software, and tries to use that to exploit the system. This is a simple but effective attack.
With millions of servers online, what is the probability that a system administrator forgot to
apply a security patch?
Using server root exploits-Root exploits refer to techniques that gain super user access to
the server. When attacking a shopper or his computer, an attacker can only affect one individual.
With a root exploit, the attacker gains control of the merchant's and all the shoppers' information on
the site. There are two main types of root exploits: buffer overflow attacks and executing
scripts against a server. In a buffer overflow attack, the hacker takes advantage of a specific
type of computer program bug that involves the allocation of storage during program
execution. The technique involves tricking the server into executing code written by the
attacker. The other technique uses knowledge of scripts that are executed by the server.
This is easily and freely found in the programming guides for the server. The attacker tries to
construct scripts in the URL of his browser to retrieve information from the server. This
technique is frequently used when the attacker is trying to retrieve data from the server's
database.

8. Defences against the attack to network

Despite the existence of hackers and crackers, e-Commerce remains a safe and secure activity. The
resources available to large companies involved in e-Commerce are enormous. These companies will
pursue every legal route to protect their customers. The defences available against attacks are listed
below.

Education-Your system is only as secure as the people who use it. If a shopper chooses a
weak password, or does not keep their password confidential, then an attacker can pose as
that user. This is significant if the compromised password belongs to an administrator of the
system. In this case, there is likely physical security involved because the administrator client
may not be exposed outside the firewall. Users need to use good judgement when giving out
information, and be educated about possible phishing schemes and other social engineering
attacks.
Personal firewalls-When connecting your computer to a network, it becomes vulnerable to
attack. A personal firewall helps protect your computer by limiting the types of traffic
initiated by and directed to your computer. If personal firewall is not working then the
attacker can also scan the hard drive to detect any stored passwords.
Secure Socket Layer (SSL)-Secure Socket Layer (SSL) is a protocol that encrypts data between
the shopper's computer and the site's server. When an SSL-protected page is requested, the
browser identifies the server as a trusted entity and initiates a handshake to pass encryption
key information back and forth. Now, on subsequent requests to the server, the information
flowing back and forth is encrypted so that a hacker sniffing the network cannot read the
contents.
The SSL certificate is issued to the server by a certificate authority authorized by the
government. When a request is made from the shopper's browser to the site's server using
https://..., the shopper's browser checks if this site has a certificate it can recognize. If the
site is not recognized by a trusted certificate authority, then the browser issues a warning to
the system.
Password policies-Ensure that password policies are enforced for shoppers and internal
users. A sample password policy, defined as part of the Federal Information Processing
Standard (FIPS), is listed below:

Maximum life-time of passwords - 180 days
Consecutive unsuccessful login delay - 10 seconds
Maximum occurrence of consecutive characters - 3 characters
Minimum length of alphabet characters - 1 alphabetic character
Minimum length of numeric characters - 1 numeric character
Minimum length of password - 6 characters
Account lockout threshold - 6 attempts

You may choose to have different policies for shoppers versus your internal users. For
example, you may choose to lockout an administrator after 3 failed login attempts instead of
6. These password policies protect against attacks that attempt to guess the user's
password. They ensure that passwords are sufficiently strong enough so that they cannot be
easily guessed. The account lockout capability ensures that an automated scheme cannot
make more than a few guesses before the account is locked.
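The policy above can be enforced mechanically. The following Python program is an added illustration written for this report, not part of the original text or of any Air India system: it encodes the sample FIPS parameters listed above, checks candidate passwords against them, flags expired passwords, and models the post-failure delay and account lockout for both the shopper policy and a stricter administrator policy (3 attempts). The constructed password "Sky2012x", the scripted login attempts and the use of PBKDF2 for password storage are illustrative assumptions, not details taken from the report.

```python
"""Password policy checker and login guard for the FIPS-style sample policy (added example)."""
import hashlib
import hmac
import os
import re
from datetime import date

# The sample policy quoted in the text; the admin variant tightens lockout to 3 attempts.
SHOPPER_POLICY = {
    "max_age_days": 180,          # maximum lifetime of a password
    "login_delay_seconds": 10,    # delay enforced after an unsuccessful login
    "max_consecutive": 3,         # a character may repeat at most 3 times in a row
    "min_alpha": 1,
    "min_digits": 1,
    "min_length": 6,
    "lockout_threshold": 6,
}
ADMIN_POLICY = {**SHOPPER_POLICY, "lockout_threshold": 3}


def check_password(password: str, policy: dict) -> list:
    """Return the names of the rules the password violates (empty list = compliant)."""
    violations = []
    if len(password) < policy["min_length"]:
        violations.append("too_short")
    if sum(c.isalpha() for c in password) < policy["min_alpha"]:
        violations.append("no_alpha")
    if sum(c.isdigit() for c in password) < policy["min_digits"]:
        violations.append("no_digit")
    # (.)\1{3} matches the same character four times in a row: one more than allowed.
    if re.search(r"(.)\1{%d}" % policy["max_consecutive"], password):
        violations.append("consecutive_repeat")
    return violations


def password_expired(set_on_iso: str, today_iso: str, policy: dict) -> bool:
    """True once the password is older than the maximum lifetime (ISO dates in, e.g. 2012-01-01)."""
    age = date.fromisoformat(today_iso) - date.fromisoformat(set_on_iso)
    return age.days > policy["max_age_days"]


def hash_password(password: str, salt: bytes) -> bytes:
    # Standard-library PBKDF2 (assumption: a deployment would pick its own slow hash);
    # the point is that only a salted hash, never the password, is stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginGuard:
    """Tracks failed logins for one account and enforces the delay and lockout rules."""

    def __init__(self, password: str, policy: dict):
        self.policy = policy
        self.salt = os.urandom(16)
        self.stored = hash_password(password, self.salt)
        self.failures = 0
        self.last_failure_at = None
        self.locked = False

    def attempt(self, supplied: str, now: float) -> str:
        """Outcome of one login attempt at time `now` (seconds): ok, bad_password, too_soon or locked."""
        if self.locked:
            return "locked"
        if (self.last_failure_at is not None
                and now - self.last_failure_at < self.policy["login_delay_seconds"]):
            return "too_soon"          # attempt arrived inside the post-failure delay window
        if hmac.compare_digest(hash_password(supplied, self.salt), self.stored):
            self.failures = 0
            return "ok"
        self.failures += 1
        self.last_failure_at = now
        if self.failures >= self.policy["lockout_threshold"]:
            self.locked = True
            return "locked"
        return "bad_password"


def simulate(policy: dict, attempts) -> list:
    """Run scripted (time_in_seconds, supplied_password) attempts against an account
    whose real password is the constructed value 'Sky2012x'."""
    guard = LoginGuard("Sky2012x", policy)
    return [guard.attempt(pw, t) for t, pw in attempts]


if __name__ == "__main__":
    print(check_password("aaaa12", SHOPPER_POLICY))
    wrong = [(10.0 * i, "guess%d" % i) for i in range(6)]   # six wrong guesses, 10 s apart
    print(simulate(SHOPPER_POLICY, wrong))
    print(simulate(ADMIN_POLICY, wrong))
```

With six wrong guesses spaced ten seconds apart, the shopper policy returns five "bad_password" results and then "locked", while the administrator policy locks on the third attempt; a second attempt made only five seconds after a failure is refused as "too_soon" regardless of whether it is correct.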

9. Technology implemented on merchant site to ensure security in e-commerce

9.1. Firewall
A firewall is a mechanism used to protect a trusted network from an un-trusted network, usually
while still allowing traffic between the two. Typically, the two networks in question are an
organization's internal (trusted) network and the (un-trusted) Internet. Alternatively, a firewall
can be defined as a collection of components or a system placed between two networks and
possessing the following properties:
- All traffic from inside to outside and vice-versa must pass through it.
- Only authorized traffic, as defined by the administrative security policy, is allowed to pass through it.
- The system itself is highly resistant to penetration.
There are two types of firewalls:

Host-Based Firewalls - Host-based firewalls are software firewalls installed on each individual
system. Depending on the software you choose, a host-based firewall can offer features
beyond those of network firewalls, such as protecting your computer from spyware (a
component of some free software that tracks your Web browsing habits) and Trojan horses
(a program that claims to do one thing, but does another, malicious thing, such as recording
your passwords). If you travel with a laptop, a host-based firewall is a necessity: you need
protection wherever you connect to the Internet, and your hardware firewall can protect
you only at home.
Why would you buy third-party firewall software when Windows XP includes ICF (Internet
Connection Firewall) for free? ICF is designed to provide basic intrusion prevention, but
doesn't include the rich features of a third-party firewall application. Most third-party
firewalls protect you from software that could violate your privacy or allow an attacker to
misuse your computer, features not found in ICF. Also, you can install third-party firewall
programs on systems that have older versions of Windows. Note that firewall software
doesn't replace antivirus software. You should use both. Popular host-based firewall
products include ZoneAlarm, Tiny Personal Firewall, Agnitum Outpost Firewall, Kerio
Personal Firewall, and Internet Security Systems' BlackICE PC Protection.
Network Firewalls - Network firewalls protect an entire network by guarding the perimeter of
that network. Network firewalls forward traffic to and from computers on an internal
network, and filter that traffic based on the criteria the administrator has set. Network
firewalls come in two flavors: hardware firewalls and software firewalls.
- Hardware-based network firewalls can be purchased as a separate product. A
hardware firewall uses packet filtering to examine the header of a packet to
determine its source and destination. This information is compared to a set of
predefined or user-created rules that determine whether the packet is to be
forwarded or dropped. A consumer can get manuals and other documents related to
the firewall from the manufacturer's webpage. Hardware-based network firewalls are
generally cheaper than software-based network firewalls, and are the right choice
for home users and many small businesses.
- Software-based network firewalls can be installed on a computer and be
customized according to the user's wishes to control their functions and protection
features. A software firewall is generally used to protect the user's computer from
outside attacks such as Trojans and e-mail worms. The main disadvantage of
software firewalls is that each firewall protects only the computer on which it is installed
and not the other computers on the network. So, it becomes necessary to install a software
firewall on each computer. Software-based network firewalls often have a larger
feature set than hardware-based firewalls, and might fit the needs of larger
organizations.
Firewall features

Firewalls as filters - The primary purpose of a firewall is to filter traffic. Firewalls inspect packets as
they pass through, and based on the criteria that the administrator has defined, the firewall allows
or denies each packet. Firewalls block everything that you haven't specifically allowed. Routers with
filtering capabilities are a simplified example of a firewall. Administrators often configure them to
allow all outbound connections from the internal network, but to block all incoming traffic. You use
packet filters to instruct a firewall to drop traffic that meets certain criteria. For example, you could
create a filter that would drop all ping requests. By default, Microsoft ISA (Internet Security and
Acceleration) Server doesn't respond to ping queries on its external interface. You would need to
create a packet filter on the ISA Server computer for it to respond to a ping request.
The following are the main TCP/IP attributes used in implementing filtering rules:

- Source IP addresses
- Destination IP addresses
- IP protocol
- Source TCP and UDP ports
- Destination TCP and UDP ports
- The interface where the packet arrives
- The interface where the packet is destined
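As an added example, not taken from the original report or from any firewall product, the following Python code implements a stateless packet filter over exactly the attributes listed above, with the default-deny behaviour described in the text: each packet is checked against an ordered rule list and the first matching rule decides. The rule set and the sample packets are constructed for illustration; the addresses are drawn from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 and from the private range 192.168.1.0/24, and the interface names "ext", "int" and "dmz" are assumed.

```python
"""Stateless packet filter over the TCP/IP attributes used in filtering rules (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str                 # "tcp", "udp" or "icmp"
    src_port: Optional[int]       # None for ICMP
    dst_port: Optional[int]
    in_iface: str                 # interface where the packet arrives
    out_iface: str                # interface where the packet is destined


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: str = "0.0.0.0/0"        # default wildcards: any source / any destination
    dst: str = "0.0.0.0/0"
    protocol: Optional[str] = None
    dst_ports: Optional[range] = None
    in_iface: Optional[str] = None
    out_iface: Optional[str] = None
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        """Every field the rule specifies must match; fields left at None are wildcards."""
        if ip_address(pkt.src_ip) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst_ip) not in ip_network(self.dst):
            return False
        if self.protocol and pkt.protocol != self.protocol:
            return False
        if self.dst_ports is not None and (pkt.dst_port is None or pkt.dst_port not in self.dst_ports):
            return False
        if self.in_iface and pkt.in_iface != self.in_iface:
            return False
        if self.out_iface and pkt.out_iface != self.out_iface:
            return False
        return True


def filter_packet(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins; anything not explicitly allowed falls to the default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed rule set for a merchant perimeter: the shop's web server sits at 203.0.113.10
# and is reached through interface "ext"; the office LAN 192.168.1.0/24 sits behind "int".
MERCHANT_RULES = [
    Rule("deny", protocol="icmp", comment="drop all ping requests, as in the text"),
    Rule("allow", dst="203.0.113.10/32", protocol="tcp", dst_ports=range(443, 444),
         in_iface="ext", comment="customers reach the shop over HTTPS only"),
    Rule("allow", src="192.168.1.0/24", in_iface="int", out_iface="ext",
         comment="internal hosts may open outbound connections"),
]

# Constructed sample traffic (not captured data).
SAMPLE_PACKETS = {
    "customer_https": Packet("198.51.100.7", "203.0.113.10", "tcp", 51000, 443, "ext", "dmz"),
    "customer_ssh": Packet("198.51.100.7", "203.0.113.10", "tcp", 51001, 22, "ext", "dmz"),
    "office_outbound": Packet("192.168.1.20", "198.51.100.7", "tcp", 40000, 80, "int", "ext"),
    "inbound_ping": Packet("198.51.100.7", "203.0.113.10", "icmp", None, None, "ext", "dmz"),
    # A LAN source address arriving on the external interface cannot be genuine, so the
    # arrival-interface attribute lets the third rule reject it.
    "lan_address_on_ext": Packet("192.168.1.20", "198.51.100.7", "tcp", 40000, 80, "ext", "ext"),
}


def decisions(rules=MERCHANT_RULES, packets=SAMPLE_PACKETS) -> dict:
    """Verdict for every sample packet under the given rule set."""
    return {name: filter_packet(rules, pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, verdict in decisions().items():
        print(f"{name:20s} -> {verdict}")
```

The last sample packet shows why the arrival interface is one of the filtering attributes: a packet carrying an internal source address that arrives on the external interface is dropped even though its address alone would have matched the outbound rule.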

Firewalls as gateway - Internet firewalls are often referred to as secure Internet gateways. Like the
walled city, they control access to and from the network. A firewall may consist of little more than a
filtering router as the controlled gateway. Traffic goes to the gateway instead of directly entering the
connected network. The gateway machine then passes the data, in accordance with the access-control
policy, through a filter, to the other network or to another gateway machine connected to the other
network. Firewalls acting as a gateway can understand the traffic flowing through them and allow or deny
traffic based on its content. Host-based firewalls can be designed to block objectionable Web content
based on keywords contained in the Web page. You can also use this capability to inspect packets bound
for an internal Web server to ensure the request isn't really an attack.

Firewall as proxy server - In a computer network, a proxy server is a server (a computer system or an
application) that acts as an intermediary for requests from clients seeking resources from other
servers. A client connects to the proxy server, requesting some service, such as a file, connection,
web page, or other resource available from a different server. The proxy server evaluates the
request as a way to simplify and control its complexity.
How a firewall protects your PC
At their most basic, firewalls work like a filter between your computer/network and the Internet.
You can program what you want to get out and what you want to get in. Everything else is not
allowed. There are several different methods firewalls use to filter out information, and some are
used in combination. Firewalls can be used in a number of ways to add security to your home or
business. Large corporations often have very complex firewalls in place to protect their extensive
networks.

- On the outbound side, firewalls can be configured to prevent employees from sending
certain types of emails or transmitting sensitive data outside of the network.
- On the inbound side, firewalls can be programmed to prevent access to certain websites
(like social networking sites).
- Additionally, firewalls can prevent outside computers from accessing computers inside the network.

For home use, firewalls work much more simply. The main goal of a personal firewall is to protect
your personal computer and private network from malicious mischief. Malware, malicious software,
is the primary threat to your home computer. Viruses are often the first type of malware that comes
to mind. A virus can be transmitted to your computer through email or over the Internet and can
quickly cause a lot of damage to your files. Other malware includes Trojan horse programs and
spyware. These programs are usually designed to acquire your personal information for the
purposes of identity theft of some kind. A firewall can prevent this from happening. It can
allow all traffic to pass through except data that meets a predetermined set of criteria, or it can
prohibit all traffic unless it meets a predetermined set of criteria.

9.2. Digital Certificates

A digital certificate is the electronic version of an ID card that establishes a person's credentials and
authenticates a connection when performing e-commerce transactions over the internet, using the
web.
Digital certificates are digital files that certify the identity of an individual or institution seeking
access to computer-based information. The main purpose of the digital certificate is to ensure that
the public key contained in the certificate belongs to the entity to which the certificate was issued. It
thereby provides the certification an institution needs to access the computer network. Encryption
techniques using public and private keys require a public-key infrastructure (PKI) to support the
distribution and identification of public keys. Digital certificates package public keys, information
about the algorithms used, owner or subject data, the digital signature of a Certificate Authority
that has verified the subject data, and a date range during which the certificate can be considered
valid. Certificates are signed by the Certificate Authority (CA) that issues them. In essence, a CA is a
commonly trusted third party that is relied upon to verify the matching of public keys to identity, e-
mail name, or other such information.

A Digital Certificate typically contains the:

- Owner's public key
- Owner's name
- Expiration date of the public key
- Name of the issuer (the CA that issued the Digital Certificate)
- Serial number of the Digital Certificate
- Digital signature of the issuer

The most widely accepted format for Digital Certificates is defined by the CCITT X.509 international
standard; thus certificates can be read or written by any application complying with X.509. Further
refinements are found in the PKCS standards and the PEM standard.

How a Digital Certificate Is Issued

- Key Generation: The individual requesting certification (the applicant, not the CA) generates
key pairs of public and private keys.
- Matching of Policy Information: The applicant packages the additional information necessary
for the CA to issue the certificate (such as proof of identity, tax ID number, e-mail address,
and so on). The precise definition of this information is up to the CA.
- Sending of Public Keys and Information: The applicant sends the public keys and information
(often encrypted using the CA's public key) to the CA.
- Verification of Information: The CA applies whatever policy rules it requires in order to verify
that the applicant should receive a certificate.
- Certificate Creation: The CA creates a digital document with the appropriate information
(public keys, expiration date, and other data) and signs it using the CA's private key.
- Sending of Certificate: The CA may send the certificate to the applicant, or post it publicly as
appropriate.
- The certificate is loaded onto an individual's computer.

A digitally verified website can be checked using the following sign.

9.3. Encryption

Encryption is the process by which data are temporarily re-arranged into an unreadable or unintelligible
form for confidentiality, transmission, or other security purposes. Although authentication and
authorization are usually tightly integrated, encryption functions in its own sphere. It serves to
complement authentication/authorization by protecting data between authorized entities, and it can
work independently to protect resources in case authentication/authorization fails to protect those
resources from unauthorized users. What we commonly refer to in IT as "encryption" is actually a
two-step process of encryption and decryption. Of course, encryption is the process of packaging
sensitive data and decryption is the process of un-packaging it. Encryption converts data into coded
cipher text and then bundles it with an encryption key that is produced by an algorithm. Once the
data reaches its destination, it can be decrypted using the proper decryption key. The strength of the
encryption key determines how difficult it is for a criminal to break the encryption process without
the decryption key. The stronger the encryption algorithm is, the more difficult it is to hack.
Currently, 128-bit encryption is the de facto minimum standard for strong encryption.
However, stronger versions, including 156-bit and 192-bit encryption, are beginning to make inroads
in ultra-secure environments. Three common examples of how encryption is utilized are VPN (virtual
private network) for remote access, SSL for secure Web transactions, and EFS (Windows 2000's
encrypting file system) for locking down files and folders.

- With VPN, remote users are authenticated and authorized to access remote systems, and
then a secure "tunnel" is created by encapsulating and encrypting packets between the
source and destination systems.
- With SSL, confidential user data such as names, addresses, social security numbers, and
credit cards are encrypted during data transfer between a user and a Web site to ensure
secure communications.
- When locking down files, as is the case in Windows 2000 with EFS, files and folders are
stored in an encrypted form and can only be opened by valid users who have access to the
decryption key. Special recovery agents can be created by the user who encrypts the file,
which is especially valuable for securing highly confidential files even if a hard disk is stolen
by a criminal.

9.4. Public key infrastructure

Public key infrastructure (PKI) is the use and management of cryptographic keys (a public key and a
private key) for the secure transmission and authentication of data across public networks.
In public key cryptography there are two different keys, one used to encipher data and the other
used to decipher it. While one of these keys is kept private, the other is made public, and the system
is designed so that knowledge of the public key does not allow the private key value to be
determined. Normally it is assumed that the private key is controlled by just one person, who will be
referred to here as the keyholder.
Public key cryptography can be used to achieve either confidentiality or digital signature.
Confidentiality is provided when the deciphering key is kept private and the enciphering key is made
public, so that anyone with the public key can encipher a message that only the keyholder can
decipher. A digital signature is provided when the enciphering key is kept private and the
deciphering key is made public, so that anyone with the public key can decipher a message that only
the keyholder could have enciphered. With a correctly verified digital signature, we know that the
signed object has not been modified since the signature was made and that this was done with a
specific private key.
In public key encryption, two different keys are used to encrypt and decrypt information.
The private key is a key that is known only to its owner, while the public key can be made
known and available to other entities on the network.
The two keys are different but complementary in function. For example, a user's public key
can be published within a certificate in a folder so that it is accessible to other people in the
organization. The sender of a message can retrieve the user's certificate from Active
Directory Domain Services, obtain the public key from the certificate, and then encrypt the
message by using the recipient's public key. Information that is encrypted with the public
key can be decrypted only by using the corresponding private key of the set, which remains
with its owner, the recipient of the message.
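The two uses of a key pair described here (confidentiality when the public key enciphers, a digital signature when the private key enciphers), together with the certificate issuance and verification steps of section 9.2, are worked through below in Python. This is an added educational example written for this report, not code from the original text or from any certificate authority: it uses textbook RSA with fixed Mersenne primes so that the run is repeatable, a SHA-256 digest reduced modulo the tiny modulus, and a JSON "to-be-signed" structure standing in for X.509. Real deployments use random secret primes of at least 1024 bits, padding schemes and the X.509 format; the names "Toy CA" and "shop.example", the serial number and the validity dates are constructed. It requires Python 3.8 or newer for the modular inverse via pow(e, -1, phi).

```python
"""Textbook RSA plus a toy certificate: confidentiality, signature and CA binding (added example).
Toy parameters only; not secure."""
import hashlib
import json
from dataclasses import dataclass

E = 65537  # conventional public exponent

# Fixed Mersenne primes so the run is repeatable (constructed toy parameters; a real key
# pair uses two random secret primes of 1024+ bits each). The two key pairs share no prime.
CA_PRIMES = (2**61 - 1, 2**89 - 1)
SERVER_PRIMES = (2**31 - 1, 2**107 - 1)


@dataclass(frozen=True)
class PublicKey:
    n: int
    e: int


@dataclass(frozen=True)
class PrivateKey:
    n: int
    d: int


def generate_keypair(p: int, q: int, e: int = E):
    """Keyholder computes n = p*q and d = e^-1 mod (p-1)(q-1); p, q and d stay private."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return PublicKey(n, e), PrivateKey(n, d)


def encrypt(pub: PublicKey, plaintext: bytes) -> int:
    """Confidentiality: anyone holding the public key can encipher for the keyholder."""
    m = int.from_bytes(plaintext, "big")
    if m >= pub.n:
        raise ValueError("message too large for this modulus")
    return pow(m, pub.e, pub.n)


def decrypt(priv: PrivateKey, ciphertext: int, length: int) -> bytes:
    """Only the holder of d recovers the plaintext (length restores leading zero bytes)."""
    return pow(ciphertext, priv.d, priv.n).to_bytes(length, "big")


def _digest(message: bytes, n: int) -> int:
    # Sign a hash of the message; reduced mod n only because the toy modulus is so small.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(priv: PrivateKey, message: bytes) -> int:
    """Digital signature: enciphering with the private key, which only the keyholder can do."""
    return pow(_digest(message, priv.n), priv.d, priv.n)


def verify(pub: PublicKey, message: bytes, signature: int) -> bool:
    """Anyone with the public key deciphers the signature and compares it with the message hash."""
    return pow(signature, pub.e, pub.n) == _digest(message, pub.n)


def _tbs(body: dict) -> bytes:
    # Canonical "to-be-signed" encoding so issuer and verifier hash identical bytes.
    return json.dumps(body, sort_keys=True).encode()


def issue_certificate(ca_priv, subject, subject_pub, not_before, not_after, serial) -> dict:
    """CA step: package subject, public key, validity and serial; sign with the CA private key."""
    body = {"serial": serial, "subject": subject, "issuer": "Toy CA",
            "public_key": {"n": subject_pub.n, "e": subject_pub.e},
            "not_before": not_before, "not_after": not_after}
    return {"tbs": body, "signature": sign(ca_priv, _tbs(body))}


def verify_certificate(cert: dict, ca_pub: PublicKey, today: str) -> bool:
    """Browser step: check the CA signature, then the validity window (ISO date strings)."""
    body = cert["tbs"]
    if not verify(ca_pub, _tbs(body), cert["signature"]):
        return False
    return body["not_before"] <= today <= body["not_after"]


def demo() -> dict:
    ca_pub, ca_priv = generate_keypair(*CA_PRIMES)
    srv_pub, srv_priv = generate_keypair(*SERVER_PRIMES)   # generated by the applicant, not the CA
    cert = issue_certificate(ca_priv, "shop.example", srv_pub, "2012-01-01", "2013-01-01", 1001)
    # Altering any signed field (here the subject) invalidates the CA signature.
    forged = {"tbs": {**cert["tbs"], "subject": "evil.example"}, "signature": cert["signature"]}
    session_key = bytes(range(16))                          # constructed 128-bit secret
    order, altered = b"order 42: 2 seats DEL-BOM", b"order 42: 3 seats DEL-BOM"
    sig = sign(srv_priv, order)
    return {
        "cert_ok": verify_certificate(cert, ca_pub, "2012-06-15"),
        "cert_expired": verify_certificate(cert, ca_pub, "2013-06-15"),
        "forged_cert_ok": verify_certificate(forged, ca_pub, "2012-06-15"),
        "recovered_key": decrypt(srv_priv, encrypt(srv_pub, session_key), 16),
        "signature_ok": verify(srv_pub, order, sig),
        "tampered_ok": verify(srv_pub, altered, sig),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The demo shows both directions of the same server key pair: a session key enciphered with the server's public key comes back intact only through its private key, and an order signed with the private key verifies under the public key but fails once a single character of the order is changed. The certificate check fails both for a forged subject and for a date outside the validity range.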

9.5. Authentication and Authorization

Authentication is the process of verifying that someone (or something) is who they claim to be. The
someone or something is known as a principal. Authentication requires evidence, known
as credentials. For example, a client application could present a password as its credentials. If the
client application presents the correct credentials, it is assumed to be who it claims to be. Of course,
if your credentials are stolen, all bets are off: the authentication process can't tell that an imposter
is presenting your credentials. Some credentials, like thumbprints, are hard to steal; others, like
passwords, are easier to steal. So an important consideration in designing a secure Web Service is
deciding what kind of credentials to accept. Methods through which authentication can be achieved:

Usernames and passwords authentication

Passwords and their safekeeping are a fundamental element in authenticating you against network
security. Usernames and passwords are the most common way for users to identify themselves.
Unfortunately, as we all know, this is not a foolproof approach to verifying identity. Hackers can often
find ways to guess passwords or use various attack methods to crack passwords. As a result, IT
departments employ various means to strengthen authentication mechanisms, and these are:

- Guidance on how to select passwords that are secure and easy to remember.
- Guidance on how to set up good passwords as per the password policy.
- Using the operating system to enforce the password character requirements
(such as six letters and two numbers).
- Requiring passwords to be changed frequently.

Biometrics authentication
Usernames and passwords are software mechanisms for authentication. The next step in
authentication technology is the integration of hardware mechanisms, which are not as easy to
crack. Biometrics is one developing hardware authentication technology. Biometric technology can
identify individuals based on the physical characteristics of parts of the human body. The primary
biometric technologies in use are retina scanning, facial recognition, voice recognition and fingerprint
scanning. An additional security measure comes in the form of smart cards, where users have smart card
readers at their workstations and swipe their card and enter their PIN, rather than providing a
username and password. This type of information is very difficult to duplicate and creates a very good
defence against unauthorized access.

Some other tools used for secure authentication are:

- Login ID and password - check the validity of the user if registered; otherwise the user must
register before access.
- Transaction password - a special password generated before any transaction and sent to your
registered mobile number.
- Security questions - questions preset by the user during registration and asked of the user
to check that it is the right person.
- Pre-set image - an image set by the user during registration, used to check whether the
website is genuine or fake.
- Instant alert - a way to inform the user instantly, via SMS or e-mail, about the details of
transactions that happen in his account.
- Alpha-numeric code - a code used to check that it is really a human who is accessing the
website and not a program written by an attacker.

Authorization - Once a principal's identity is authenticated, authorization decisions can be made.
Access is determined by checking information about the principal against some access control
information, such as an Access Control List (ACL). It's possible for clients to have different degrees of
access. For example, some clients may have full access to your Web Service; others may only be
allowed to access certain operations. Some clients may be allowed full access to all data, others may
only be allowed to access a subset of the data, and others may have read-only access. This process
of authorization takes the form of user permissions in operating systems, devices and applications. In
general, authorization and the technologies used to implement it are tightly bound to authentication,
since a user must be identified before being authorized to have access to certain resources.

9.6. Non-repudiation
Non-repudiation is the assurance that someone cannot deny something. Typically, non-repudiation
refers to the ability to ensure that a party to a contract or a communication cannot deny the
authenticity of their signature on a document or the sending of a message that they originated. E-
commerce uses technology such as digital signatures, Digital certificates and public key encryption to
establish authenticity and non-repudiation.
Traditionally non-repudiation has been achieved by having parties sign contracts and then
have the contracts notarized by trusted third parties. Sending documents involved the use of
registered mail, and postmarks and signatures to date-stamp and record the process of
transmission and acceptance.
Digital signatures which have been issued by a trusted authority (such as VeriSign) cannot
be forged and their validity can be checked with any major email or web browser software.
A digital signature is only installed in the personal computer of its owner, who is usually
required to provide a password to make use of the digital signature to encrypt or digitally
sign their communications.
On the Internet, a digital signature is used not only to ensure that a message or document
has been electronically signed by the person that purported to sign the document, but also,
since a digital signature can only be created by one person, to ensure that a person cannot
later deny that they furnished the signature.
Since no security technology is absolutely fool-proof, some experts warn that a digital
signature alone may not always guarantee non-repudiation. It is suggested that multiple
approaches be used, such as capturing unique biometric information and other data about
the sender or signer that collectively would be difficult to repudiate.
Email non-repudiation involves methods such as email tracking that is designed to ensure
that the sender cannot deny having sent a message and/or that the recipient cannot deny
having received it.

9.7. Transport Layer Security / Secure Socket Layer protocols

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic
protocols that provide communication security over the Internet. SSL/TLS creates a secure
connection between a client and a server, over which any amount of data can be sent securely.
Secure Socket Layer is a protocol developed by Netscape for transmitting private documents via
the Internet. SSL uses a cryptographic system that uses two keys to encrypt data: a public key known
to everyone and a private or secret key known only to the recipient of the message. By
convention, URLs that require an SSL connection start with https: instead of http:.

Once the client and server have decided to use TLS/SSL, then the steps followed by both parties to
ensure secure communication are:

1. The client sends the server the client's SSL version number, cipher settings, session-specific
data, and other information that the server needs to communicate with the client using SSL.
2. The server sends the client the server's SSL version number, cipher settings, session-specific
data, and other information that the client needs to communicate with the server over SSL.
The server also sends its own certificate, and if the client is requesting a server resource
that requires client authentication, the server requests the client's certificate.
3. The client uses the information sent by the server to authenticate the server (see Server
Authentication for details). If the server cannot be authenticated, the user is warned of the
problem and informed that an encrypted and authenticated connection cannot be
established. If the server can be successfully authenticated, the client proceeds to step 4.
4. Using all data generated in the handshake thus far, the client (with the cooperation of the
server, depending on the cipher being used) creates the pre-master secret for the session,
encrypts it with the server's public key (obtained from the server's certificate, sent in step
2), and then sends the encrypted pre-master secret to the server.
5. If the server has requested client authentication, the client also signs another piece of data
that is unique to this handshake, and sends the signed data and the client's own certificate to
the server along with the encrypted pre-master secret. If the client cannot be authenticated,
the session ends.
6. If the client can be successfully authenticated, the server uses its private key to decrypt the
pre-master secret, and then performs a series of steps (which the client also performs,
starting from the same pre-master secret) to generate the master secret.
7. Both the client and the server use the master secret to generate the session keys, which are
symmetric keys used to encrypt and decrypt information exchanged during the SSL session
and to verify its integrity.
8. The client sends a message to the server informing it that future messages from the client
will be encrypted with the session key. It then sends a separate (encrypted) message
indicating that the client portion of the handshake is finished.
9. The server sends a message to the client informing it that future messages from the server
will be encrypted with the session key. It then sends a separate (encrypted) message
indicating that the server portion of the handshake is finished.

9.8. Proxy servers

During an HTTP connection, the IP address of the client machine is necessarily transmitted in order to
get the information back. This allows a server to identify the source of the web request. Any
resource you access can gather personal information about you through your unique IP address,
your ID on the Internet. They can monitor your reading interests, spy upon you and log your requests
for third parties. An anonymous proxy server acts as a middleman between your browser and an end
server. Instead of contacting the end server directly to get a web page, the browser contacts the
proxy server, which forwards the request on to the end server. When the end server replies, the
proxy server sends the reply to the browser. No direct communication occurs between the client and
the destination server, therefore it appears as if the HTTP request originated from the intermediate
server. The only way to trace the connection to the originating client would be to access the logs on
the proxy server (if it keeps any).

Types of proxy servers

- Tunneling proxy - A proxy server that passes requests and responses unmodified is usually
called a tunneling proxy.
- Forward proxy - A forward proxy takes requests from an internal network and forwards
them to the Internet. Forward proxies are able to retrieve from a wide range of sources (in
most cases anywhere on the Internet).
- Open proxy - An open proxy is a forwarding proxy server that is accessible by any Internet
user. An anonymous open proxy allows users to conceal their IP address while browsing the
Web or using other Internet services.
- Reverse proxy - A reverse proxy takes requests from the Internet and forwards them to
servers in an internal network. Those making requests connect to the proxy and may not be
aware of the internal network. A reverse proxy is a proxy server that appears to clients to be
an ordinary server. Requests are forwarded to one or more origin servers which handle the
request. The response is returned as if it came directly from the web server. Reverse proxies
are installed in the neighbourhood of one or more web servers. All traffic coming from the
Internet with a destination of one of the neighbourhood's web servers goes through the
proxy server.

A proxy server has a variety of potential purposes, including:

- To keep machines behind it anonymous, mainly for security.
- To speed up access to resources (using caching). Web proxies are commonly used to cache web
pages from a web server.
- To apply access policy to network services or content, e.g. to block undesired sites.
- To access sites prohibited or filtered by your ISP or institution.
- To log / audit usage, i.e. to provide company employee Internet usage reporting.
- To bypass security / parental controls.
- To circumvent Internet filtering to access content otherwise blocked by governments.
- To scan transmitted malware content before delivery.
- To scan outbound content, e.g., for data loss prevention.
- To allow a web site to make web requests to externally hosted resources (e.g. images, music
files, etc.) when cross-domain restrictions prohibit the web site from linking directly to the
outside domains.

9.9. Web server

A web server is a combination of both hardware and software, because to build a web
server we need a computer (hardware) and some sort of software (a software application) which
enables the world to access content.
A web server is the combination of a computer and the program installed on it. The web server
interacts with the client through a web browser. It delivers the web pages to the client through the
web browser and the HTTP protocol respectively. We can also define the web server as a
package of a large number of programs installed on a computer connected to the Internet or an intranet
for downloading the requested files using File Transfer Protocol, serving e-mail and building and
publishing web pages. A web server works on a client-server model. A computer connected to the
Internet or intranet must have a server program.

A computer connected to the Internet for providing the services to a small company or a
departmental store may contain the HTTP server (to access and store the web pages and files),
SMTP server (to support mail services), FTP server (for file downloading) and NNTP server (for
newsgroups). The computer containing all the above servers is called the web server. Internet
service providers and large companies may have all the servers like HTTP server, SMTP server, FTP
server and many more on separate machines.

How a web-server works

First, it's important to note that this is a two-sided story. Web servers are responsible for storing and
exchanging information with other machines. Because of this, at least two participants are required
for each exchange of information: a client, which requests the information, and a server, which
stores it. In the case of the client, a browser like Netscape or Internet Explorer is used. On the server
side, however, things are not as simple. There are countless software options available, but they all
have a similar task: to negotiate data transfers between clients and servers via Hypertext Transfer
Protocol, the communications protocol of the Web.

A simple exchange between client and server machines goes like this:

- The client's browser dissects the URL into a number of separate parts, including address,
path name and protocol.
- A Domain Name Server (DNS) translates the domain name the user has entered into its IP
address, a numeric combination that represents the site's true address on the Internet (a
domain name is merely a "front" to make site addresses easier to remember).
- The browser now determines which protocol (the language client machines use to
communicate with servers) should be used. Examples of protocols include FTP, or File
Transfer Protocol, and HTTP, Hypertext Transfer Protocol.
- The server now responds to the browser's requests. It verifies that the given address exists,
finds the necessary files, runs the appropriate scripts, and returns the results back to the
browser. If it cannot locate the file, the server sends an error message to the client.
- The browser translates the data it has been given into HTML and displays the results to the
user.
- This process is repeated until the client browser leaves the site.

Hence, these servers become an integral part of e-commerce and act as the backbone of an e-commerce
setup. So, apart from the security measures used, many web servers have a parallel server connected to
them. This is done so that even if one server fails, the other server handles all the traffic of the crashed
server.

[Figure: a Primary server and a Secondary server connected in parallel to each other]

Here, in the above figure we can see that there are two similar servers attached to each other.
So even if one of the servers fails, the other server can handle all the traffic without interrupting e-
commerce transactions.

9.10. Antivirus and Anti-spam


Antivirus is generally a software program that continuously monitors database files and the services and computer programs stored on the server for any suspicious behaviour, and takes the necessary steps to eliminate infection by viruses and malicious software. Anti-virus software typically uses two different techniques to accomplish this:

- Examining files to look for known viruses by means of a virus dictionary.
- Identifying suspicious behaviour from any computer program which might indicate infection.

In the virus dictionary approach, the antivirus continuously monitors files on servers and computer programs and compares them with a list of predefined viruses and malicious code. This list of predefined viruses is made available by the author of the antivirus. While scanning, if a file on the server matches a virus on the list, the antivirus can either remove it or block that file so that the virus does not affect other files or computer programs. The antivirus may even make an attempt to repair the file by removing the virus from it. However, for continuous safety, the list of viruses must be updated regularly as new viruses appear. The antivirus can also be scheduled to scan all files on a regular basis.

In the suspicious behaviour approach, the antivirus does not try to match the scanned file to a list; rather, it monitors the behaviour of all programs. For example, if a program tries to write data to an executable program, this is treated as suspicious behaviour and the user is alerted and asked what to do. The suspicious behaviour approach therefore provides protection against new viruses that do not exist in any virus dictionary. However, it also raises a large number of false positives, and users may become desensitized to all the warnings. If the user clicks "Accept" on every such warning, then the anti-virus software is obviously useless to that user.

Anti-spam - Email spam, also known as junk email, is an identical message sent to numerous recipients by email. Clicking on links in spam email may send users to phishing web sites or sites that are hosting malware. Spam email may also include malware as scripts or other executable file attachments. Definitions of spam usually include the aspects that the email is unsolicited and sent in bulk. To prevent email spam, both end users and administrators of email systems use various anti-spam techniques. Some of these techniques have been embedded in products, services and software to ease the burden on users and administrators. No one technique is a complete solution to the spam problem, and each has trade-offs between incorrectly rejecting legitimate email and not rejecting all spam, and the associated costs in time and effort. Various anti-spam techniques have been created and implemented since spam started infiltrating people's inboxes.

9.11. Spam Filters

Spam filters work using a combination of techniques to filter through the messages and separate the genuine messages from the junk mail. These techniques rely on the following measures:

Word lists - Lists of words that are known to be associated with spam and are commonly found in unsolicited mail messages.

Blacklists and white-lists - These lists contain known IP addresses of spam senders (blacklists) and of non-spam senders (e.g. friends and family). Addresses that form part of your contact list are automatically registered on the white-list, and any emails originating from these email addresses will be sent directly to your inbox.

Trend analysis - By analyzing the history of email sent from an individual, trends can help assess the likelihood of an email being genuine or spam. This can be an effective technique to help reduce false positives and improve spam detection rates.

Learning or content filters - Learning filters, such as Bayesian filtering, examine the content of each email sent to and from an email address; by learning the word frequencies and patterns associated with both spam and non-spam messages, the filter is able to recognize which messages are valid and should therefore be directed to the inbox, and which are spam and should be sent to Junk.

These techniques all work together to make an effective anti-spam system. By using just one method one risks losing out on valid emails.
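As an added example (not from the report), a small Python filter that combines the measures above: a white-list and a blacklist are checked first, then a word list, and finally a naive Bayes learning filter trained on the word frequencies of a constructed corpus. All addresses, IPs, messages and the training corpus are constructed sample data.

```python
"""Added example (not from the report): a spam filter combining word lists,
black/white-lists and Bayesian learning. All data below is constructed."""
import math
import re
from collections import Counter

WORD_LIST = {"viagra", "lottery", "winner", "unsubscribe"}  # words associated with spam
BLACKLIST = {"198.51.100.7"}                 # known spam-sending IP (constructed)
WHITELIST = {"friend@example.org"}           # sender from the user's contact list


def tokens(text: str) -> set:
    """Words present in a message (presence only, not counts)."""
    return set(re.findall(r"[a-z']+", text.lower()))


class BayesFilter:
    """Learns how often each word appears in spam and in non-spam (ham) mail."""

    def __init__(self):
        self.spam_words, self.ham_words = Counter(), Counter()
        self.spam_msgs = self.ham_msgs = 0

    def train(self, text: str, is_spam: bool) -> None:
        words = tokens(text)
        if is_spam:
            self.spam_words.update(words)
            self.spam_msgs += 1
        else:
            self.ham_words.update(words)
            self.ham_msgs += 1

    def spam_probability(self, text: str) -> float:
        """P(spam | words in message), with add-one smoothing, computed in log space
        so that long messages do not underflow."""
        total = self.spam_msgs + self.ham_msgs
        log_spam = math.log(self.spam_msgs / total)
        log_ham = math.log(self.ham_msgs / total)
        for w in tokens(text):
            log_spam += math.log((self.spam_words[w] + 1) / (self.spam_msgs + 2))
            log_ham += math.log((self.ham_words[w] + 1) / (self.ham_msgs + 2))
        return 1 / (1 + math.exp(log_ham - log_spam))


def classify(sender: str, sender_ip: str, text: str, bayes: BayesFilter) -> str:
    """Returns 'inbox' or 'junk'. Lists are checked first, then the word list,
    then the learning filter; no single measure decides everything."""
    if sender in WHITELIST:                    # contact-list addresses go straight in
        return "inbox"
    if sender_ip in BLACKLIST:                 # known spam sender
        return "junk"
    if len(tokens(text) & WORD_LIST) >= 2:     # several spam-associated words
        return "junk"
    return "junk" if bayes.spam_probability(text) > 0.9 else "inbox"


def build_filter() -> BayesFilter:
    """A constructed training corpus: a few messages of each kind."""
    f = BayesFilter()
    for text in ["Congratulations you are a winner, claim your lottery prize now",
                 "Cheap meds, buy now, click here to claim",
                 "You won the lottery, claim prize now",
                 "Click here for a free prize"]:
        f.train(text, True)
    for text in ["Your booking on flight AI 101 is confirmed, see itinerary attached",
                 "Meeting moved to 3pm, see you in the office",
                 "Please find the invoice for your booking attached",
                 "Lunch tomorrow? Let me know"]:
        f.train(text, False)
    return f


if __name__ == "__main__":
    f = build_filter()
    for sender, ip, text in [
        ("x@example.net", "203.0.113.5", "Your flight booking is confirmed, itinerary attached"),
        ("x@example.net", "203.0.113.5", "Claim your free prize now, you are the lottery winner"),
        ("friend@example.org", "203.0.113.5", "Claim your free prize now"),
    ]:
        print(f"{classify(sender, ip, text, f):5s} p={f.spam_probability(text):.3f} {text}")
```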

9.12. IP Security Protocol (IPSec)


Internet Protocol Security (IPSec) is a protocol suite for securing Internet Protocol (IP)
communications by authenticating and encrypting each IP packet of a communication session. IPSec
also includes protocols for establishing mutual authentication between agents at the beginning of
the session and negotiation of cryptographic keys to be used during the session. IPSec is an end-to-
end security scheme operating in the Internet Layer of the Internet Protocol Suite. Some other
Internet security systems in widespread use, such as Secure Sockets Layer (SSL) and Transport Layer
Security (TLS), operate in the upper layers of the TCP/IP model.
IPSec operation - When two computers (peers) use IPSec to communicate, they create two kinds of security associations. In the first, called main mode or phase one, the peers mutually authenticate themselves to each other, thus establishing trust between the computers. In the second, called quick mode or phase two, the peers negotiate the particulars of the security association, including how they will digitally sign and encrypt traffic between them. Packet signing ensures that the data hasn't been tampered with in transit; packet encryption ensures that the data isn't vulnerable to eavesdropping attacks.
A computer can have only one IPSec policy assigned at a time. The policy can have any number of rules, each of which has a filter list and a filter action. Filter lists contain one or more filters that specify the characteristics of the traffic, such as source and destination addresses, source and destination port numbers, and protocol types. Filter actions specify the behaviour of the rule: whether to permit traffic, block traffic, or negotiate the pair of IPSec security associations. Actions that specify negotiating security can have many options, including encryption suites, per-packet authentication methods, how often to generate new keys, how to respond to incoming insecure requests, and whether to communicate with computers that don't support IPSec. Each rule in an IPSec policy combines one filter list with one filter action. Traffic that matches a particular filter list is processed according to the settings in the linked filter action. Rules also indicate the security association's mode (transport or tunnel, explained later) and one of three phase-one authentication methods:
How IPSec is different from SSL

- IPSec is implemented by the operating system and is transparent to the applications using it, while SSL is visible to the user.
- SSL cannot be used to encrypt all types of data communicated between two hosts, while IPSec can be used to secure most types of network communication.
- SSL can only be used to encrypt communication between two hosts, while IPSec can also tunnel communication between them.
- For authentication, IPSec uses public key certificates or a shared secret, while SSL has to use public key certificates.
- With IPSec, both the server and the client need to be authenticated. With SSL, either the server, or the client, or both the server and the client need to be authenticated.
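As an added example (not from the report), the policy structure described above modelled in Python: filter lists, filter actions and rules that link one list to one action, evaluated against sample packets. The policy, addresses and packets are constructed; rules are evaluated first-match in the order given and unmatched traffic is blocked, both assumptions of this model. It only decides what a policy would do with a packet and does not implement key negotiation or packet protection.

```python
"""Added example (not from the report): a model of an IPSec policy made of
rules, each linking one filter list to one filter action. Constructed data."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Filter:
    """One entry of a filter list: the traffic characteristics it describes."""
    src: str                         # CIDR, e.g. "10.0.0.0/8"
    dst: str
    protocol: str                    # "tcp", "udp", "icmp" or "any"
    dst_port: Optional[int] = None   # None matches any port

    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.protocol in ("any", pkt["protocol"])
                and (self.dst_port is None or self.dst_port == pkt.get("dst_port")))


@dataclass(frozen=True)
class FilterAction:
    """Permit, block, or negotiate a pair of security associations."""
    kind: str                          # "permit" | "block" | "negotiate"
    encryption: Optional[str] = None   # encryption suite, e.g. "aes-256"
    integrity: Optional[str] = None    # per-packet authentication, e.g. "sha256"
    rekey_seconds: int = 3600          # how often to generate new keys
    accept_insecure: bool = False      # respond to incoming insecure requests?
    fallback_clear: bool = False       # talk to peers that do not support IPSec?


@dataclass(frozen=True)
class Rule:
    filters: tuple               # one filter list
    action: FilterAction         # one filter action
    mode: str = "transport"      # or "tunnel"
    auth: str = "certificate"    # phase-one authentication method


@dataclass
class Policy:
    """A computer has one policy assigned at a time, with any number of rules."""
    rules: list

    def decide(self, pkt: dict) -> dict:
        """First rule whose filter list matches decides (model assumption);
        traffic matching no rule is blocked (model assumption)."""
        for rule in self.rules:
            if any(f.matches(pkt) for f in rule.filters):
                return {"kind": rule.action.kind, "mode": rule.mode,
                        "auth": rule.auth, "encryption": rule.action.encryption}
        return {"kind": "block", "mode": None, "auth": None, "encryption": None}


def booking_server_policy() -> Policy:
    """Constructed policy for a merchant's booking server at 192.0.2.10."""
    negotiate = FilterAction("negotiate", encryption="aes-256", integrity="sha256",
                             rekey_seconds=1800)
    return Policy(rules=[
        # Traffic from the server to the internal database must be protected.
        Rule(filters=(Filter("192.0.2.10/32", "10.0.5.0/24", "tcp", 1433),),
             action=negotiate, mode="transport", auth="certificate"),
        # Remote administration from the admin network is tunnelled.
        Rule(filters=(Filter("10.0.9.0/24", "192.0.2.10/32", "tcp", 3389),),
             action=negotiate, mode="tunnel", auth="preshared-key"),
        # Public HTTPS to the booking site is permitted at the IP layer (TLS protects it).
        Rule(filters=(Filter("0.0.0.0/0", "192.0.2.10/32", "tcp", 443),),
             action=FilterAction("permit")),
        # Nothing else from the Internet is allowed in.
        Rule(filters=(Filter("0.0.0.0/0", "192.0.2.10/32", "any"),),
             action=FilterAction("block")),
    ])


if __name__ == "__main__":
    policy = booking_server_policy()
    for pkt in [{"src": "192.0.2.10", "dst": "10.0.5.20", "protocol": "tcp", "dst_port": 1433},
                {"src": "203.0.113.9", "dst": "192.0.2.10", "protocol": "tcp", "dst_port": 443},
                {"src": "203.0.113.9", "dst": "192.0.2.10", "protocol": "tcp", "dst_port": 23}]:
        print(pkt["dst_port"], policy.decide(pkt))
```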

10. Technologies implemented on the customer's side to ensure security

10.1. Personal Computer

A personal computer is a must for doing an online transaction. The best scenario is said to be the one where a consumer buys a product online using his own personal computer. PCs are private devices, and therefore personal details such as passwords, credit card numbers etc. cannot be leaked to anyone else. There are two main areas of risk when using a public terminal. First, someone may be using a session logger to record the flow of data between the PC you are using and the websites you visit. Second, there may be a key-logger fitted to the PC that allows someone to capture your keystrokes, and sometimes your mouse clicks and screen session as well. So it is advised to avoid the use of public terminals (computers) during any e-commerce deal.
Some computer security tips:

- Use licensed software on your computer - Unlicensed software procured from untrustworthy sources could contain malicious programs such as viruses or trojans that may damage your computer by corrupting your files, or may reveal your confidential data, such as the passwords of your various accounts, credit/debit card numbers, etc., to the owner of that software without your knowledge.
- Do not allow unauthorised access to your computer - Unauthorised access to your computer could lead to compromise of the confidential data stored on it.
- Update your computer with the latest security patches - Install the latest security patches for your operating system and other components like the browser, email client, etc. as released by your operating system vendor. Apply security patches periodically to protect your computer from intrusions.

10.2. Virtual Keyboards


A virtual keyboard is a software component that allows a user to enter characters. A virtual keyboard can usually be operated with multiple input devices, which may include a touch screen, an actual keyboard and a computer mouse. It is mostly useful on the Net-Banking login screen. The user is required to click on the key buttons on the screen to input the Net-Banking login password, instead of using the physical keyboard attached to the PC.

[Figure: a virtual keyboard]

Why we use a virtual keyboard

To capture our personal details, a hacker can place a hardware circuit between the keyboard and the computer for key-logging. All the keystrokes can be captured and stored for later use. There are also Trojans available that can note and store the keystrokes and send them to the hacker trying to steal the password. Once activated, they can note passwords entered online and generally work in the background without the user coming to know about them. This creates a problem, as our password can be taken and thus the security broken.
Thus, by using virtual keyboards we can eliminate the use of the traditional keyboard for entering sensitive information such as passwords, credit card numbers etc. The virtual keyboard reduces risks, makes the e-Banking login secure and supports a secure online banking experience. It ensures the user's account information (user id & password) is protected from hackers. However, virtual keyboards may present the disadvantage that some Trojans can take screenshots of the keys pressed on the virtual keyboard. So, anti-screenshot virtual keyboards can be used, where the pattern of keys changes every time we press a keyboard key.

How a virtual keyboard works

As soon as you come onto the e-Banking login page, you can enter your User ID by using the physical keyboard. On moving to the login password field, you will be asked to use the virtual keyboard to enter it. You can enter the login password by clicking on the corresponding images on the screen. Alphabets, numbers and special characters are grouped separately for ease of identification/selection. If you need to erase a character entered, just click on the "Erase" button to remove the last character clicked. If you need to clear all characters entered, just click on the "Clear" button to remove all the characters clicked.
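As an added example (not from the report), a Python simulation of the anti-screenshot virtual keyboard described above: the server shuffles the layout, the client reports only the position clicked, the server maps the position back to a character, and the layout is reshuffled after every click, so a log of clicked positions is useless against a fresh layout. The character set, the sample password and the Erase/Clear handling are constructed for this example.

```python
"""Added example (not from the report): a virtual keyboard whose key pattern
changes after every press. Character set and sample password are constructed."""
import random
import secrets

CHARSET = list("abcdefghijklmnopqrstuvwxyz0123456789!@#$%")


class VirtualKeyboard:
    """Server-side state for one login attempt."""

    def __init__(self, rng=None):
        # A cryptographically secure generator is used unless a seeded
        # random.Random is passed in for reproducible runs.
        self.rng = rng or secrets.SystemRandom()
        self.typed = []
        self.layout = []
        self.shuffle()

    def shuffle(self) -> list:
        """New random key arrangement; this is what the user sees on screen."""
        self.layout = CHARSET[:]
        self.rng.shuffle(self.layout)
        return self.layout

    def click(self, position: int) -> None:
        """The client reports only a position; the character stays on the server."""
        if not 0 <= position < len(self.layout):
            raise ValueError("click outside keyboard")
        self.typed.append(self.layout[position])
        self.shuffle()   # the pattern of keys changes after every key press

    def erase(self) -> None:
        """'Erase' button: remove the last character clicked."""
        if self.typed:
            self.typed.pop()

    def clear(self) -> None:
        """'Clear' button: remove all characters clicked."""
        self.typed.clear()

    def value(self) -> str:
        return "".join(self.typed)


def type_password(kb: VirtualKeyboard, password: str) -> list:
    """What a genuine user does: find each character on the current layout and
    click it. Returns the positions clicked, which is all a click recorder sees."""
    positions = []
    for ch in password:
        pos = kb.layout.index(ch)
        positions.append(pos)
        kb.click(pos)
    return positions


def replay_positions(positions: list, rng=None) -> str:
    """Feeds a recorded position sequence into another keyboard instance. With
    the same seed the layouts repeat and the password comes back; with a fresh
    layout sequence the same positions map to different characters."""
    kb = VirtualKeyboard(rng)
    for pos in positions:
        kb.click(pos)
    return kb.value()


def demo(seed: int = 1) -> dict:
    """Runs one login attempt with a seeded keyboard and reports the results."""
    kb = VirtualKeyboard(random.Random(seed))
    positions = type_password(kb, "s3cr3t!")
    entered = kb.value()
    kb.erase()
    after_erase = kb.value()
    kb.clear()
    return {
        "entered": entered,
        "after_erase": after_erase,
        "after_clear": kb.value(),
        "positions": positions,
        "replay_same_layouts": replay_positions(positions, random.Random(seed)),
        "replay_new_layouts": replay_positions(positions, random.Random(seed + 1)),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key:20s} {val}")
```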
10.3. Password protection

Passwords are used for security purposes so that no other person is able to misuse the user's authority. Passwords are like keys and are unique to a particular user. One cannot use an account without entering its password, so nobody else can log into the user's account. Hence, passwords can be used to verify the user's identity. However, care must be taken with one's password and it must be kept secure. Some do's and don'ts for a user are:

Do's
- Create different passwords for different accounts and applications.
- Change your passwords regularly.
- Keep your password to yourself; do not disclose it.
- Keep your passwords easy to remember, so you don't have to write them down.
- Use a combination of uppercase and lowercase letters, symbols, and numbers.
- Try to make your passwords as meaningless and random as possible.

Don'ts
- Don't answer "yes" when prompted to save your password in a particular computer's browser. Instead, rely on a strong password committed to memory or stored in a dependable password management program.
- Don't use the same password for various accounts and applications.
- Don't use a derivative of your name, the name of a family member, or the name of a pet.
- Don't use names or numbers associated with you, such as a birth date or nickname.
- Don't use a solitary word in any language. Hackers have dictionary-based tools to crack these types of passwords.
- Don't write your password anywhere and don't disclose it.

10.4. Authentication tools

Before any secure connection, the following tools may be required for the user to authenticate himself and for the server to be authenticated:

- Login IDs - These are generally the user name or e-mail address of the user, created by him during registration when he wants to access the facilities. They are unique to a particular user and are used to verify that the user is valid.
- Login password - This is associated with the login ID and is also unique to a particular user. It is also created by the user himself, according to his wish, during registration. The user must not disclose his password.
- Transaction password - These are generally one-time passwords that are required to be entered at the time of a transaction. They are generated at the time of the transaction and sent to the user at his registered e-mail address or phone number via e-mail or SMS. They remain valid only for a short period of time.
- Security questions - These are questions set by the user at the time of registration. The user may choose questions of his own type. The answers to these questions are unique to the user and may be used for security purposes. Security questions are also helpful in case the password is lost or stolen.
- Alpha-numeric code - A special code which is generated on the display and must be filled in. The code consists of a sequence of digits or letters and changes every time you log in. It is used to check that it is really a human who is accessing the web-site, and not a program written by an attacker.
- Pre-set images - These are images selected by the user at the time of registration. They appear when the user logs in, so that the user can verify them and ensure that the website he is dealing with is not fake. The pre-set image is used to authenticate the server.
- SMS/Mail alert - This feature is optional but allows the user to be informed about transactions being carried out through his account, so that he can inform his institution about transactions carried out against his wish. The user is informed via SMS every time a transaction is carried out from his account.

10.5. Cookies

A cookie is a small identifier file placed on a user's computer by a website, which logs information about the user and their previous/current visits for use by the site the next time the user makes contact. Website owners claim that this is beneficial to the user, allowing faster access and personalization of the site for that user.
One of the issues faced by Web site designers is maintaining a secure session with a client over
subsequent requests. Because HTTP is stateless, unless some kind of session token is passed back
and forth on every request, the server has no way to link together requests made by the same
person. Cookies are a popular mechanism for this. An identifier for the user or session is stored in a
cookie and read on every request. This simplifies Web page development because you do not have
to be concerned about passing this information back to the server. The primary use of cookies is to
store authentication and session information, your information, and your preferences. A secondary
and controversial usage of cookies is to track the activities of users.
Different types of cookies are:

- Temporary cookies: These cookies are valid only for the lifetime of your current session, and are deleted when you close your browser. These are usually the good type. They are mostly used to keep your session information.
- Permanent cookies: These are stored for a time period, specified by the site, on the shopper's computer. They recall your previous session information.
- Server-only cookies: These cookies are usually harmless, and are only used by the server that issued them.
- Third-party cookies: These are usually used for tracking purposes by a site other than the one you are visiting. Your browser or a P3P policy can filter these cookies.
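As an added example (not from the report), the session mechanism described above in Python: the server keeps the session state itself and hands the browser only a random identifier in a temporary cookie, while a preference is kept in a permanent cookie with an expiry; on each later request the identifier is read back from the Cookie header and checked. Cookie names, the user name, the clock value and the time-out are constructed.

```python
"""Added example (not from the report): keeping a session over stateless HTTP
with a temporary session cookie and a permanent preference cookie."""
import secrets
from http.cookies import SimpleCookie
from typing import Optional


class SessionStore:
    """Server side: maps opaque session identifiers to the user's state."""

    def __init__(self, ttl_seconds: int = 900):
        self.sessions = {}
        self.ttl = ttl_seconds

    def create(self, user: str, now: float) -> str:
        """Called after a successful login; returns the identifier for the cookie."""
        sid = secrets.token_urlsafe(32)    # unguessable, carries no user data itself
        self.sessions[sid] = {"user": user, "expires": now + self.ttl}
        return sid

    def lookup(self, sid: str, now: float) -> Optional[str]:
        """Unknown or expired identifiers are rejected and forgotten."""
        s = self.sessions.get(sid)
        if s is None or now > s["expires"]:
            self.sessions.pop(sid, None)
            return None
        return s["user"]


def set_cookie_header(name: str, value: str, permanent_days: int = 0) -> str:
    """Builds the Set-Cookie header value. With permanent_days=0 no expiry is
    sent, so this is a temporary cookie dropped when the browser closes."""
    c = SimpleCookie()
    c[name] = value
    c[name]["path"] = "/"
    c[name]["secure"] = True     # sent only over HTTPS, so it cannot be sniffed
    c[name]["httponly"] = True   # not readable by scripts in the page
    if permanent_days:
        c[name]["max-age"] = permanent_days * 86400
    return c.output(header="").strip()


def parse_cookie_header(header: str) -> dict:
    """The browser's Cookie request header, as name=value pairs."""
    c = SimpleCookie()
    c.load(header)
    return {k: v.value for k, v in c.items()}


def handle_request(store: SessionStore, cookie_header: str, now: float) -> Optional[str]:
    """Server reads the session id on every request to link it to the same
    person; None means the user must authenticate again."""
    sid = parse_cookie_header(cookie_header).get("sid")
    return store.lookup(sid, now) if sid else None


def demo() -> dict:
    """One login followed by later requests against a constructed clock."""
    store = SessionStore(ttl_seconds=900)
    t0 = 1_700_000_000.0                                   # constructed clock value
    sid = store.create("customer42", t0)                   # after a successful login
    temporary = set_cookie_header("sid", sid)              # gone when the browser closes
    permanent = set_cookie_header("lang", "hi", permanent_days=30)   # a preference
    return {
        "temporary_header": temporary,
        "permanent_header": permanent,
        "next_request_user": handle_request(store, f"sid={sid}; lang=hi", t0 + 60),
        "after_timeout_user": handle_request(store, f"sid={sid}", t0 + 1000),
        "unknown_id_user": handle_request(store, "sid=0123456789", t0 + 60),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key:20s} {val}")
```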

10.6. Antivirus and Anti-spam


This is software used for security against various viruses and Trojans. It is similar to that used on web servers, but a user's antivirus protects his personal computer and is installed on it. Regular updates are required to keep virus dictionaries up to date. Some of the antiviruses used on personal computers are AVG, Norton Internet Security, Kaspersky, Quick Heal, etc. AVG is one such antivirus. Some of the detection methods provided in AVG are:

- Signature-based detection.
- Polymorphic-based detection.
- Heuristic-based analysis.
- Behaviour-based analysis.

Anti-spam - Email spam, and the anti-spam techniques used against it, are as described in section 9.10 above.

Best tips to defend yourself against viruses and worms

You must safeguard your PC. Following these basic rules will help protect you whenever you go online.

- Protect your computer with strong security software and keep it updated.
- Use a security-conscious Internet service provider (ISP).
- Enable automatic Windows updates.
- Use great caution when opening any e-mail attachments.
- Be careful when using P2P file sharing.
- Use security precautions for your PDA, cell phone, and Wi-Fi devices.
- Beware of spam-based phishing schemes. Don't click on links in emails or IM.
- Back up your files regularly.
- Stay aware of current virus news.

10.7. Anti-spyware

Spyware is software that installs itself on your computer, often as the trade-off for a piece of "free"
software. They are unwanted programs that exploit infected computers for commercial gain. They
can deliver unsolicited pop-up advertisements, steal personal information (including financial
information such as credit card numbers), monitor web-browsing activity for marketing purposes, or
route you to advertising websites. Spyware is software that transmits personal information to a third
party without the user's knowledge or consent. This can lead to your PC being compromised along
with your identity.
Anti-Spyware helps keep you safe from dangerous spyware that can lead to your computer being
compromised, along with your identity, and threaten the security of what you value. You need
spyware protection because spyware is created by hackers and cybercriminals and can be spread via
infected email attachments, shared files, or malicious websites. Good Anti-Spyware is effective at
both detecting and removing spyware if you're already infected. It should also detect and prevent
future spyware infections.

10.8. Personal firewalls


A Personal firewall is an application which controls network traffic to and from a computer,
permitting or denying communications based on a security policy. A personal firewall differs from a
conventional firewall in terms of scale. A personal firewall will usually protect only the computer on
which it is installed, as compared to a conventional firewall which is normally installed on a
designated interface between two or more networks, such as a router or proxy server. Hence,
personal firewalls allow a security policy to be defined for individual computers, whereas a
conventional firewall controls the policy between the networks that it connects.

The per-computer scope of personal firewalls is useful to protect machines that are moved across
different networks. For example, a laptop computer may be used on a trusted intranet at a
workplace where minimal protection is needed as a conventional firewall is already in place, and
services that require open ports such as file and printer sharing are useful. The same laptop could be
used at public Wi-Fi hotspots such as those provided at cafés, airports or hotels, where more strict security
is required to protect from malicious activity. Many personal firewalls are able to control network
traffic by prompting the user each time an application attempts a connection and will adapt the
security policy accordingly. Personal firewalls may also provide some level of intrusion detection,
allowing the software to terminate or block connectivity where it suspects an intrusion is being
attempted.

Common personal firewall features:

- Protect the user from unwanted incoming connection attempts.
- Alert the user about outgoing connection attempts.
- Allow the user to control which programs can and cannot access the local network and/or Internet.
- Hide the computer from port scans by not responding to unsolicited network traffic.
- Monitor applications that are listening for incoming connections.
- Monitor and regulate all incoming and outgoing Internet traffic.
- Prevent unwanted network traffic from locally installed applications.
- Provide the user with information about an application that makes a connection attempt.
- Provide information about the destination server with which an application is attempting to communicate.

11. Flow chart of security technologies

[Flow chart: the user or customer at the top interacts with the user-side technologies; the technologies common to both sit in the middle; the merchant or server at the bottom interacts with the merchant-side technologies. The chart's boxes are listed below as Technology - Visibility - Purpose.]

USER INTERACTION WITH TECHNOLOGIES (User or customer)

- Personal computer - Visible to user - Necessary requirement to carry out e-commerce and to make sure that it is not used by an unauthorized person.
- Virtual keyboard - Visible to user - Necessary to save our personal details from a hacker who steals details by using a Trojan virus to record keystrokes.
- Authentication - Visible to user - Necessary for the user to authenticate himself by login-ID, login-password and security question, and to authenticate the merchant by pre-set image.
- Anti-viruses and anti-spam - Visible to user - Necessary to monitor the computer for viruses and junk mails and remove them as soon as possible.
- Anti-spyware - Visible to user - Necessary to detect and remove spyware software, which continuously monitors your browsing activity and passes your personal details to a hacker without the user's knowledge.
- Cookies - Not visible to user - Necessary to store authentication and session information, hence the user has no need to authenticate himself again and again.
- Personal firewalls - Not visible to user - Necessary to restrict access of unauthorized persons to the user's computer.

TECHNOLOGIES COMMON TO BOTH USER AND MERCHANT

- TLS/SSL protocols - Visible to user and merchant both - Necessary to create a secure connection between client and server, and to encrypt the data using private and public keys so that an unauthorized person can't read it.
- IPSec protocols - Not visible to user and merchant - Necessary to secure Internet communications by authenticating and encrypting each IP packet of a communication session.
- Proxy server - Not visible to user and merchant - Necessary to store the user's IP address and generate a new request, so that a fake site can't steal the user's details using the IP.

MERCHANT INTERACTION WITH TECHNOLOGIES (Merchant or server)

- Authentication - Visible to user and merchant's server - Necessary to authenticate the user by login-ID, login-password, security question and transaction password, and to authenticate the merchant himself by pre-set image.
- Digital certificates - Visible to user and shown by only a genuine site - Necessary to ensure that the website is not a phishing website, so that the details entered by the user will not be misused.
- Non-repudiation - Visible to user and merchant both - Necessary for the merchant to preserve the proof of a transaction so that the customer can't deny that deal in future; this is achieved by digital signatures and time-stamps.
- Firewalls - Not visible to merchant's server - Necessary to restrict illegal entry of users; this is achieved by techniques like packet filters and application gateways.
- Anti-viruses and anti-spam - Visible to server - Necessary to secure the server from internet attacks; it regularly monitors the server and provides internet security.
- Public key infrastructure - Not visible to merchant and user - Necessary to establish a secure connection between two genuine sites by knowing their private and personal keys.

12. SUMMARY OF TECHNOLOGIES EMPLOYED BY BOTH USER AND MERCHANT IN TABULAR FORM

Columns of the table: SECURITY ITEM | CUSTOMER | MERCHANT | COMMON | VISIBILITY | IMPACT | NATURE | TRUST. The Customer, Merchant and Common columns are only partly legible in the extracted text; the "No" entries under Common are kept below.

Authentication
  Visibility: Visible to both
  Impact: Secures the user's account from unauthorized access, and the user himself from fake sites.
  Nature: Proactive
  Trust: Increases trust on both sides

Firewalls
  Visibility: Not visible to both
  Impact: Restrict access to unauthorized data, user and website.
  Nature: Proactive
  Trust: Increases trust of both in browsing the Internet

Digital certificate
  Common: No
  Visibility: Visible to user
  Impact: Assures the user that the website visited by him is not a phishing website.
  Nature: Proactive
  Trust: Increases the user's trust in the merchant

SSL
  Visibility: Visible to both
  Impact: Both get assured that information will never be sniffed on the network, because it is in encrypted form.
  Nature: Proactive
  Trust: Trust increases on each other

IPSec
  Visibility: Not visible to both
  Impact: Gives assurance of a secure connection between user and merchant.
  Nature: Proactive
  Trust: Trust increases on each other

Non-repudiation
  Common: No
  Visibility: May or may not be visible to user
  Impact: The merchant gets a proof of the user's transaction, so the user can never deny it in future.
  Nature: Proactive as well as reactive
  Trust: Trust of merchant increases on user

IP-address capture
  Common: No
  Visibility: Visible to user
  Impact: A fake user may not make an attempt to gain access on another's behalf, so this may lead to a decrease in fraud.
  Nature: Reactive
  Trust: Trust of user increases on merchant

Time-stamps
  Common: No
  Visibility: Not visible to user
  Impact: Access time is recorded and helps in detecting fraud.
  Nature: Reactive
  Trust: Trust of user increases on merchant

Investigating procedure
  Common: No
  Visibility: Not visible to user
  Impact: Methods or ways to detect fraud.
  Nature: Reactive
  Trust: Trust of both sides increases

Anti-virus suite
  Visibility: Not visible to each other, but visible to their own self
  Impact: Keeps user and merchant free from virus attacks.
  Nature: Proactive
  Trust: Increases trust on both sides

13. Study of comparison of the e-commerce setup of AIR INDIA and British Airways

AIR INDIA is a government-run airline and has its own webpage at www.airindia.com. AIR INDIA presents its e-commerce portal on its webpage for online bookings and payments. We will now study AIR INDIA's e-commerce portal from the perspective of security and consumer-friendliness.

Let us first list the details to which a first-time user will directly refer:

- Customer-friendly interface - If a user doesn't find the webpage good and interactive, it is unlikely that he will proceed further. A good website should clearly present all the information required by the user, which also helps in building user trust by clearing all his doubts about the website. Hence, the chances are increased when users are provided with all the relevant information.

- Website's digital certification logo - In today's world of the internet, many websites are added daily. Many times hackers create fake websites similar to the original ones so that users are tricked. Hence, to differentiate between these, digital certificates are used. So, a user can know about the authenticity of the website by looking at the digital certificate. A digitally certified website will have a digital certificate logo on its website, and users can check for these.

- Address bar for any encryption currently being employed during communication - Another feature that a user can look to is encryption. It can be seen visually: if a website is interacting using encryption, we can notice the following change:

  Before encryption: http://www.google.com
  After encryption: https://www.google.com

A green colour in the address bar, together with the additional "s" in https, confirms encryption. If encryption is currently being used, one can be assured that hackers can't read the conversation between the user and the website.
Some basic issues on the basis of which the comparison between Air India and British Airways is carried out:

- Trust visibility and response time.
- Content management.
- E-commerce platform.
- Privacy policy.
- Security features.

12.1. Trust visibility and response Time

For Air India

Views: The first thing that a user might look for is the authentication of the website. No digital certificate logo has been put up by the company which can be used for checking the authenticity of the website. This can create doubts in the mind of a new user.
The next point that a user will observe is the response time of the website. The response time of the Air India website is good. A user doesn't need to wait for the loading of the webpage and can browse the website without any delay.

My ratings for visible trust - POOR
My ratings for response time - VERY GOOD

For British Airways

Views: British Airways have also not put any digital certificate on their webpage. However, the front page has been designed such that a user might still get convinced about the authenticity of the webpage. The response time for the website is also good.

My ratings for visible trust - GOOD
My ratings for response time - VERY GOOD

12.2. Content Management

For Air India

Positive aspects:

- The booking portal provided by the company is easy to use. It is also easy to browse through the website.
- FAQs can help a user clear many of his doubts. They have been put up in a good manner, with an additional option of viewing them in Hindi.
- The good thing is that the company mentions its contact numbers and the addresses of its offices, with their respective contact details, at various places in India. For example, the company's office at Delhi is at Air India Limited Reservations, Safdarjung Airport, Aurobindo Marg, New Delhi - 110003. del.reservationmanager@airindia.in Telephone- 011 24622220, Fax-011 24653682.
- The booking process is also good, as only the required information is shown to the user. The user is provided with options such as a currency converter and a breakdown of taxes for consumer satisfaction.
- The user is also provided with options such as New Search, so that a user can start a fresh booking if he is not satisfied with the current travel search.
- Assistance is given to the user while entering details such as name.
- It gives the user an option of having the booking information sent to the user's mobile (only for Indian users).

Negative aspects:

- Surfing can be made clearer by proper positioning of the various offers provided to the customer. The various options put up look clumsy, as they have been put together without much differentiation among them, making it difficult for each option to grab the user's attention at first sight.
- The booking portal should be made a bit different, thus making it catchier so that it gets the primary notice of the user. It looks just mixed in between various options. The website can be presented in a much more interactive manner, having flash messages, good graphic images and displaying the various offers clearly.
- The Frequent Flyer option can be made smaller.
- The general terms and conditions for online booking have been put up in a dull manner without any proper format. One will have to browse through the entire PDF for information regarding ticket cancellations, refunds etc.
- The fare chart put up by the company cannot be understood by users, as it uses various codes to define various terms. Also, various options like hotel booking and car rental service leave a bad impression, as a warning from Air India is issued to a user trying to access these options. It also shows a poor relation between Air India and its partners.
- The company has not put its privacy policy on its front page.

My ratings for content management for Air India- GOOD

For British Airways-


Positive aspects:

- The booking portal for the airways has been clearly put up and is distinct from other options.
- Various offers have been put up in an excellent manner and are capable of drawing the user's
  attention at first sight.
- One can easily access the options for help and contacts.
- One can easily get information regarding refund of tickets, complaints and contact numbers
  for the airline.
- The company has provided a wide range of FAQs with a search engine for customers'
  assistance.
- The company has clearly mentioned its general terms and conditions and its privacy policy
  under the Legal heading.

Negative aspects:

- The webpage of the website is a bit long in length and some users may not like to scroll
  down till the end for the various offers.
- The response time of the website increases when a user tries to access the airline's partners such
  as hotels and car rental services. Sometimes, users can also experience delays while accessing the
  general terms and conditions.
- The company has not provided any fare chart. So, a user will have to go through the booking
  procedure to know the fare.

My ratings for content management for British Airways- VERY GOOD

12.3. E-Commerce platform and Refund Policy

For Air India


A merchant may offer various payment options to customers, and users can choose the payment
mode according to their wish. Current payment options for Air India include card payments and bank
transfers. One can make payments through cards issued by VISA, MASTERCARD and AMERICAN
EXPRESS only.

- If a user chooses the Credit Card payment option, he will be asked to fill in the details of the card and
  proceed with the payment.
- As of now, Air India accepts debit cards with the payment gateway of Bank of India, Indian
  Overseas Bank, State Bank of India, Union Bank of India and Punjab National Bank only.
- If we proceed with debit card payment, the company issues a notice that payment will be
  taken remotely and will be directed to the payment gateway of the respective
  bank. Users will be charged the fees set by the respective payment gateway being
  used. For e.g., Indian Overseas Bank charges Rs. 10 per transaction.

Hence, users are given the flexibility of choosing a payment gateway with the respective fees being charged,
which is a good move as it makes it transparent that the company is not charging any extra fee
for the given transaction.
Also, a good thing that the company does is that it shows users the taxes and charges separately, as
shown below.

Refund Policy- the company does not clearly state its refund policy while making bookings. A user
will have to browse through the FAQs specified by the company. There one can get information about the
procedures for obtaining a refund for both domestic and international bookings.

The time to get a refund, as stated by the company, is: "In normal circumstances a refund is processed
almost immediately. However, in case of a credit card bank transfer, it takes a minimum of twenty
days and in case of a lost ticket, it takes a minimum of six months as the mandatory cooling period
needs to be met with and the documents are processed by our Central accounts office."

However, the company does not state the fees charged for making a refund.

My ratings for e-commerce platform of Air India- VERY GOOD

For British Airways-


Currently, British Airways accepts card payments of the following types-
- VISA
- MASTERCARD
- Diners Club
- American Express
- AirPlus / UATP

Users are given the option to select the type of card with which they are willing to make payment. After
selecting the card type, users are asked to enter the card details. At the point of making payment, the fees
charged for using cards are not specified and thus a user cannot know about the fees charged.
The airline just mentions that- "Selecting 'Make booking' will confirm your purchase and charge your
payment card."

Refund Policy- the company clearly mentions its refund policy under its Help and Contacts option. One
can get complete information regarding refunds. While entering card details for payment, the
company also gives a message regarding cases where the information entered by the user is not correct
and the user has already paid money. One can check this by viewing the following message from the airline.

For refund or cancellation charges, the airline mentions these under Fare Conditions while displaying
the desired flight details, as shown below.

My ratings for e-commerce platform of British Airways- GOOD

12.4. Privacy Policy


For Air India

The privacy policy of the airline has not been put on the front page. Instead, a user can find the privacy policy
while booking a flight through online booking. The privacy policy given by the company is in Hindi
and needs to be translated if one does not know Hindi too well. The privacy policy says nothing about the
confidentiality of users' details. Instead, it only talks about situations where Air India's e-commerce
platform provider will not be held responsible for errors in details and for content on Air India's website. This
leaves a bad impression on the user. Following is the screenshot of the privacy policy put up by Air
India.

However, in the general Terms and Conditions the company also states that it shall not disclose any
information to any third party and that users' personal information shall be protected.
Following is a screenshot of this-

My ratings for privacy policy of Air India- AVERAGE

For British Airways


The privacy policy of British Airways is very clear. It answers all questions such as how users' data is
collected, what use the website makes of it, and how the user data is used by the company. It also displays
answers for questions such as which countries users' data will pass through and to whom
this booking data can be disclosed. Following is the screenshot of the privacy policy of the airline-

Hence, a user can get his doubts cleared before proceeding.
A user can also see a brief privacy policy while making the payment for a given transaction.
Following is the screenshot of it-

My rating for Privacy Policy of British Airways- VERY GOOD

12.5. Security features

For Air India


These features help to build the user's trust in the merchant. They give the user an assurance of a safe and
guaranteed transaction. Some of these also help in establishing the authenticity of the
website. Some of these are:

- The company has not put any digital certificate logo on its front page. This may create
  doubts in the mind of the user as to whether the site he is currently browsing is valid or not. Also,
  one can see that there is no encryption used while the user is on the front page.
  We can see the screenshot of Air India's front page as follows-
- However, encryption can be seen as one proceeds with online booking. This information can
  only be seen by clicking the lock in the address bar.
  This assures the user of the safety of his personal data. This is the only visible security that one can
  look for.
- One can also look for the various standards which the company follows. These can be used for
  further increasing user trust. However, Air India does not state any such standards on its
  website.
- Also, while making payments by credit card no visible certificate regarding the safety of the
  transaction can be seen.
- However, while using a debit card one can see certification logos of VeriSign etc. at the
  respective payment gateway he is currently using.

After clicking the lock in the address bar while accessing Air India, one can see the following messages
during online booking-

- Identity of website verified by VeriSign Class 3 International Server CA - G3.
- Connection encrypted with 128-bit encryption.
- Uses TLS encryption.

The screenshot of this is shown below-

- While making bookings, users are provided with a session time of 20 minutes. Users may or
  may not be informed about it. If the terminal used by the user remains idle for more than 20
  minutes, the server automatically cancels the current transaction of the user and directs him
  to start again for security purposes.
- If a user wishes to come back from a payment gateway while making payments, he will have
  to start again by opening the web browser afresh, as payment gateways are operated by third
  parties. This is good and increases the security features.
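The 20-minute idle timeout and the one-way hand-off to a third-party payment gateway described above, as an added Python model that is not code from Air India or British Airways. The timeout value is the one the report states; the state names, the token length and the manual clock are my assumptions for the demonstration.

```python
"""Idle-timeout booking sessions, modelled on the behaviour described above.

Added example, not code from Air India or British Airways. Assumptions:
the 20-minute idle limit the report states for Air India, the state names,
and that once a session is handed to the third-party payment gateway it can
never be resumed (the user must open a fresh session).
"""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass, field

IDLE_TIMEOUT_SECONDS = 20 * 60  # 20-minute idle limit described in the report


class SessionExpired(Exception):
    """The booking sat idle longer than the limit and was cancelled server-side."""


class SessionInvalid(Exception):
    """Unknown id, or a session already handed to the payment gateway."""


class ManualClock:
    """Demo clock (assumption): time only moves when advance() is called."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


@dataclass
class BookingSession:
    session_id: str
    last_activity: float
    state: str = "BOOKING"  # BOOKING -> AT_GATEWAY, never back
    details: dict = field(default_factory=dict)


class BookingSessionStore:
    """Server-side store enforcing the idle timeout and the one-way gateway hand-off."""

    def __init__(self, clock=time.monotonic, idle_timeout: float = IDLE_TIMEOUT_SECONDS):
        self._clock = clock  # injectable so the timeout can be exercised without waiting
        self._idle_timeout = idle_timeout
        self._sessions: dict[str, BookingSession] = {}

    def start(self) -> str:
        # Unpredictable id: a guessable one would let a stranger pick up someone's booking.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = BookingSession(sid, self._clock())
        return sid

    def _get_active(self, sid: str) -> BookingSession:
        sess = self._sessions.get(sid)
        if sess is None or sess.state != "BOOKING":
            raise SessionInvalid("no resumable booking session; start again")
        if self._clock() - sess.last_activity > self._idle_timeout:
            del self._sessions[sid]  # cancel the stale transaction rather than let it linger
            raise SessionExpired("idle for more than 20 minutes; start again")
        return sess

    def touch(self, sid: str, **details) -> BookingSession:
        """Record user activity (e.g. entering passenger names) and reset the idle clock."""
        sess = self._get_active(sid)
        sess.details.update(details)
        sess.last_activity = self._clock()
        return sess

    def hand_off_to_gateway(self, sid: str) -> dict:
        """Freeze the booking and return what the gateway needs; it cannot be resumed afterwards."""
        sess = self._get_active(sid)
        sess.state = "AT_GATEWAY"
        return dict(sess.details)

    def is_resumable(self, sid: str) -> bool:
        try:
            self._get_active(sid)
            return True
        except (SessionExpired, SessionInvalid):
            return False


if __name__ == "__main__":
    clock = ManualClock()
    store = BookingSessionStore(clock=clock)
    sid = store.start()
    store.touch(sid, passenger="A. Traveller")  # constructed sample input
    clock.advance(21 * 60)
    print("resumable after 21 idle minutes:", store.is_resumable(sid))  # False
```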

My rating for security on Air Indias website- VERY GOOD


For British Airways

- The company has not put any digital certificate logo on its front page. Also, no encryption is employed
  while communicating on its front page.
- But one can see a lock in the address bar once the user starts with booking. The following message can
  be seen after clicking the lock-
  - Verified by GlobalSign Extended Validation CA - G2. The address of the headquarters of the
    company is also given here.
  - 128-bit encryption.
  - Uses TLS 1.0.
  Following is the screenshot of the above information-
- British Airways also gives a certain time for making a given transaction. If the user remains idle on a
  particular screen, the server will automatically cancel the user's current transaction and direct him to
  start again for security purposes. However, users are not informed about it. Following is the screenshot
  of this-
- One can also see MasterCard etc. security logos while making card payments for the given
  transaction. These are the visible trust indicators used by British Airways to enhance user trust so that users
  can proceed without any doubt. Following is the screenshot of the various logos put up by
  British Airways.

My ratings for Security of webpage of British Airways- VERY GOOD

13. Comparison between airindia.com and britishairways.com in Tabular Form

(Logo images in the table courtesy of competetionrx.com, docs.ispconfig.org and onionlive.com)

FEATURE: VISIBLE TRUST
  AIR INDIA: POOR (no digital certificate logo, with poor website presentation). The company should be looking to put up its digital certificate on its front page.
  BRITISH AIRWAYS: AVERAGE (no digital certificate logo, with good website presentation).

FEATURE: RESPONSE TIME
  AIR INDIA: VERY GOOD (there were no delays while loading webpages of airindia.com).
  BRITISH AIRWAYS: VERY GOOD (one will get very good browsing speed without any delays).

FEATURE: PRESENTATION OF WEBSITE
  AIR INDIA: AVERAGE (the booking portal should be clearly highlighted, with the other options made distinct from each other; various pictures and flash player videos can be used). The booking portal can be highlighted, and interactive images and flash messages can be put up.
  BRITISH AIRWAYS: VERY GOOD (the booking portal can be seen as soon as one opens the webpage of the airline; good interactive images with well-defined options make the browsing experience good).

FEATURE: CONTENT MANAGEMENT
  AIR INDIA: AVERAGE (the company provides the user with its contact details; various offers are easy to access; one can also see terms and conditions at the lower end of the webpage; FAQs also help in a nice manner). Information regarding various topics can be presented in an interactive manner.
  BRITISH AIRWAYS: VERY GOOD (the information is easy to access and one can easily see Help and Contacts, which are well defined; one can easily get information regarding refunds, transaction bounce etc.; FAQs also help a lot).

FEATURE: E-COMMERCE PLATFORM
  AIR INDIA: VERY GOOD (the company is transparent in charging fees for booking through cards and has a secured payment mode). The company can also look at EMI payments by agreeing with various banks.
  BRITISH AIRWAYS: AVERAGE (offers card payments of various card types and a secured booking portal; however, the company does not state the fees charged for payment through cards).

FEATURE: SECURITY
  AIR INDIA: VERY GOOD (the security offered is very good; apart from encryption and digital certificates, users are allowed sessions for booking; also, one has to start afresh if he wishes to come back from a payment gateway).
  BRITISH AIRWAYS: VERY GOOD (has excellent security features; one can see encryption and digital certificates, and MasterCard SecureCode and Verified by Visa while making card payment; users are provided sessions for booking).

FEATURE: REFUND POLICY
  AIR INDIA: VERY GOOD (assures the customer of immediate payments; one can go through the FAQs stated for getting complete information regarding this; various contact numbers are also given).
  BRITISH AIRWAYS: VERY GOOD (one can get information regarding this in the various FAQs via the search engine; contact numbers are also given).

FEATURE: PRIVACY POLICY
  AIR INDIA: AVERAGE (assurance is given that users' personal information shall not be disclosed to any third party).
  BRITISH AIRWAYS: VERY GOOD (the user can get all his answers as to why personal data is collected, how it is used, that data shall not be disclosed to any third party etc.).

14.E-commerce status of some other websites

14.1. GOINDIGO.com
The screenshot of the front page of goindigo.com can be seen as-

- The company does not have an impressive front page. The various offers put up are placed
  in a simple manner but are filled with very bright colours and may not be liked by many
  customers.
- The booking portal is not properly highlighted and is mixed in between various options.
- There are no interactive pictures or flash messages put up on the front page.
- The airline has not put up any digital certificate logo which could prove the authenticity of the
  website.
- The company has an excellent e-commerce platform. The company accepts MASTERCARD,
  VISA and AMERICAN EXPRESS cards for payment. It also accepts debit cards of selected banks.
  Apart from these, the airline offers a NET BANKING facility and an EMI facility for CITI BANK and
  HDFC Bank.
- The disclaimer and privacy policy of the airline can be viewed from the front page. One can get much
  information regarding his doubts from these.
- A TOLL FREE number along with certain e-mail addresses have been put up by the company for contact by
  users.
- Encryption is used as a security procedure. One can also see MASTERCARD SECURECODE and
  VERIFIED BY VISA logos while making card payments. Also, the airline uses a proactive security
  measure as it clearly states, for security purposes, that the user's IP address recorded with the airline
  is ****. This has been highlighted in the following screenshot-

MY RATINGS FOR GOINDIGO.COM- AVERAGE

14.2. MAKEMYTRIP.COM

Makemytrip.com is an e-commerce portal for holiday packages, flights, rail etc.

- The website does not have an excellent presentation, but the various offers and options are easy to
  browse through and use. One can see the various options for flight booking, rail booking etc.
  very easily.
- The website builds immediate trust in the user's mind as one can see various
  authentication logos like Trustwave, VeriSign etc. One can click on these for obtaining more
  information regarding the respective logo. The Trustwave logo's screenshot can be seen above.
- Content management of the website is very good, but users may face delays while browsing
  through the website.
- The booking portal is very good. For e.g., for flight bookings, users are shown all possible
  fares by various airlines and can choose according to their wish. At the same time, the lowest
  possible fares are shown to the user.
- One can also look for the lowest possible fares for flights using the given calendar. One
  can even see the lowest possible fares for a month from now and decide his flight accordingly.
- The company offers various payment modes such as Credit Cards, Debit Cards, Net Banking
  and Cash Cards, and these are secured.
- The company states its refund policies and privacy policies clearly, and they can be seen from
  the front page.
- Contact numbers for the various transport modes etc. are mentioned under the Contact Us option.

The screenshot of the digital certificate by Norton Secured (VeriSign) is shown below-

MY RATINGS FOR MAKEMYTRIP.COM- VERY GOOD

15.Glossary of security Terms


Access control: Access control refers to the rules and deployment mechanisms which control access
to information systems, and physical access to premises.
Anti-virus program: Software designed to detect, and potentially eliminate, viruses before they have
had a chance to wreak havoc within the system, as well as repairing or quarantining files which have
already been infected by virus activity.
Authentication: This refers to the verification of the authenticity of either a person or of data.
Authorization: The process whereby a person approves a specific event or action.
Availability: Ensuring that information systems and necessary data are available for use when they
are needed.
Biometric access controls: Security access control systems which authenticate (verify the identity of)
users by means of physical characteristics, e.g. face, fingerprints, voice or retinal pattern.
Buffer overflow attacks: This is a type of DoS attack whereby data are sent to the server at a rate and
volume that exceeds the capacity of the system, causing errors.
Bug: A fault in computer systems usually associated with software.
Business continuity plan (BCP): This is a plan to ensure that the essential business functions of the
organization are able to continue (or re-start) in the event of unforeseen circumstances; normally a
disaster of some sort.
Certification authority: A trusted third party clearing house that issues digital certificates and digital
signatures. Such certificates include an organization's name, a serial number, and an expiry date. In
addition, to allow for the encryption and decryption of data, the public key of the organization is also
included. Finally, the digital signature of the certificate-issuing authority is included so that a
recipient can verify that the certificate is valid. Companies such as VeriSign, Entrust and Baltimore
Technologies provide various levels of certification services for organizations and individuals.
Cipher: A cipher is the generic term used to describe a means of encrypting data. In addition, the
term cipher can refer to the encrypted text itself.
Computer viruses: These are pieces of programming code which have been purposely written to
inflict an unexpected result upon some other program. There are now approximately 50,000 viruses
and their variants for which known cures or vaccines are available. Viruses are transmitted within
other (seemingly) legitimate files or programs, the opening or execution of which causes the virus to
run and to replicate itself within a computer system, as well as performing some sort of detrimental
action.
Confidentiality: Assurance that information is shared only among authorized persons or
organizations. Breaches of confidentiality can occur when data are not handled in a manner
adequate to safeguard the confidentiality of the information concerned.
Controls: Procedures that can reduce, or eliminate, the risk of a threat becoming an incident.
Cookie: A small identifier file placed on a user's computer by a website, which logs information
about the user and their previous/current visits for the use of the site the next time the user makes
contact. The website owners claim that this is beneficial to the user, allowing faster access and
personalization of the site for that user.
Cracker: This is either a piece of software (program) whose purpose is to crack the code to, say, a
password, or refers to a person who attempts to gain unauthorised access to a computer system.
Cryptography: The subject of cryptography is primarily concerned with maintaining the privacy of
communications.
Data/information: In the area of information security, data (and the individual elements that
comprise the data), when processed, formatted and re-presented, gain meaning and thereby
become information.
Decryption: The process by which encrypted data is restored to its original form in order to be
understood/usable by another computer or person.
Denial of service: Denial of service (DoS) is an action against a service provider over the internet
whereby a client is denied the level of service expected. DoS attacks do not usually have theft or
corruption of data as their primary motive.
Digital certificate: A digital certificate is the electronic version of an ID card that establishes a
persons credentials and authenticates a connection when performing e-commerce transactions
over the internet, using the web.
Digital signature: A digital signature is an electronic equivalent of an individuals signature. It
authenticates the message to which it is attached and validates the authenticity of the sender. In
addition, it also provides confirmation that the contents of the message to which it is attached, have
not been tampered with, en route from the sender to the receiver.
E-Commerce: e-commerce, e-business or e-tailing are electronic transactions, performed over the
internet and usually via the web - in which the parties to the transaction agree, confirm and
initiate both payment and goods transfer.
Encryption: The process by which data are temporarily re-arranged into an unreadable or
unintelligible form for confidentiality, transmission, or other security purposes.
E-Trading: e-Trading is that part of e-commerce which specializes in financial services. It deals in
corporate paper (e.g. stocks and shares), purchase of commodities, currencies etc. It can be
business-to-consumer or business-to-business.
Firewalls: Firewalls are security devices used to restrict access between two communication
networks.
Hacker: An individual whose primary aim is to penetrate the security defences of large,
sophisticated, computer systems.
HTTP: This protocol, the Hyper Text Transfer Protocol, is used for the transmission of information,
graphics, sounds and animation between a client web browser and the web-server.
HTTPS and SSL: The Secure Hyper Text Transfer Protocol uses HTTP but additionally activates
web-server security, in the form of Secure Sockets Layer (SSL). This means that the communications
between the client and the (host) web-server are encrypted and, additionally, that the host
web-server may be validated by the client using a digital certificate on the server.
Information asset: An information asset is a definable piece of information, stored in any manner
which is recognized as valuable to the organization.
Integrity: Assurance that the information is authentic and complete. Ensuring that information can
be relied upon to be sufficiently accurate for its purpose.
International organization for standardization (ISO): This is a group of bodies from approximately
130 countries whose aim is to establish, promote and manage standards to facilitate the
international exchange of goods and services.
Internet: A publicly accessible wide area network that can be employed for communication between
computers.
Internet service provider (ISP): An internet service provider commonly referred to as an ISP is a
company which provides individuals and organizations with access to the internet, plus a range of
standard services such as e-mail and the hosting (running) of personal and corporate websites.
Intranet: A local area network within an organization, which is designed to look like, and work in the
same way as, the internet. Intranets are essentially private networks, and are not accessible to the
public.
Intrusion: An uninvited entry into a system by an unauthorized source.
Logic bomb: A logic bomb is a piece of program code buried within another program, designed to
perform some malicious act.
Malicious code: Malicious code includes all and any programs (including macros and scripts) which
are deliberately coded in order to cause an unexpected (and usually, unwanted) event on a
computer system.
Non-repudiation: It ensures that neither the sender nor the receiver of a message is able to deny
the transmission.
PKI: Public key infrastructure (PKI) is the use and management of cryptographic keys (a public key
and a private key) for the secure transmission and authentication of data across public networks.
Policy: A policy may be defined as "An agreed approach in theoretical form, which has been agreed
to/ratified by a governing body, and which defines direction and degrees of freedom for action." In
other words, a policy is the stated views of the senior management (or Board of Directors) on a
given subject.
Protocol: A set of formal rules describing how to transmit data, especially across a network.

Ping attack: This is where an illegitimate attention request, or Ping, is sent to a system, with the
return address being that of the target host (to be attacked). The intermediate system responds to
the ping request, but the response goes to the unsuspecting victim system. If the receipt of such responses
becomes excessive, the target system will be unable to distinguish between legitimate and
illegitimate traffic.

Security for electronic transactions (SET): SET was originally supported by companies such as
MasterCard, VISA, Microsoft and Netscape and provides a means for enabling secure transactions
between purchaser, merchant (vendor) and bank.
Smart card: Smart cards look and feel like credit cards, but have one important difference: they
have a programmable micro-chip embedded. Their uses are extremely varied but, for information
security, they are often used not only to authenticate the holder but also to present the range of
functions associated with that user's profile.
Sniffers: A sniffer is a program which captures and analyses packets of data as they pass across a
network. Such programs are used by network administrators who wish to analyse loading across
network segments, especially where they suspect that spurious packets are bleeding from one
network to another.
Social engineering: Social engineering is a means by which information is extracted, usually verbally,
by someone impersonating a legitimate holder or user of the information in question.
Spam: Electronic equivalent of junk mail.
Spoofing: Alternative term for identity hacking and masquerading.
Threat: A threat is anything that can disrupt the operation, functioning, integrity, or availability of a
network or system.
Time-bomb: As the name suggests, a piece of hidden program code designed to run at some time in
the future, causing damage to, or loss of, the computer system.
Trojan horse: A Trojan horse is a malicious, security-breaking program that is disguised as something
benign, such as a directory lister, archiver or game. A Trojan is a type of virus that normally requires a
user to perform some action before the payload can be activated.
Virtual private network (VPN): A virtual private network emulates a private network over a public
network infrastructure, using specialist hardware and software.
Virus: A virus is a form of malicious code and as such is potentially disruptive. It may also be
transferred unknowingly from one computer to another.
Vulnerability: Vulnerability is an inherent weakness in the design, configuration, or implementation
of a network or system that renders it susceptible to a threat.
Worm: A worm is a malicious program that propagates itself over a network, reproducing itself as it
goes.
