You are on page 1of 10

eCommerce  and  Security  Issues  

Overview   This  is  not  a  comprehensive  discussion   Idea  is  to  make  you  aware  about  ecommerce  and  issues  related  to  it       History  of  eCommerce  (Source:  Wikipedia.com)   • The  meaning  of  electronic  commerce  has  changed  over  the  last  30  years.     • Originally,   electronic   commerce   meant   the   facilitation   of   commercial   transactions   electronically,  using  technology  such  as  EDI  and  EFT.  These  were  both  introduced  in  the  late   1970s,   allowing   businesses   to   send   commercial   documents   like   purchase   orders   or   invoices   electronically.     • The  growth  and  acceptance  of  credit  cards,  automated  teller  machines  (ATM)  and  telephone   banking  in  the  1980s  were  also  forms  of  electronic  commerce.     • Another  form  of  e-­‐commerce  was  the  airline  reservation  system  typified  by  Sabre  in  the  USA   and  Travicom  in  the  UK.     • Online  shopping  was  invented  in  the  UK  in  1979  by  Michael  Aldrich     • During   the   1980s   it   was   used   extensively   particularly   by   auto   manufacturers   such   as   Ford,   Peugeot-­‐Talbot,  General  Motors  and  Nissan.     • From  the  1990s  onwards,  electronic  commerce  would  additionally  include  enterprise  resource   planning  systems  (ERP),  data  mining  and  data  warehousing.   • Although   the   Internet   became   popular   worldwide   in   1994,   it   took   about   five   years   to   introduce  security  protocols  and  DSL  allowing  continual  connection  to  the  Internet.     • By  the  end  of  2000,  a  lot  of  European  and  American  business  companies  offered  their  services   through   the   World   Wide   Web.   Since   then   people   began   to   associate   a   word   "ecommerce"   with  the  ability  of  purchasing  various  goods  through  the  Internet  using  secure  protocols  and   electronic  payment  services.   • India  started  using  eCommerce  roughly  by  2002  onwards.     eCommerce:   • Electronic  commerce,  commonly  known  as  e-­‐commerce  or  eCommerce,  consists  of  the  buying   and   selling   of   products   or   services   over   electronic   systems   such   as   the   Internet   and   other   computer  networks.     • Modern  electronic  commerce  typically  uses  the  World  Wide  Web  at  least  at  some  point  in  the   transaction's  lifecycle,  although  it  can  encompass  a  wider  range  of  technologies  such  as  e-­‐mail   as  well.     • Electronic   commerce   is   generally   considered   to   be   the   sales   aspect   of   e-­‐business.   It   also   consists   of   the   exchange   of   data   to   facilitate   the   financing   and   payment   aspects   of   the   business  transactions.   • Thus,  eCommerce  is  the  process  of  buying  and  selling  or  exchanging  of  products,  services;  and   information  via  computer  networks  including  the  Internet.   • Electronic   commerce   that   is   conducted   between   businesses   is   referred   to   as   business-­‐to-­‐ business   or   B2B.   B2B   can   be   open   to   all   interested   parties   (e.g.   commodity   exchange)   or   limited  to  specific,  pre-­‐qualified  participants  (private  electronic  market).   • Electronic   commerce   that   is   conducted   between   businesses   and   consumers,   on   the   other   hand,  is  referred  to  as  business-­‐to-­‐consumer  or  B2C.  This  is  the  type  of  electronic  commerce   conducted  by  companies  such  as  Amazon.com.      
For  Educational  Purpose  only.                                                                                                                            ©Vicky  D.  Shah                                                                                                                        Page  1  of  10    

  derivatives.                                                                                                                            ©Vicky  D.   etc…   or   to   transfer   funds   between   financial   institutions.eCommerce  and  Security  Issues   eCommerce  Perspective:   • From   a   communications   perspective.   it   is   a   tool   that   addresses   the   desire   of   firms.  or  any  other  electronic  means.   products/services.”   • Only   when   there   is   an   error.   • From   a   service   perspective.   or   authorize   a   financial   institution  to  debit  or  credit  an  account.  Shah                                                                                                                        Page  2  of  10     .   • It   is   defined   as   electronic   transfer   from   one   computer   to   another   of   computer   proccesable   data  using  an  agreed  standard  to  structure  the  data.  where  a  cardholder  makes  use  of  a  payment  card      Direct   deposit   payroll   payments   for   a   business   to   its   employees.   telephonic   instrument.   currency   markets.   instruct.  possibly  in  a  private  currency      Wire  transfer  via  an  international  banking  network  (generally  carries  a  higher  fee)       Payment  System   • A   payment   system   is   a   system   (including   physical   or   electronic   infrastructure   and   associated   procedures   and   protocols)   used   to   settle   financial   transactions   in   market   (bond   markets.     Electronic  data  Interchange  -­‐  EDI     • Developed  in  early  60’s  as  means  of  accelerating  the  movement  of  documents  pertaining  to   shipments  and  transportation.   or   computer   or   magnetic   tape   so   as   to   order.     Electronic  Funds  Transfer  –  EFT   • It   is   defined   as   any   transfer   of   funds   initiated   through   an   electronic   terminal.   or   for   quality   review.   possibly   via   a   payroll   services  company      Direct  debit  payments  from  customer  to  business.G:  Payment  Gateway   – PayPal   – PaisePay   – CC  Avenue       For  Educational  Purpose  only.     • The  term  is  used  for  a  number  of  different  concepts:    Cardholder-­‐initiated  transactions.   and   management   to   cut   service   costs   while   improving   the   quality   of   goods   and   increasing   the   speed  of  service  delivery.   it   is   the   application   of   technology   to-­‐ward   the   automation  of  business  transactions  and  work  flow.  where  the  transaction  is  initiated  by  the   business  with  customer  permission      Electronic  bill  payment  in  online  banking.   • From   a   business   process   perspective.   consumers.   it   is   the   delivery   of   information.   futures.   • The   National   Institute   of   Standards   and   Technology   in   a   1996   publication   defines   Electronic   Data   Interchange   as   "the   computer-­‐to-­‐computer   interchange   of   strictly   formatted   messages   that  represent  documents  other  than  monetary  instruments.   or   payments  over  telephone  lines.   • From   an   online   perspective.     • E.  which  may  be  delivered  by  EFT  or  paper  check      Transactions  involving  stored  value  of  electronic  money.  computer  networks.   it   provides   the   capability   of   buying   and   selling   products   and   information  on  the  Internet  and  other  online  services.   and   for   special   situations   human   intervention  is  allowed.

  • E.   suppliers   and   strategic   partners.     • Intranets   and   extranets   are   communication   tools   designed   to   enable   easy   information   sharing   within  workgroups.   customers.     Value  Chain  in  eCommerce     • Primary  Activities   – Identifying  Customers   – Design   – Purchase  Material  &  Supply   – Manufacturing   – Market  &  Sell   – Delivery  of  Products   – Providing  after  sale  service  and  support     • Supporting  Activities   – Finance  &  Administration   – Human  Resource   – Developing  Technology     Elements  Responsible  -­‐  Success  of  eCommerce    Finance    Technology    Team    Back-­‐office    Strategic  alliances    Initial  marketing  efforts    Competition    Target  audience    Transaction  Security      Network  Security    Reliability    Speed      Brand  Awareness    Traffic  Volumes    Community  Building  and      Stickiness       For  Educational  Purpose  only.   An   extranet   is   one   way   in   which   a   firm   can   improve  their  offering  and  remain  competitive.  Shah                                                                                                                        Page  3  of  10     .   • E.  but  an  intranet  is   still  seen  primarily  as  a  corporate  productivity  tool.  G  Intranet:  Many  schools  and  non-­‐profit  groups  have  deployed  intranets.G   Extranet:   Allowing   controlled   access   to   an   otherwise   private   company   network   enables   business-­‐to-­‐business  transactions  and  file  sharing.eCommerce  and  Security  Issues   Intranet  and  Extranet   • An   "intranet"   is   the   generic   term   for   a   collection   of   private   computer   networks   within   an   organization.   which   may   include   personnel.                                                                                                                            ©Vicky  D.     • “Extranets”   are   extended   intranets   connecting   organizations.

                                                                                                                           ©Vicky  D.  etc…   • Advertising  Revenue  Model   -­‐  Google  search  engine.eCommerce  and  Security  Issues   eCommerce  Business  Model      Business  Model  -­‐  Type  of  Transaction    Business  to  Business  -­‐  B2B    Business  to  Consumer  -­‐  B2C    Consumer  to  Consumer  -­‐  C2C    Business  to  Anyone  -­‐  B2A      Business  Model  –  Type  of  Operation   Model  1.  etc…                   For  Educational  Purpose  only.  Shah                                                                                                                        Page  4  of  10     Model  A     Online     Online     Online     Online     Model  B     Online     Online     Offline     Online     Model  C     Online     Online     Offline     Offline     .  etc…   • Commission  Model   -­‐  eBay.  2  and  3  under  following  categories   1)  Product  Information   2)  Order  Registration   3)  Order  Execution   4)  Payment  Collection     Operations     1)  Product  Information     2)  Order  Registration     3)  Order  Execution     4)  Payment  Collection        Business  Model  –  Type  of  connectivity    Using  EDI  Connectivity   -­‐ Governments    Using  VPN  Connectivity   -­‐ Private  companies    Using  Internet  Connectivity   -­‐ For  end  users      Business  Model  –  Revenue   • Subscription  Revenue  Model   -­‐  Hosting  services.

                                                                                                                           ©Vicky  D.  Shah                                                                                                                        Page  5  of  10     .eCommerce  and  Security  Issues   Application  of  eCommerce    Email      Enterprise  content  management      Instant  messaging      Newsgroups      Online  shopping  and  order  tracking      Online  banking      Online  office  suites      Domestic  and  international  payment  systems      Shopping  cart  software      Teleconferencing      Electronic  tickets       Advantages  of  eCommerce    Increased  Profit    Large  Customer  Base    Increased  purchasing  opportunity  for  the  customers    Faster  Transaction  &  Multiple  Choices    Improved  &  Easier  Payment  System    Security    Accessibility    E-­‐learning  or  Distant  Education     Disadvantages  of  eCommerce    Non  acceptance  of  eCommerce  by  Business  Processes    Technological  Issues    Scarcity  of  Potential  Customers    Cost  Benefit  Issue    Software  Issues    Legal  Issues     E-­‐Commerce  Security    Security  Issues    eCommerce  Issues    Risks    Damage  to  site    Key  distribution.  certificate  authorities                         For  Educational  Purpose  only.

 rude  language  on  home  page    Crash  web  site   -­‐  Distributed  Denial  of  Service  attacks   -­‐  Hack  into  lots  of  computers  on  the  net.   it   doesn’t   need  to  actually  work    Domain  Name  Issue    Trademark  &  Copyright  Issue    Dispute  Resolution       For  Educational  Purpose  only.     E-­‐Commerce  Issues    What  are  the  threats  to  ecommerce  sites?   -­‐  Who  are  the  likely  attackers?   -­‐  How  do  we  defend.  or  at  least  minimise  our  losses    E-­‐Commerce  security  technology   -­‐  SSL  (https).      Especially  online  payment  related  issues.  certificate  auth    Theft  from  our  bank  account    Not  getting  paid  for  a  product   -­‐  stolen  credit  card   -­‐  dishonest  customer  repudiates  purchase    Damage  to  site  (defacement.  DoS)    Theft  of  personal  data  about  customers     Damage  to  Site    Deface  web  site   -­‐  Obscene  content.  certificates.eCommerce  and  Security  Issues   Security  Issues    Confidentiality   -­‐  No  unauthorized  person  can  view  transaction    Integrity   -­‐  Information  sent  by  the  sender  should  be  received  as  is  to  avoid  ambiguity    Availability   -­‐  Information  should  be  available  24x7    Authentication   -­‐  Receiver  should  know  who  has  sent  the  information  and  a  acknowledgement  must  be  made        on  receiving  the  data.  but  judges/lawyers  don’t  know  this!    so.  get  all  of  these  to  flood  victim  with  packets  or          otherwise  attempt  to  deny  service                                -­‐  Difficult  to  stop     Legal  Issues    Legal  defense:  due  diligence   o Show  you  have  done  used  “best  available”  technology  to  protect  data   o Firewalls  are  good  for  this    Not  too  effective.    Non  –  Repudiation   -­‐  Sender  or  receiver  of  the  message  cannot  deny  of  sending  and  or  receiving  the  message.                                                                                                                            ©Vicky  D.   need   a   firewall   which   looks   impressive   and   costs   money.  Shah                                                                                                                        Page  6  of  10     .

eCommerce  and  Security  Issues   Risks    Who  pays  if  there  is  fraud   o Customer?   o Retailer  (e-­‐commerce  site)?   o Credit-­‐card  company?   o Someone  else?    Business  goal:  risk  is  fine  as  long  as  someone  else  pays!    Credit-­‐card  fraud     Secure  Servers    Servers   which   use   cryptographic   protocols   (such   as   SSL)   so   that   net   traffic   is   private   and   authenticated   -­‐  credit  card  info  cannot  be  read   -­‐  shipping  addresses  cannot  be  changed    Secure  servers   -­‐  There  are  easier  ways  of  getting  card  numbers  than  net  spying   -­‐  CC  receipts  from  recycle  bin   -­‐  bugging  phones  easier  than  tapping  Web!     Certificate  Authorities   Authenticate  public  keys  by  signing     Emerging  Technological  Aspect   – mCommerce  and  Location  Based  Service   o It  is  existing  and  there  to  stay   – eCommerce  will  be  partially  replaced  by  mCommerce   – More  sophisticated  and  organized  attacks  anticipated   – 80%  of  the  business  would  be  online     IT  ACT  2000    Basic  legal  framework  for  E-­‐Commerce  to  promote  trust  in  electronic  environment    Acceptance   of   electronic   documents   as   evidence   in   a   court   of   law   and   Acceptance   of   electronic  signatures    E-­‐Commerce   and   E-­‐Governance   as   major   applications   through   legal   sanctity   accorded   to   electronic  records  and  digital  signatures    Acceptance  of  electronic  documents  by  the  government    Defining  of  digital  signatures  based  on  asymmetric  public  key  cryptography    Establishment  of  Certifying  Authorities  to  issue    digital  signature  certificates  for  authentication   of  users  in  e-­‐commerce  &  e-­‐governance    Amendments   to   the   IT   Act   have   addressed   industry’s   concerns   on   data   protection   issues   in   that   it   creates   an   enabling   legal   environment   in   India   that   addresses   breaches   of   confidentiality  and  integrity  of  data.                 For  Educational  Purpose  only.                                                                                                                            ©Vicky  D.  Shah                                                                                                                        Page  7  of  10     .

 confirmations.  Watermarks.  Audit  Logs     Requirements  for  Public  Key  Systems   SECRECY  of  the  private  key   -­‐  Must  be  known  only  to  owner   -­‐  Key  ownership  =  Identity   AVAILABILITY  of  the  public  key   -­‐  Must  be  available  to  anyone   -­‐  Requires  a  public  directory           For  Educational  Purpose  only.  receipts.  strong  physical  presence   Non-­‐repudiation   • Signatures.  Message  Digests.     Electronic  Solution   • Confidentiality   • Data  Encryption   • Authenticity   • Digital  Signatures.  Shah                                                                                                                        Page  8  of  10     .     Authenticity   • Notaries.     • Non-­‐Repudiation   • Digital  Signatures.eCommerce  and  Security  Issues   Encryption  and  Decryption  and  Digital  Signature       What  is  Cryptography?   Science  of  secret  (hidden)  writing   kryptos  –  hidden   graphen  –to  write   Encrypt  /  encipher   Convert  plaintext  into  ciphertext   Decrypt  /  decipher   Convert  ciphertext  into  plaintext     What  is  Digital  Signature?   A  digital  signature  is  an  electronic  means  of  authenticating  an  online  identity   A  digital  signature  can:   Authenticate  the  identity  of  the  sender  of  a  message  or  signer  of  a  document   Be  used  to  ensure  that  the  original  content  of  the  message  is  unchanged     Traditional  Paper  Based  Solution   Confidentiality   • Envelopes   Integrity   • Signatures.  Certificates   • Integrity   • Hash  Algorithms.                                                                                                                            ©Vicky  D.

 Shah                                                                                                                        Page  9  of  10     .   CA   then   generates   a   certificate   for   the   user.  revocation.                                                                                                                            ©Vicky  D.   and   keeps  a  copy  of  it  in  certificate  repository     Registration   Registration  Authority  (RA)     -­‐  verification  of  user  info   -­‐  policy  enforcement   -­‐  no  liability   -­‐  only  handles  registration.  etc.eCommerce  and  Security  Issues   Certificate  Authorities  (CAs)   A   small   set   of   trusted   entities   known   as   Certificate   Authorities   (CAs)   are   established   to   sign   certificates   A  Certificate  Authority  is  an  entity  that  exists  only  to  sign  user  certificates   The  CA  signs  it’s  own  certificate  which  is  distributed  in  a  trusted  manner     Retrieving  Public  Keys   Public  keys  stored  in  repositories   Keys  can  be  retrieved  on  demand     Certification  Authorities  (CAs)   Users   send   keys   to   a   Certification   Authority.   -­‐  works  with  CA   Registration  can  be  local.  or  outsourced     Business  Implications  of  Digital  Signature   Commercial  Entities:   B2C   B2B   Non-­‐commercial  Entities:   Government   General  Society     Advantages  of  Digital  Signature   Prevent  fraud   Prevent  unauthorized  access  of  data   Preserve  data  integrity     Applications   Contract  signing   Areas  like:     -­‐Business  transactions  (e-­‐commerce)       -­‐Banking     -­‐Insurance               For  Educational  Purpose  only.  not  re-­‐issuance.

eCommerce  and  Security  Issues   Considerations    Technological   No   common   international   standard.  slow  adoption  of  IT  hinder  Digital  Signature  from  being  widely  used   For  Educational  Purpose  only.   Any   number   of   companies   will   say   their   digital-­‐signature   technology  is  the  safest  and  best    Security   Security  threat  always  exists   Hackers  are  constantly  finding  loopholes  or  cracking  codes    Social   Digital  Divide   Hitting  the  ‘critical  mass’  is  important  in  getting  the  technology  into  use   However.  Shah                                                                                                                        Page  10  of  10     .                                                                                                                            ©Vicky  D.