Unit3 E-Payment With E-Security
CONTENTS
Security on Internet
Security Terminologies
Digital Signature
CMPICA
UNIT 3 E-Payment and E-Security
Security on Internet
o The internet is a public network consisting of thousands of private computer networks
connected together.
o This means that a private computer network is exposed to potential threats from
anywhere on the public network.
o To provide the required level of protection, an organization needs a security policy that
prevents unauthorized users from accessing resources on the private network and protects
data from unauthorized access and from malicious software such as viruses.
Security Terminologies
Authentication
Authorization
Confidentiality
Integrity
Non-Repudiation
1. Authentication
o The process by which one entity verifies that another entity is who it claims to be.
o Authentication is the process of verifying who you are. When you log on to a PC with a
user name and password you are authenticating.
o If the credentials are valid, the authorization process starts. Authentication always
precedes authorization.
o Usually, Authentication by a server involves the use of a user name and password.
o Other ways to authenticate can be through cards, retina scans, voice recognition, and
fingerprints.
o Authentication does not determine what tasks the individual can do or what files the
individual can see.
o Authentication merely identifies and verifies who the person or system is.
2. Authorization
o The process that ensures that the person has the right to access certain resources.
o Authorization is the process of verifying that you have access to something.
o Gaining access to a resource (e.g. a directory on a hard disk) because the permissions
configured on it allow you access is authorization.
CMPICA PAGE 1
Authentication vs. Authorization
o Authentication is the process of verifying who you are; when you log on to a PC with a
user name and password you are authenticating. Authorization is the process of verifying
that you have access to something.
o Authentication = login + password (who you are). Authorization = permissions (what you are
allowed to do).
o Authentication always precedes authorization. Authorization allows an authenticated user
to access resources by checking whether the user has access rights to the resource or the
system.
o Authentication by a server usually involves a user name and password; other ways to
authenticate are cards, retina scans, voice recognition and fingerprints. Authorization
controls access rights by granting or denying specific permissions to an authenticated
user.
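The two steps above in working code, as an added example that is not part of the original notes. The user store, the access-control list, the account names and the PBKDF2 parameters are all constructed for this illustration. The point it makes concrete is the last row of the comparison: a correct user name and password establishes who the caller is, but every request is still checked against the permissions, and a valid login with no matching permission is refused.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Hypothetical user store for this example: name -> (salt, PBKDF2-HMAC-SHA256 of the password).
# Passwords are never stored; only salted, iterated hashes are.
ITERATIONS = 100_000


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(password: str) -> tuple:
    salt = os.urandom(16)
    return salt, _derive(password, salt)


# Constructed accounts (not real credentials).
USERS = {
    "alice": make_user("correct horse battery staple"),
    "bob": make_user("hunter2"),
}

# Hypothetical access-control list: resource -> action -> set of user names allowed.
ACL = {
    "/reports/q3.pdf": {"read": {"alice", "bob"}, "write": {"alice"}},
    "/payroll.db": {"read": {"alice"}, "write": set()},
}


@dataclass(frozen=True)
class Principal:
    """The identity established by authentication. Carries no permissions by itself."""
    name: str


def authenticate(username: str, password: str) -> Optional[Principal]:
    """Step 1: verify WHO the caller is. Returns a Principal on success, None otherwise."""
    record = USERS.get(username)
    if record is None:
        # Do the same amount of work for unknown users so timing does not reveal valid names.
        _derive(password, b"\x00" * 16)
        return None
    salt, expected = record
    if hmac.compare_digest(_derive(password, salt), expected):
        return Principal(username)
    return None


def authorize(principal: Optional[Principal], resource: str, action: str) -> bool:
    """Step 2: verify WHAT an authenticated principal may do. Unknown resource/action: deny."""
    if principal is None:
        return False
    return principal.name in ACL.get(resource, {}).get(action, set())


def access(username: str, password: str, resource: str, action: str) -> str:
    """Authentication always runs first; a valid login still does not imply permission."""
    who = authenticate(username, password)
    if who is None:
        return "401 authentication failed"
    if not authorize(who, resource, action):
        return "403 authenticated but not authorized"
    return "200 ok"


if __name__ == "__main__":
    print(access("bob", "hunter2", "/reports/q3.pdf", "read"))   # 200 ok
    print(access("bob", "hunter2", "/reports/q3.pdf", "write"))  # 403 authenticated but not authorized
    print(access("bob", "wrong", "/reports/q3.pdf", "read"))     # 401 authentication failed
```

Two design choices worth noting: the ACL defaults to deny for any resource or action it does not list, and the password comparison uses a constant-time compare so a wrong password is not distinguishable from a right one by how long the check takes.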
3. Confidentiality
o Keeping private or sensitive information from being disclosed to unauthorized
individuals, entities or processes.
o Only authorized entities are allowed to view the information.
o Any unauthorized access to data is known as a loss of confidentiality.
4. Integrity
o The ability to protect data from being altered or destroyed, whether through unauthorized
access or by accident.
5. Non-Repudiation
o Nonrepudiation is the assurance that someone cannot deny something.
o Typically, nonrepudiation refers to the ability to ensure that a party or a communicator
cannot deny the authenticity of their signature on a document or the sending of a
message that they originated.
o Establishes sender identity so that the entity cannot deny having sent the message.
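How a digital signature supplies the non-repudiation described above, as an added example that is not part of the original notes (it also illustrates the Digital Signature topic listed in the contents, whose text does not appear on this page). It is textbook RSA with hashlib: the message is hashed with SHA-256, the hash is signed with the private exponent, and anyone holding the public key can verify it. Because only the signer holds the private key, a valid signature is evidence the signer cannot plausibly deny. The primes are deliberately tiny (32-bit) and chosen deterministically so the run is reproducible; real keys use random primes of 1024 bits or more, and real schemes pad the hash (PKCS#1 v1.5 or PSS) rather than reducing it modulo n as this toy does.

```python
import hashlib
from math import gcd, isqrt


def next_prime(n: int) -> int:
    """Smallest prime >= n, found by trial division (adequate for the textbook sizes used here)."""
    def is_prime(k: int) -> bool:
        if k < 2:
            return False
        if k % 2 == 0:
            return k == 2
        for d in range(3, isqrt(k) + 1, 2):
            if k % d == 0:
                return False
        return True

    while not is_prime(n):
        n += 1
    return n


def keygen():
    """Textbook RSA key pair. Educational only: 32-bit primes, fixed for reproducibility."""
    p = next_prime(2 ** 31)
    q = next_prime(2 ** 32)
    n = p * q
    phi = (p - 1) * (q - 1)
    e = 65537
    while gcd(e, phi) != 1:
        e += 2
    d = pow(e, -1, phi)          # private exponent: e * d = 1 (mod phi)
    return (n, e), (n, d)        # (public key, private key)


def _digest(message: bytes, n: int) -> int:
    """Hash the message, then reduce into the modulus range (toy stand-in for proper padding)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message: bytes) -> int:
    """Only the holder of d can produce this value; that is what supports non-repudiation."""
    n, d = private_key
    return pow(_digest(message, n), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Anyone with the public key can check the signature but cannot forge one."""
    n, e = public_key
    return pow(signature, e, n) == _digest(message, n)


if __name__ == "__main__":
    public, private = keygen()
    order = b"Transfer 100.00 from acct 1234 to acct 5678"   # constructed sample message
    sig = sign(private, order)
    print(verify(public, order, sig))                                  # True
    print(verify(public, order.replace(b"100.00", b"900.00"), sig))    # False: message altered
    print(verify(public, order, sig ^ 1))                              # False: signature altered
```

The failing checks are the integrity half of the story: changing one byte of the order, or one bit of the signature, makes verification fail, so the recipient can prove both that the sender signed and exactly what was signed.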
o There are many monitoring applications, such as LogicMonitor, PRTG Network Monitor,
Datadog, LabTech and Ipswitch.
3. Lack of Policy
o Many sites are configured without any deliberate security planning.
o Policies are undefined.
o Apart from this, they place no restrictions on access to computer systems, which gives
intruders a good chance of getting in.
4. Complexity of Configuration
o Host security access controls are often complex to configure and monitor.
o At the time of configuration, if the controls are accidentally misconfigured, they may
result in unauthorized access.
5. Weak Authentication
o Static or weak passwords can easily be cracked by intruders.
o The two most commonly used methods are:
1. Cracking the stored (hashed) form of the password offline.
2. Monitoring communication channels for packets that carry passwords.
o Older UNIX systems stored the hashed passwords in /etc/passwd, a file readable by every
normal user; modern systems keep them in /etc/shadow, readable only by root, but the file
still leaks through misconfiguration, backups or a compromised privileged account.
o Once the password file is in hand (a simple copy is enough), the intruder can run readily
available cracking tools against the hashes: John the Ripper and RainbowCrack work offline
on a hash file, while THC Hydra and Brutus instead guess passwords online against a network
login service.
o If a password is weak, e.g. fewer than 8 characters or a dictionary word, it can be cracked
and used to gain access to the system.
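Method 1 carried through in code, as an added example that is not part of the original notes. The password file, its `user:salt:hash` format, the account names and the wordlist are all constructed for this illustration; the hash scheme (one unsalted-iteration SHA-256 over salt plus password) is chosen to be weak so that each guess costs the attacker a single cheap hash, which is exactly what makes the last bullet above true. It runs a dictionary attack, then an exhaustive search of short lowercase passwords, and finishes with the strength check that would have rejected the two accounts that fall.

```python
import hashlib
import itertools
import string

# Hypothetical password-file format used only in this example: "user:salt:hexdigest", where
# hexdigest = SHA-256(salt + password) with a single iteration. This is a weak scheme on
# purpose: every guess costs the attacker one cheap hash.


def weak_hash(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()


def make_entry(user: str, salt: str, password: str) -> str:
    return f"{user}:{salt}:{weak_hash(salt, password)}"


# Constructed sample file (not real accounts). "carol" has a long random password that the
# attacks below should not recover.
SAMPLE_PASSWORD_FILE = [
    make_entry("alice", "k3", "password"),
    make_entry("bob", "9q", "abc"),
    make_entry("carol", "zz", "Vq7!rL#2pXw0tE9m"),
]

# Constructed tiny wordlist; real ones hold millions of entries.
WORDLIST = ["123456", "password", "letmein", "qwerty", "admin"]


def parse_password_file(lines):
    entries = {}
    for line in lines:
        user, salt, digest = line.strip().split(":")
        entries[user] = (salt, digest)
    return entries


def dictionary_attack(entries, wordlist):
    """Hash each candidate word with the user's own salt and compare with the stored digest."""
    cracked = {}
    for user, (salt, digest) in entries.items():
        for word in wordlist:
            if weak_hash(salt, word) == digest:
                cracked[user] = word
                break
    return cracked


def brute_force_attack(entries, max_len=3, alphabet=string.ascii_lowercase):
    """Exhaustive search over short passwords. Returns (cracked, guesses_tried); the guess
    count grows as len(alphabet)**length, which is why short passwords fall quickly."""
    cracked, tried = {}, 0
    remaining = dict(entries)
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            guess = "".join(chars)
            tried += 1
            for user in list(remaining):
                salt, digest = remaining[user]
                if weak_hash(salt, guess) == digest:
                    cracked[user] = guess
                    del remaining[user]
            if not remaining:
                return cracked, tried
    return cracked, tried


def is_weak_password(password: str, wordlist=WORDLIST) -> bool:
    """Policy check implied by the notes: reject short, dictionary or single-class passwords."""
    classes = sum(any(c in cls for c in password)
                  for cls in (string.ascii_lowercase, string.ascii_uppercase,
                              string.digits, string.punctuation))
    return len(password) < 8 or password.lower() in wordlist or classes < 3


if __name__ == "__main__":
    entries = parse_password_file(SAMPLE_PASSWORD_FILE)
    found = dictionary_attack(entries, WORDLIST)
    print("dictionary:", found)                                # {'alice': 'password'}
    rest = {u: v for u, v in entries.items() if u not in found}
    found2, tried = brute_force_attack(rest)
    print("brute force:", found2, "after", tried, "guesses")   # {'bob': 'abc'} after 18278 guesses
    for user, pw in [("alice", "password"), ("bob", "abc"), ("carol", "Vq7!rL#2pXw0tE9m")]:
        print(user, "weak" if is_weak_password(pw) else "ok")
```

The defender's side of this is the hash scheme itself: a per-user salt (already present here) stops one guess from being checked against every account at once, and a slow, iterated function such as PBKDF2, bcrypt or scrypt makes each guess cost thousands of hashes instead of one, so the same wordlist and brute-force loops take thousands of times longer.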
E – Payment
Categories of E-Tokens
1. Cash or Real Time:
o In this mode of digital tokens, transactions take place via the exchange of electronic
currency (e-cash).
2. Debit or Prepaid:
o In this electronic payment system prepaid facilities are provided, i.e. the user pays in
advance for the transactions.
o When the transaction is done the money is immediately debited from the account used
for payment.
o This technology is widely used in smart card, electronic wallet etc.
3. Credit or Postpaid:
o These types of digital token are based on the identity of the customer to whom a card is
issued, and on that customer's authentication and verification by a third party.
o In this system the server authenticates the customer and then verifies their identity
through the bank.
o After all these processing the transaction takes place.
o In this type of transaction, the amount is debited from the account at the end of billing
cycle.
o Example is Credit Cards.
People:
o This core element is most important. The People element comprises the people and
their various roles and responsibilities within the organization.
o These are the people who execute and support the process.
o The authorization of people is maintained here (who has access to what).
o The key roles here include senior management, security administrators, system and IT
administrators, end users and auditors.
o E.g. Trained Firewall Administrator
Process(Policy):
o This element comprises the security vision statement, security policy and standards and
the control documentation.
o It is a written security environment in which security process direction and guidance
are mentioned.
o All the rules that an organization maintains and uniformly follows are generally written
down in document form.
o E.g. Write Firewall Standards.
Technology:
o This element includes tools, methods and mechanisms in place to support the process.
o These are core technologies like the operating systems, the databases, the applications,
the security tools related to the organization.
o The technology is the application, monitoring, and operational tools that will facilitate
the process.
o E.g. Install Firewall.
E-Cash
o For accessing the services online, e-cash is a prime method for secure online payments.
The following model shows how e cash payment system works:
o This is a simple model of the E-cash payment system; it gives an idea of how the E-cash
payment system works. The model is explained in the following points.
2. Privacy
o Privacy in E-cash means anonymity for the consumer who made the payment.
o Similar to coins and paper notes, there should be no link or trace back to the individual
who uses the E-cash for a transaction.
o This feature is needed to protect consumers' privacy from being monitored for the purpose
of financial surveillance.
o However, anonymity brings certain dangers, such as fraud and blackmail.
o Consumers should be aware that the more anonymity an E-cash scheme offers, the less
security it achieves.
3. Transferability
o The transferability feature allows consumers to transfer E-cash from one person to another
without needing to refer to the bank.
o Similar to conventional cash, where coins or paper notes can be handed over easily, E-cash
should be able to do the same.
4. Divisibility
o By divisible, it means E-cash should possess the ability to make change where E-cash
can be divided into small quantities to allow small value transaction possible (this is
known as micropayment).
o The challenge for divisible system is to be able to divide the E-cash value to small values
where the total of the small E-cash value is equal to the original value.
5. Monetary Value
o Electronic cash must have monetary value; it must be backed by cash (currency).
o E-cash created by one bank must be accepted by other banks as well.
6. Interoperable
o E-cash must be interoperable, that is, exchangeable as payment for other
E-cash,
paper cash,
goods or services,
lines of credit,
deposits in bank accounts,
bank notes and electronic transfers.
o E-cash will be widely used only if it is exchangeable in this way.
Digital Signature