
UNIT 3 E-Payment and E-Security

CONTENTS

 Security on Internet

 Security Terminologies

 E-Business Risk Management Issues

 Digital Token Based E-Payment System

 Properties of Electronic Cash

 Digital Signature

CMPICA
UNIT 3 E-Payment and E-Security

 Security on Internet
o The internet is a public network consisting of thousands of private computer networks
connected together.
o This means that a private computer network is exposed to potential threats from
anywhere on the public network.
o To provide the required level of protection, an organization needs a security policy to
prevent unauthorized users from accessing resources on the private network, and to
protect data from unauthorized access and viruses.

 Security Terminologies
 Authentication
 Authorization
 Confidentiality
 Integrity
 Non-Repudiation
1. Authentication
o The process by which one entity verifies that another entity is who it claims to be.
o Authentication is the process of verifying who you are. When you log on to a PC with a
user name and password you are authenticating.
o If the credentials are valid, the Authorization process starts. The Authentication process
always comes before the Authorization process.
o Usually, Authentication by a server involves the use of a user name and password.
o Other ways to authenticate can be through cards, retina scans, voice recognition, and
fingerprints.
o Authentication does not determine what tasks the individual can do or what files the
individual can see.
o Authentication merely identifies and verifies who the person or system is.

2. Authorization
o The process that ensures that the person has the right to access certain resources.
o Authorization is the process of verifying that you have access to something.
o Gaining access to a resource (e.g. a directory on a hard disk) because the permissions
configured on it allow you access is authorization.


o Authorization is the process of allowing some authenticated users to access the
resources by checking whether the user has access rights to the resources or the
system. For example, Login.
o Authorization helps you to control access rights by granting or denying specific
permissions to an authenticated user.
o The type of authentication required for authorization may vary; passwords may be
required in some cases but not in others.

The difference between Authentication and Authorization

Authentication:
o Authentication is the process of verifying who you are. When you log on to a PC with
a user name and password you are authenticating.
o Authentication = login + password (who you are)
o The Authentication process always comes before the Authorization process.
o Authentication by a server involves the use of a user name and password. Other ways
to authenticate can be through cards, retina scans, voice recognition, and fingerprints.

Authorization:
o Authorization is the process of verifying that you have access to something.
o Authorization = permissions (what you are allowed to do)
o Authorization is the process of allowing an authenticated user to access the resources
by checking whether the user has access rights to the resources or the system.
o Authorization helps you to control access rights by granting or denying specific
permissions to an authenticated user.
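As an added example (not part of the original notes), the following Python sketch puts the two steps in code: authenticate() checks who the caller is against a salted PBKDF2 hash of the password, and only if that succeeds does authorize() check what that user may do. The user names, passwords and role table are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # PBKDF2 work factor; slows down offline guessing of a stolen hash

# Roles map to permissions: WHAT an authenticated user is allowed to do.
PERMISSIONS = {
    "admin": {"read", "write", "delete"},
    "user": {"read"},
}

def make_record(password: str, role: str, salt: Optional[bytes] = None) -> dict:
    """Store a per-user random salt and a PBKDF2-HMAC-SHA256 hash, never the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "role": role}

# Constructed sample user store (names, passwords and roles are made up).
USERS = {
    "alice": make_record("correct horse battery staple", "admin"),
    "bob": make_record("bob-password-2024", "user"),
}

def authenticate(username: str, password: str) -> bool:
    """Step 1: verify WHO the caller is. Says nothing about what they may do."""
    record = USERS.get(username)
    if record is None:
        # Do the same amount of work for an unknown user name so response time
        # does not reveal which user names exist.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, ITERATIONS)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS)
    # Constant-time comparison of the two hashes.
    return hmac.compare_digest(candidate, record["hash"])

def authorize(username: str, action: str) -> bool:
    """Step 2: given an already authenticated user, check WHAT they may do."""
    role = USERS[username]["role"]
    return action in PERMISSIONS.get(role, set())

def access(username: str, password: str, action: str) -> str:
    """Authentication always comes first; authorization only runs if it succeeds."""
    if not authenticate(username, password):
        return "denied: authentication failed"
    if not authorize(username, action):
        return f"denied: {username} is not authorized to {action}"
    return f"granted: {action}"

if __name__ == "__main__":
    for user, pw, act in [("alice", "correct horse battery staple", "delete"),
                          ("bob", "bob-password-2024", "delete"),
                          ("bob", "wrong password", "read")]:
        print(user, act, "->", access(user, pw, act))
```

Note that bob with a correct password still cannot delete: he is authenticated (the system knows who he is) but not authorized (his role lacks that permission), which is exactly the distinction the table draws.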

3. Confidentiality
o Keeping private or sensitive information from being disclosed to unauthorized
individuals, entities or processes.
o Only authorized entities are allowed to view.
o Any unauthorized access to data is known as a loss of confidentiality.

4. Integrity
o The ability to protect data from being altered or destroyed, whether by unauthorized
access or by accident.


o Ensures the message was not altered by unauthorized individuals.
o If the message is altered while being delivered, then the integrity of the message is lost.

5. Non-Repudiation
o Nonrepudiation is the assurance that someone cannot deny something.
o Typically, nonrepudiation refers to the ability to ensure that a party or a communicator
cannot deny the authenticity of their signature on a document or the sending of a
message that they originated.
o Establishes sender identity so that the entity cannot deny having sent the message.

 List of Security Types


o Encryption
o Decryption
o Cryptography
o Virtual Private Network
o Biometric Systems
o Digital Signature
o Digital Certificate
o Secure Socket Layer

 Factors responsible for security issues on Internet:


1. Vulnerable TCP/IP Services
o Knowledgeable intruders/hackers can access TCP/IP services that have not been
properly secured.
o Services used within a local area network to ease network management are
especially likely to be left open.
o TCP/IP services which are not provided with the required level of security can easily be
accessed in an unauthorized way by intruders.

2. Ease of Spying and Spoofing


o Spying means secretly obtaining information about the user data and system without
his/her knowledge.
o Spoofing refers to tricking or misleading computer systems or other computer users. This
is typically done by hiding one's identity or faking the identity of another user on the
Internet.


o There are many network monitoring applications, such as LogicMonitor, PRTG Network
Monitor, Datadog, LabTech and Ipswitch.

3. Lack of Policy
o Many sites are configured without a deliberate security policy.
o Policies are left undefined.
o Apart from this, they place no restrictions on access to computer systems, which gives
intruders a good chance of accessing them.

4. Complexity of Configuration
o Host security access controls are often complex to configure and monitor.
o At the time of configuration, if the controls are accidentally misconfigured, they may
result in unauthorized access.

5. Weak Authentication
o Static passwords or weak passwords can easily be cracked by the intruders.
o The two most commonly used methods are:
1. By cracking the encrypted form of the password.
2. By monitoring communication channels for password packets.
o The UNIX operating system usually stores an encrypted form of passwords in a file that
can be read by normal users.
o The password file can be easily obtained by simply copying it.
o Once the file is in hand, an intruder can run readily available password cracking tools
(Brutus, Rainbow Crack, John the Ripper, THC Hydra etc.) against the passwords.
o If a password is weak, e.g. shorter than 8 characters, it can be cracked and used to gain
access to the system.

 E – Payment


o E-payment is a subset of an e-commerce transaction that includes electronic payment for
buying and selling goods or services offered through the internet.
o Electronic Payment is a financial exchange that takes place online between buyers and
sellers.
o The content of this exchange is usually some form of digital financial instrument (such
as encrypted credit card numbers, electronic cheques or digital cash) that is backed by a
bank or an intermediary, or by legal tender.
o E-payment systems are widely used in banking, retail, health care, online markets and
government nowadays.

 Categories of E-Tokens
1. Cash or Real Time:
o In this mode of digital tokens, transactions take place via the exchange of electronic
currency (e-cash).
2. Debit or Prepaid:
o In this electronic payment system, prepaid facilities are provided. The user pays in
advance for the transactions.
o When the transaction is done the money is immediately debited from the account used
for payment.
o This technology is widely used in smart card, electronic wallet etc.
3. Credit or Postpaid:
o These types of digital token are based on the identity of the customer to whom a card
is issued, and on their authentication and verification by a third party.
o In this system the server authenticates the customers and then verifies their identity
through the bank.
o After all these processing the transaction takes place.
o In this type of transaction, the amount is debited from the account at the end of billing
cycle.
o Example is Credit Cards.


 Digital Token based E – Payment


o Digital currency can be defined as an Internet-based form of currency or medium of
exchange.
o It is distinct from physical currency (such as banknotes and coins) but exhibits
properties similar to physical currencies.
o It allows quick transactions and borderless transfer of ownership. There is no
geographical boundary for this type of currency.
o The digital token based payment system is a new form of electronic payment system
which is based on “electronic tokens” rather than e-Cheques or e-cash.
o The electronic tokens are generated by the bank or some financial institutions.
o Hence we can say that the electronic tokens are equivalent to cash issued by the bank.

 E-Business Risk Management Issues


o An E-Business is conducted electronically, so there are various direct and indirect issues
that affect the business in various ways.
o All those issues should be handled very carefully.
o Risk management programs are responsible for resolving them.
o E-risk Insurance is one such risk management program; it handles a variety of risks
like computer virus transmission, unauthorized access, network security, computer
server errors and so on.
1. Firewall
o An internet firewall is a system or group of systems that enforces a security policy
between an organization’s network and the Internet.


o The Firewall determines three things:
 Which inside services may be accessed from the outside.
 Which outsiders are permitted to access the permitted inside services.
 Which outside services may be accessed by insiders.
o The firewall must permit only authorized traffic to pass and block unwanted
requests from outside the network.
o Unfortunately, a Firewall system cannot offer any protection once an attacker has got
through or around the Firewall.
o A firewall should have the following significant features or attributes:
o Be able to support a “deny all services except those specifically permitted” design
policy.
o Support your security policy.
o Be flexible and able to accommodate new services and needs if the security policy of
organization changes.
o Contain advanced authentication measures.
o Employ filtering techniques to permit or deny services to specified host systems, as
needed.
o Contain mechanisms for logging traffic and suspicious activity.
o Be updated with patches and other bug fixes, at regular intervals.
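An added illustration, not from the original notes, of a firewall that follows the “deny all services except those specifically permitted” design policy: a small packet filter in Python whose rule list encodes the three decisions listed above, whose default action when no rule matches is deny, and which logs every denied packet. The addresses (10.0.0.0/8 as the inside network, 203.0.113.0/24 and 198.51.100.0/24 as outside networks) and the services are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str           # source IP address
    dst: str           # destination IP address
    dport: int         # destination port, i.e. the service being requested
    proto: str = "tcp"

@dataclass(frozen=True)
class Rule:
    src: str           # source network in CIDR notation
    dst: str           # destination network in CIDR notation
    dport: int         # 0 means any port
    proto: str
    action: str        # "permit" or "deny"
    comment: str

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.dport in (0, p.dport)
                and self.proto == p.proto)

# Constructed sample topology: 10.0.0.0/8 is the organization's network; the other
# addresses are documentation ranges standing in for the Internet.
INSIDE = "10.0.0.0/8"
ANY = "0.0.0.0/0"

RULES: List[Rule] = [
    # 1. Which inside services may be accessed from the outside: only HTTPS on the web server.
    Rule(ANY, "10.0.1.10/32", 443, "tcp", "permit", "public web server"),
    # 2. Which outsiders may access a permitted inside service: only the partner network, to SSH on the jump host.
    Rule("203.0.113.0/24", "10.0.1.20/32", 22, "tcp", "permit", "partner SSH to jump host"),
    # 3. Which outside services insiders may use: web browsing only.
    Rule(INSIDE, ANY, 443, "tcp", "permit", "outbound HTTPS"),
    Rule(INSIDE, ANY, 80, "tcp", "permit", "outbound HTTP"),
    # Anything not listed here is denied by evaluate()'s default action.
]

DENIED_LOG: List[str] = []   # logging rejected traffic is itself one of the required features

def evaluate(p: Packet, rules: List[Rule] = RULES) -> Tuple[str, Optional[Rule]]:
    """First matching rule wins; if no rule matches, the default action is deny."""
    for rule in rules:
        if rule.matches(p):
            return rule.action, rule
    return "deny", None

def filter_packet(p: Packet) -> str:
    action, rule = evaluate(p)
    if action == "deny":
        why = rule.comment if rule else "no matching rule (default deny)"
        DENIED_LOG.append(f"DENY {p.proto} {p.src} -> {p.dst}:{p.dport} ({why})")
    return action

if __name__ == "__main__":
    samples = [Packet("198.51.100.1", "10.0.1.10", 443),   # outsider to the public web server
               Packet("198.51.100.1", "10.0.1.10", 22),    # outsider trying SSH on the web server
               Packet("203.0.113.9", "10.0.1.20", 22),     # partner network to the jump host
               Packet("198.51.100.1", "10.0.1.20", 22),    # non-partner to the jump host
               Packet("10.0.5.5", "198.51.100.7", 25)]     # insider sending SMTP outwards
    for s in samples:
        print(filter_packet(s), s)
    print(*DENIED_LOG, sep="\n")
```

Because the rule list only ever says “permit”, every service, host or protocol that was not explicitly thought about (SSH on the web server, outbound SMTP, UDP to port 443) falls through to the default deny, and the log entry records why.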

2. Define Enterprise wide Security Framework


o A security policy should include People, Process and Technology.
o The security process is a mixture of these three elements.
o Each element is dependent on the other elements.
o If any one of the elements below is missing, the framework is of no use.


People:
o This core element is most important. The People element comprises the people and
their various roles and responsibilities within the organization.
o These are the people who execute and support the process.
o The authorization of people is maintained (who has access to what).
o The key roles here include senior management, security administrators, system and IT
administrators, end users and auditors.
o E.g. Trained Firewall Administrator

Process (Policy):
o This element comprises the security vision statement, the security policy and standards,
and the control documentation.
o It is the written security environment in which security process direction and guidance
are set out.
o All the rules an organization maintains and uniformly follows are generally written
down in document form.
o E.g. Write Firewall Standards.

Technology:
o This element includes tools, methods and mechanisms in place to support the process.
o These are core technologies like the operating systems, the databases, the applications,
the security tools related to the organization.
o The technology is the application, monitoring, and operational tools that will facilitate
the process.
o E.g. Install Firewall.

 E-Cash
o For accessing services online, e-cash is a prime method for secure online payments.
The following model shows how the e-cash payment system works:


o This is a simple model of the E-cash payment system. It gives an idea of how the e-cash
payment system works. The model is explained in the points below.

1. Transaction between Customer and Issuer
o The customer approaches the issuer's (bank's) site to access their own account and make a
transaction.
o The issuer in return issues the money in the form of tokens, generally in denominations
of tens and hundreds or as specified by the customer.

2. Transaction between Customer and Trader
o In the second phase the customer endorses/transfers those tokens to the merchant to
acquire services, and authenticates the payment to the trader.

3. Transaction between Trader and Issuer
o In the third phase the trader approaches the token issuer (the customer's bank); after
authenticating the tokens, the issuing bank converts them into electronic funds, which
are transferred into the trader's account.


4. Transaction between Trader and Customer
o Finally, after receiving payment for the respective services, the trader provides the
requested service or product and notifies the customer that the payment has been
approved into the trader's account.
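The four phases above as an added worked example (not part of the original notes): a toy Issuer class issues tokens to the customer, the customer hands tokens to the trader, and the trader redeems them with the issuer, which checks each token's authenticity and rejects double-spending before crediting the trader's account. The token authenticator is an HMAC under a bank-private key, an assumption of this sketch standing in for the issuer's digital signature; the account names and amounts are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Token:
    serial: str   # unique serial number, so each token can be spent only once
    value: int    # denomination
    tag: str      # issuer's authenticator over (serial, value)

class Issuer:
    """The customer's bank: issues tokens and later redeems them for the trader."""

    def __init__(self) -> None:
        # Assumption of this sketch: an HMAC key plays the role of the bank's signing key.
        self._key = secrets.token_bytes(32)
        self.accounts: Dict[str, int] = {}   # account name -> balance
        self._spent = set()                  # serials already redeemed

    def _tag(self, serial: str, value: int) -> str:
        return hmac.new(self._key, f"{serial}:{value}".encode(), hashlib.sha256).hexdigest()

    # Phase 1: the customer withdraws value from their own account as tokens.
    def issue(self, account: str, value: int, denomination: int = 10) -> List[Token]:
        if value % denomination or self.accounts.get(account, 0) < value:
            raise ValueError("bad amount or insufficient funds")
        self.accounts[account] -= value
        tokens = []
        for _ in range(value // denomination):
            serial = secrets.token_hex(8)
            tokens.append(Token(serial, denomination, self._tag(serial, denomination)))
        return tokens

    # Phase 3: the trader presents tokens; the bank checks authenticity, then double-spending.
    def redeem(self, trader: str, tokens: List[Token]) -> Tuple[int, List[Tuple[str, str]]]:
        credited, rejected = 0, []
        for t in tokens:
            if not hmac.compare_digest(t.tag, self._tag(t.serial, t.value)):
                rejected.append((t.serial, "forged or altered"))
            elif t.serial in self._spent:
                rejected.append((t.serial, "already spent"))
            else:
                self._spent.add(t.serial)
                credited += t.value
        self.accounts[trader] = self.accounts.get(trader, 0) + credited
        return credited, rejected

def run_purchase() -> dict:
    """Walk the four phases with constructed accounts, then try two misuses."""
    bank = Issuer()
    bank.accounts["customer"] = 100
    tokens = bank.issue("customer", 30)                  # phase 1: three tokens of 10
    payment = tokens[:2]                                 # phase 2: customer pays 20 to the trader
    credited, rejected = bank.redeem("trader", payment)  # phase 3: trader redeems with the issuer
    delivered = credited == 20                           # phase 4: trader delivers once paid
    # Misuse 1: the same two tokens are presented a second time (double-spending).
    replay_credited, replay_rejected = bank.redeem("trader", payment)
    # Misuse 2: an unspent token has its value edited; the tag no longer matches.
    altered = replace(tokens[2], value=1000)
    forged_credited, forged_rejected = bank.redeem("trader", [altered])
    return {"credited": credited, "rejected": rejected, "delivered": delivered,
            "replay_credited": replay_credited,
            "replay_reasons": [why for _, why in replay_rejected],
            "forged_credited": forged_credited,
            "forged_reasons": [why for _, why in forged_rejected],
            "balances": dict(bank.accounts)}

if __name__ == "__main__":
    for key, val in run_purchase().items():
        print(key, "=", val)
```

The serial-number set is what stops the same token being redeemed twice; the authenticator is what stops a token being invented or its value changed. Both checks are the issuer's, which is why the trader must go back to the bank in phase 3 rather than trusting the tokens on their own.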

 Properties of Electronic Cash:


1. Security
o For any E-cash system to be accepted, security is one of the prime concerns that needs to
be considered.
o The originality of the messages transferred among consumers, merchants and banks
needs to be secured, so that no unauthorized individual can intercept or change their
content.
o To protect E-cash from such illegal activity, an E-cash system must possess qualities
such as integrity, non-repudiation and authentication.
o All parties must know whom they are dealing with before engaging in or committing to
any transaction.
o Integrity comes into play where the message sent by consumers, merchants and banks
must be exactly the same when it reaches the respective recipients.
o Once integrity and authentication are achieved, consumers, merchants or banks can
no longer deny the transaction.

2. Privacy
o Privacy in E-cash means that the consumer who made the payment remains invisible.


o As with coins and paper notes, there should not be any link or trace to the individual who
uses the E-cash for a transaction.
o This feature is needed in order to protect consumers' privacy from being monitored for
the purpose of financial surveillance.
o However, invisibility brings certain dangers, such as fraud and blackmailing.
o Consumers should be aware that the more invisibility offered, the less security achieved
by the E-cash.

3. Transferability
o Transferability allows consumers to transfer E-cash from one person to another
without needing to refer to the bank.
o Similar to conventional cash where coins or paper notes can be transferred easily, E-
cash should be able to do the same.

4. Divisibility
o By divisible, it is meant that E-cash should be able to make change: it can be divided
into small quantities so that small-value transactions are possible (this is known as
micropayment).
o The challenge for a divisible system is to divide the E-cash value into small values whose
total equals the original value.

5. Monetary Value
o Electronic cash must have monetary value; it must be backed by cash (currency).
o E-cash created by one bank must be accepted by other banks also.

6. Interoperable
o E-cash must be interoperable, that is, exchangeable as payment for other:
 E-cash,
 paper cash,
 goods or services,
 lines of credits,
 deposits in bank accounts,
 bank notes and electronic transfer.
o E-cash will be widely used only if it is exchangeable.


 Digital Signature

o Generally, the authentication of any document in an organization is done by a
physical/handwritten signature.
o In electronic medium the digital signature is used for proving the identity of a person.
o It is required for using Internet as a secure medium for e-Commerce.
o The digital signature is used to provide authenticity, integrity and non-repudiation to
the electronic documents.
o Informally, a digital signature is a technique for establishing the origin of a particular
message in order to settle later disputes about what message (if any) was sent.
o The purpose of a digital signature is thus for an entity to bind its identity to a message.
o We use the term signer for an entity who creates a digital signature, and the term
verifier for an entity who receives a signed message and attempts to check whether the
digital signature is “correct” or not.
o The European Community Directive on electronic signatures refers to the concept of an
electronic signature as:
“Data in electronic form attached to, or logically connected with, other electronic
data and which serves as a method of authentication.”
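Added example (not from the original notes) covering both the Integrity and Non-Repudiation terms defined earlier and the signer/verifier roles described here: a SHA-256 digest of the message gives the integrity check, and an RSA signature over that digest lets a verifier holding only the public key confirm the message's origin, which the signer cannot later deny because only the private key produces a valid signature. The key is built from two Mersenne primes (2^61-1 and 2^89-1), chosen so the block runs with the standard library alone; it is far smaller than the keys real systems use, and the payment message is constructed.

```python
import hashlib

# Constructed RSA key pair from two Mersenne primes: no key generation or
# library needed. Far smaller than real keys (2048 bits and up), for illustration only.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q                              # public modulus, about 150 bits
E = 65537                              # public exponent: the verifier's key is (E, N)
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent: the signer's key is (D, N)

def digest(message: bytes) -> int:
    """Integrity check value: SHA-256 of the message, reduced to fit the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def sign(message: bytes, private_exp: int = D) -> int:
    """Signer: binds its identity to the message; only the holder of D can produce this."""
    return pow(digest(message), private_exp, N)

def verify(message: bytes, signature: int, public_exp: int = E) -> bool:
    """Verifier: recompute the digest and check it against the signature using the public key.
    Any change to the message or the signature makes this False."""
    return pow(signature, public_exp, N) == digest(message)

def check_scenarios() -> dict:
    """A constructed e-payment message, then the three cases a verifier can meet."""
    order = b"Customer 1234 pays 100 units to trader 42 for order 7"
    sig = sign(order)
    altered_order = order.replace(b"100", b"1000")   # content changed in transit: integrity lost
    altered_sig = (sig + 1) % N                      # signature corrupted or made up
    return {
        "genuine": verify(order, sig),                    # True: origin and content confirmed
        "altered_message": verify(altered_order, sig),    # False
        "altered_signature": verify(order, altered_sig),  # False
    }

if __name__ == "__main__":
    for name, result in check_scenarios().items():
        print(name, "->", result)
```

Non-repudiation follows from the key split: the verifier only ever needs (E, N), so a signature that verifies could only have come from whoever holds D, and the signer cannot later claim the message was sent by someone else.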

