
Business Systems ii

E-Commerce - Security

Resource Person

Amila N. Jayarathna
MSc in IT (UoM), BSc.Business IT.Sp (RUSL)

P.Dip.Software Engineering (PCJT), MAAT


Essential requirements for safe e-payments/transaction
Confidentiality − Information should not be accessible to an unauthorized person. It should not be intercepted during the transmission.

Integrity − Information should not be altered during its transmission over the network.

Availability − Information should be available wherever and whenever required within a time limit specified.

Authenticity − There should be a mechanism to authenticate a user before giving him/her an access to the required information.

Non-Repudiability − It is the protection against the denial of order or denial of payment. Once a sender sends a message, the sender should not be able to deny sending the message. Similarly, the recipient of the message should not be able to deny the receipt.

Encryption − Information should be encrypted and decrypted only by an authorized user.

Auditability − Data should be recorded in such a way that it can be audited for integrity requirements.
Measures to ensure Security (the major security measures are as follows)

Encryption − It is a very effective and practical way to safeguard the data being transmitted
over the network. Sender of the information encrypts the data using a secret code and only
the specified receiver can decrypt the data using the same or a different secret code.

Digital Signature − Digital signature ensures the authenticity of the information. A digital
signature is an e-signature authenticated through encryption and password.

Security Certificates − Security certificate is a unique digital id used to verify the identity of
an individual website or user.
Security Protocols in Internet
We will discuss here some of the popular protocols used over the internet
to ensure secured online transactions.

• Secure Socket Layer (SSL): It is the most commonly used protocol and is widely used across the industry.
• Secure Hypertext Transfer Protocol (SHTTP)
• Secure Electronic Transaction


Secure Socket Layer (SSL)
It is the most commonly used protocol and is widely used across the
industry. It meets following security requirements.

• Authentication
• Encryption
• Integrity
• Non-repudiation

"https://" is to be used for HTTP URLs with SSL, whereas "http://" is to be used for HTTP URLs without SSL.
Secure Hypertext Transfer Protocol (SHTTP)
SHTTP extends the HTTP internet protocol with public key encryption,
authentication, and digital signature over the internet. Secure HTTP
supports multiple security mechanisms, providing security to the end-users.
SHTTP works by negotiating encryption scheme types used
between the client and the server.
Secure Electronic Transaction
It is a secure protocol developed by MasterCard and Visa in collaboration.
Theoretically, it is the best security protocol. It has the following components.
• Card Holder's Digital Wallet Software − Digital Wallet allows the card holder to
make secure purchases online via point and click interface.
• Merchant Software − This software helps merchants to communicate with
potential customers and financial institutions in a secure manner.
• Payment Gateway Server Software − Payment gateway provides automatic and
standard payment process. It supports the process for merchant's certificate
request.
• Certificate Authority Software − This software is used by financial institutions to
issue digital certificates to card holders and merchants, and to enable them to
register their account agreements for secure electronic commerce.
Cryptography

Cryptography is the technique of securing information and
communications through the use of codes so that only those
persons for whom the information is intended can understand
and process it, thus preventing unauthorized access to
information. The prefix “crypt” means “hidden” and the suffix
“graphy” means “writing”.
In cryptography, the techniques used to protect
information are obtained from mathematical concepts and a
set of rule-based calculations known as algorithms, which convert
messages in ways that make them hard to decode.
Features Of Cryptography

• Confidentiality: Information can only be accessed by the person for whom it
is intended; no other person can access it.
• Integrity: Information cannot be modified in storage or in transit between
the sender and the intended receiver without the modification being
detected.
• Non-repudiation: The creator/sender of information cannot later deny his
intention to send the information.
• Authentication: The identities of the sender and receiver are confirmed, as
is the destination/origin of the information.
Applications of Cryptography
• End-to-End Encryption
• Computer passwords
• Cryptocurrencies
• Digital Currencies
• Secure web browsing
• Authentication
• Electronic signatures
Advantages
• Access control
• Secure communication
• Protection against attacks
• Compliance with legal requirements
Cryptography
Digital signatures
Encryption – Process of converting electronic data into another form, called
ciphertext, which cannot be easily understood by anyone except the
authorized parties. This assures data security.
Decryption – Process of translating the code (ciphertext) back to data.
Cryptography Digital signatures cont.
A key in cryptography is a piece of information, usually a string of
numbers or letters stored in a file, which, when processed
through a cryptographic algorithm, can encode or decode
cryptographic data.

Public key – Key which is known to everyone. Ex: the public key of A is 7;
this information is known to everyone.
Private key – Key which is known only to the person whose private key it
is.
Digital Signature

A digital signature is a mathematical technique used to validate the
authenticity and integrity of a message, software, or digital document.
Benefits of Digital Signatures
• Legal documents and contracts: Digital signatures are legally binding. This makes them ideal for any legal document that requires a
signature authenticated by one or more parties and guarantees that the record has not been altered.

• Sales contracts: Digital signing of contracts and sales contracts authenticates the identity of the seller and the buyer, and both parties
can be sure that the signatures are legally binding and that the terms of the agreement have not been changed.

• Financial Documents: Finance departments digitally sign invoices so customers can trust that the payment request is from the right
seller, not from a bad actor trying to trick the buyer into sending payments to a fraudulent account.

• Health Data: In the healthcare industry, privacy is paramount for both patient records and research data. Digital signatures ensure that
this confidential information was not modified when it was transmitted between the consenting parties.

• Federal, state, and local government agencies have stricter policies and regulations than many private sector companies. From
approving permits to stamping them on a timesheet, digital signatures can optimize productivity by ensuring the right person is
involved with the proper approvals.

• Shipping Documents: Helps manufacturers avoid costly shipping errors by ensuring cargo manifests or bills of lading are always correct.
However, physical papers are cumbersome, not always easily accessible during transport, and can be lost. By digitally signing shipping
documents, the sender and recipient can quickly access a file, check that the signature is up to date, and ensure that no tampering has
occurred.
Drawbacks of Digital Signatures
• Dependence on Key Management: Digital signatures rely on the secure management of cryptographic keys. This
means that the sender must keep their private key safe and secure from unauthorized access, while the recipient
must verify the sender’s public key to ensure its authenticity. Any failure in key management can compromise
the security of the digital signature.
• Complexity: Digital signatures require a complex process of key generation, signing, and verification. This can
make them difficult to implement and use for non-technical users.
• Compatibility: Different digital signature algorithms and formats may not be compatible with each other, making
it difficult to exchange signed messages across different systems and applications.
• Legal Recognition: Although digital signatures have legal recognition in many countries, their legal status may
not be clear in all jurisdictions. This can limit their usefulness in legal or regulatory contexts.
• Revocation: In case of key compromise or other security issues, digital signatures must be revoked to prevent
their misuse. However, the revocation process can be complex and may not be effective in all cases.
• Cost: Digital signatures may involve additional costs for key management, certificate issuance, and other related
services, which can make them expensive for some users or organizations.
• Limited Scope: Digital signatures provide authentication and integrity protection for a message, but they do not
provide confidentiality or protection against other types of attacks, such as denial-of-service attacks or malware.
Digital Certificate
A digital certificate is issued by a trusted third party and proves the
sender’s identity to the receiver and the receiver’s identity to the sender.
A digital certificate is a certificate issued by a Certificate Authority (CA)
to verify the identity of the certificate holder. The CA issues an encrypted
digital certificate containing the applicant’s public key and a variety of
other identification information. A digital certificate is used to attach a
public key to a particular individual or entity.
The digital certificate is also sent with the digital signature and the message.
Digital certificate vs digital signature:
A digital signature is used to verify authenticity, integrity and
non-repudiation, i.e. it assures that the message was sent by the known user
and was not modified, while a digital certificate is used to verify the
identity of the user, who may be the sender or the receiver.
Thus, a digital signature and a digital certificate are different kinds of
things, but both are used for security. Most websites use a digital
certificate to enhance the trust of their users.
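An added example, not part of the original slides: the sender, CA and receiver roles from the Digital Signature and Digital Certificate slides, written as textbook RSA with only Python's standard library. The primes, key sizes, the names Seller A and Other Shop, and the invoice text are constructed for illustration; production systems use a vetted library with padded signatures and X.509 certificates.

```python
import hashlib

def make_keypair(p, q, e):
    """Textbook RSA: return (public, private) as (exponent, modulus) pairs."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)  # private exponent d = e^-1 mod phi

def digest(data, n):
    """SHA-256 of the data, reduced into the range of the modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, private):
    d, n = private
    return pow(digest(data, n), d, n)  # needs the private key

def verify(data, signature, public):
    e, n = public
    return pow(signature, e, n) == digest(data, n)  # needs only the public key

def cert_body(subject, public):
    return f"{subject}|{public[0]}|{public[1]}".encode()

def issue_certificate(subject, public, ca_private):
    """The CA binds an identity to a public key by signing both together."""
    return {"subject": subject, "public": public,
            "ca_signature": sign(cert_body(subject, public), ca_private)}

def check_message(message, signature, cert, expected_sender, ca_public):
    """Receiver's checks: the certificate first, then the message signature."""
    body = cert_body(cert["subject"], cert["public"])
    if not verify(body, cert["ca_signature"], ca_public):
        return "certificate not issued by the trusted CA"
    if cert["subject"] != expected_sender:
        return "certificate belongs to a different identity"
    if not verify(message, signature, cert["public"]):
        return "message altered or not signed by the certificate holder"
    return "ok"

# Constructed toy keys from small well-known primes (insecure, illustration only).
CA_PUB, CA_PRIV = make_keypair(2**61 - 1, 2**127 - 1, 65537)
A_PUB, A_PRIV = make_keypair(2**89 - 1, 2**107 - 1, 7)  # A's public exponent is 7
OTHER_PUB, OTHER_PRIV = make_keypair(2**17 - 1, 2**521 - 1, 7)

A_CERT = issue_certificate("Seller A", A_PUB, CA_PRIV)
INVOICE = b"Invoice 1001: pay 250.00 to account 12345678"  # constructed sample
INVOICE_SIG = sign(INVOICE, A_PRIV)

if __name__ == "__main__":
    print(check_message(INVOICE, INVOICE_SIG, A_CERT, "Seller A", CA_PUB))
```

The signature alone shows only that some private key signed the invoice; the certificate check is what ties that key to Seller A, which is why both are sent with the message.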
Authentication Protocols
Authentication protocols are methods or procedures used to verify the
identity of a user, device, or system. These protocols are designed to
ensure that only authorized users or devices are able to access protected
resources, and to prevent unauthorized access or tampering.
Most common authentication protocols
• Kerberos
• Lightweight Directory Access Protocol (LDAP)
• OAuth2
• SAML
• RADIUS
Malicious Websites
Phishing
What Is Payment Security?
Payment security involves the steps businesses take to make sure that their customers’ data
is protected and to avoid unauthorized transactions and data breaches. Important aspects of
payment security include following protocols such as PCI Compliance and 3-D Secure
(3DS).

Types of Payment Security


• Tokenization
• Address Verification Service (AVS)
• Card Verification Value (CVV)
• 3-D Secure (3DS)
Consider the following online payment security
best practices to protect your customers and
business.

01 Use two-factor authentication. ...
02 Verify every transaction. ...
03 Choose a secure e-commerce platform and payment provider. ...
04 Buy cyber liability insurance. ...
05 Use a personal verification system. ...
06 Don't store customer payment data.
End ..
