ECommerce For College

This document discusses the history and development of e-commerce from the 1970s to present day. It covers topics such as electronic data interchange (EDI), electronic funds transfer (EFT), payment systems, intranets and extranets, e-commerce business models, applications of e-commerce, and security issues. The key aspects of e-commerce security are confidentiality, integrity, availability, authentication, and non-repudiation to ensure safe online transactions.
© All Rights Reserved

eCommerce and Security Issues Educational Purpose Only

Overview
This is not a comprehensive discussion.
The idea is to make you aware of eCommerce and the issues related to it.

History of eCommerce (Source: Wikipedia.com)


The meaning of electronic commerce has changed over the last 30 years.
Originally, electronic commerce meant the facilitation of commercial transactions
electronically, using technology such as EDI and EFT. These were both introduced in the late
1970s, allowing businesses to send commercial documents like purchase orders or invoices
electronically.
The growth and acceptance of credit cards, automated teller machines (ATM) and telephone
banking in the 1980s were also forms of electronic commerce.
Another form of e-commerce was the airline reservation system typified by Sabre in the USA
and Travicom in the UK.
Online shopping was invented in the UK in 1979 by Michael Aldrich.
During the 1980s it was used extensively particularly by auto manufacturers such as Ford,
Peugeot-Talbot, General Motors and Nissan.
From the 1990s onwards, electronic commerce would additionally include enterprise resource
planning systems (ERP), data mining and data warehousing.
Although the Internet became popular worldwide in 1994, it took about five years to introduce
security protocols and DSL allowing continual connection to the Internet.
By the end of 2000, a lot of European and American business companies offered their services
through the World Wide Web. Since then people began to associate the word "ecommerce" with
the ability to purchase various goods through the Internet using secure protocols and
electronic payment services.
India started using eCommerce roughly by 2002 onwards.

eCommerce:
Electronic commerce, commonly known as e-commerce or eCommerce, consists of the buying
and selling of products or services over electronic systems such as the Internet and other
computer networks.
Modern electronic commerce typically uses the World Wide Web at least at some point in the
transaction's lifecycle, although it can encompass a wider range of technologies such as e-mail
as well.
Electronic commerce is generally considered to be the sales aspect of e-business. It also
consists of the exchange of data to facilitate the financing and payment aspects of the business
transactions.
Thus, eCommerce is the process of buying, selling, or exchanging products, services, and
information via computer networks, including the Internet.
Electronic commerce that is conducted between businesses is referred to as business-to-
business or B2B. B2B can be open to all interested parties (e.g. commodity exchange) or
limited to specific, pre-qualified participants (private electronic market).
Electronic commerce that is conducted between businesses and consumers, on the other
hand, is referred to as business-to-consumer or B2C. This is the type of electronic commerce
conducted by companies such as Amazon.com.

eCommerce Perspective:
From a communications perspective, it is the delivery of information, products/services, or
payments over telephone lines, computer networks, or any other electronic means.
From a business process perspective, it is the application of technology toward the
automation of business transactions and workflow.
From a service perspective, it is a tool that addresses the desire of firms, consumers, and
management to cut service costs while improving the quality of goods and increasing the
speed of service delivery.
From an online perspective, it provides the capability of buying and selling products and
information on the Internet and other online services.

Electronic Data Interchange - EDI


Developed in the early 1960s as a means of accelerating the movement of documents pertaining to
shipments and transportation.
It is defined as the electronic transfer, from one computer to another, of computer-processable
data using an agreed standard to structure the data.
The National Institute of Standards and Technology in a 1996 publication defines Electronic
Data Interchange as "the computer-to-computer interchange of strictly formatted messages
that represent documents other than monetary instruments."
Human intervention is allowed only when there is an error, for quality review, or in special
situations.

Electronic Funds Transfer EFT


It is defined as any transfer of funds initiated through an electronic terminal, telephonic
instrument, or computer or magnetic tape so as to order, instruct, or authorize a financial
institution to debit or credit an account.
The term is used for a number of different concepts:
Cardholder-initiated transactions, where a cardholder makes use of a payment card
Direct deposit payroll payments for a business to its employees, possibly via a payroll
services company
Direct debit payments from customer to business, where the transaction is initiated by the
business with customer permission
Electronic bill payment in online banking, which may be delivered by EFT or paper check
Transactions involving stored value of electronic money, possibly in a private currency
Wire transfer via an international banking network (generally carries a higher fee)

Payment System
A payment system is a system (including physical or electronic infrastructure and associated
procedures and protocols) used to settle financial transactions in markets (bond markets,
currency markets, futures, derivatives, etc.) or to transfer funds between financial institutions.
E.g., payment gateways:
PayPal
PaisaPay
CC Avenue

Intranet and Extranet



An "intranet" is the generic term for a collection of private computer networks within an
organization.
Extranets are extended intranets connecting organizations, which may include personnel,
customers, suppliers and strategic partners. An extranet is one way in which a firm can
improve its offering and remain competitive.
Intranets and extranets are communication tools designed to enable easy information sharing
within workgroups.
E.g., intranet: many schools and non-profit groups have deployed intranets, but an intranet is
still seen primarily as a corporate productivity tool.
E.g., extranet: allowing controlled access to an otherwise private company network enables
business-to-business transactions and file sharing.

Value Chain in eCommerce


Primary Activities
Identifying Customers
Design
Purchase Material & Supply
Manufacturing
Market & Sell
Delivery of Products
Providing after sale service and support

Supporting Activities
Finance & Administration
Human Resource
Developing Technology

Elements Responsible for the Success of eCommerce


Finance
Technology
Team
Back-office
Strategic alliances
Initial marketing efforts
Competition
Target audience
Transaction Security
Network Security
Reliability
Speed
Brand Awareness
Traffic Volumes
Community Building and Stickiness

eCommerce Business Model



Business Model - Type of Transaction


Business to Business - B2B
Business to Consumer - B2C
Consumer to Consumer - C2C
Business to Anyone - B2A

Business Model - Type of Operation


Models 1, 2 and 3 (labelled A, B and C in the table below) differ in which of the following operations are done online:
1) Product Information
2) Order Registration
3) Order Execution
4) Payment Collection

Operations              Model A   Model B   Model C
1) Product Information  Online    Online    Online
2) Order Registration   Online    Online    Online
3) Order Execution      Online    Offline   Offline
4) Payment Collection   Online    Online    Offline

Business Model - Type of Connectivity


Using EDI Connectivity
- Governments
Using VPN Connectivity
- Private companies
Using Internet Connectivity
- For end users

Business Model - Revenue


Subscription Revenue Model
- Hosting services, etc
Advertising Revenue Model
- Google search engine, etc
Commission Model
- eBay, etc

Applications of eCommerce

Email
Enterprise content management
Instant messaging
Newsgroups
Online shopping and order tracking
Online banking
Online office suites
Domestic and international payment systems
Shopping cart software
Teleconferencing
Electronic tickets

Advantages of eCommerce
Increased Profit
Large Customer Base
Increased purchasing opportunity for the customers
Faster Transaction & Multiple Choices
Improved & Easier Payment System
Security
Accessibility
E-learning or Distant Education

Disadvantages of eCommerce
Non-acceptance of eCommerce by Business Processes
Technological Issues
Scarcity of Potential Customers
Cost Benefit Issue
Software Issues
Legal Issues

E-Commerce Security
Security Issues
eCommerce Issues
Risks
Damage to site
Key distribution, certificate authorities

Security Issues

Confidentiality
- No unauthorized person can view the transaction
Integrity
- Information sent by the sender should be received exactly as sent, with no alteration
Availability
- Information should be available 24x7
Authentication
- The receiver should know who sent the information, and an acknowledgement must be made
on receiving the data.
Non-Repudiation
- The sender or receiver of the message cannot deny having sent or received the message.
This matters especially for online payments.

E-Commerce Issues
What are the threats to eCommerce sites?
- Who are the likely attackers?
- How do we defend, or at least minimise our losses?
E-Commerce security technology
- SSL (https), certificates, certificate authorities
Theft from our bank account
Not getting paid for a product
- stolen credit card
- dishonest customer repudiates purchase
Damage to site (defacement, DoS)
Theft of personal data about customers

Damage to Site
Deface web site
- Obscene content, rude language on the home page
Crash web site
- Distributed Denial of Service (DDoS) attacks
- Attackers break into lots of computers on the net and get all of them to flood the victim
with packets or otherwise attempt to deny service
- Difficult to stop

Legal Issues
Legal defense: due diligence
o Show you have used the best available technology to protect data
o Firewalls are good for this
  Not too effective, but judges/lawyers don't know this!
  So you need a firewall which looks impressive and costs money; it doesn't
  need to actually work
Domain Name Issue
Trademark & Copyright Issue
Dispute Resolution

Risks

Who pays if there is fraud?


o Customer?
o Retailer (e-commerce site)?
o Credit-card company?
o Someone else?
Business goal: risk is fine as long as someone else pays!
Credit-card fraud

Secure Servers
Servers which use cryptographic protocols (such as SSL) so that net traffic is private and
authenticated
- credit card info cannot be read
- shipping addresses cannot be changed
Secure servers are not enough on their own
- There are easier ways of getting card numbers than net spying
- CC receipts from the recycle bin
- bugging phones is easier than tapping the Web!

Certificate Authorities
Authenticate public keys by signing

Emerging Technological Aspect


mCommerce and Location Based Services
o They already exist and are here to stay
eCommerce will be partially replaced by mCommerce
More sophisticated and organized attacks are anticipated
80% of business would be online

IT ACT 2000
Basic legal framework for E-Commerce to promote trust in the electronic environment
Acceptance of electronic documents as evidence in a court of law, and acceptance of
electronic signatures
E-Commerce and E-Governance as major applications, through legal sanctity accorded to
electronic records and digital signatures
Acceptance of electronic documents by the government
Definition of digital signatures based on asymmetric public key cryptography
Establishment of Certifying Authorities to issue digital signature certificates for authentication
of users in e-commerce & e-governance
Amendments to the IT Act have addressed industry's concerns on data protection issues in
that they create an enabling legal environment in India that addresses breaches of
confidentiality and integrity of data.

Encryption and Decryption and Digital Signature

What is Cryptography?
Science of secret (hidden) writing
- kryptos = hidden
- graphein = to write
Encrypt / encipher
- Convert plaintext into ciphertext
Decrypt / decipher
- Convert ciphertext into plaintext

What is Digital Signature?


A digital signature is an electronic means of authenticating an online identity
A digital signature can:
Authenticate the identity of the sender of a message or signer of a document
Be used to ensure that the original content of the message is unchanged

Traditional Paper Based Solution


Confidentiality
- Envelopes
Integrity
- Signatures, watermarks
Authenticity
- Notaries, strong physical presence
Non-repudiation
- Signatures, receipts, confirmations

Electronic Solution
Confidentiality
- Data encryption
Authenticity
- Digital signatures, certificates
Integrity
- Hash algorithms, message digests
Non-repudiation
- Digital signatures, audit logs
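The following program is an added example, not part of the lecture notes, showing how the electronic solutions listed above deliver the security properties defined earlier under "Security Issues" (integrity via a message digest, authentication and non-repudiation via a digital signature). It uses Go's standard-library SHA-256 and Ed25519 only; the order message format, the field names and the three tampering cases are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedOrder is a constructed message format (not from the lecture notes):
// the order text, its SHA-256 message digest, and an Ed25519 signature.
type SignedOrder struct {
	Message   []byte
	Digest    [sha256.Size]byte // integrity: message digest of Message
	Signature []byte            // authenticity and non-repudiation: signature over Digest
}

// CheckResult records which properties held when the receiver checked an order.
type CheckResult struct {
	IntegrityOK bool // digest recomputed from Message matches the digest that was sent
	SignatureOK bool // signature verifies under the claimed sender's public key
}

// GenerateKeys creates a key pair. The private key must stay with its owner
// (key ownership = identity); the public key can be given to anyone.
func GenerateKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Digest is the message digest used for the integrity check.
func Digest(msg []byte) [sha256.Size]byte {
	return sha256.Sum256(msg)
}

// SignOrder hashes the order and signs the digest with the sender's private key.
func SignOrder(priv ed25519.PrivateKey, msg []byte) SignedOrder {
	d := Digest(msg)
	return SignedOrder{
		Message:   append([]byte(nil), msg...),
		Digest:    d,
		Signature: ed25519.Sign(priv, d[:]),
	}
}

// VerifyOrder recomputes the digest from the received message, compares it with
// the digest that was sent, and verifies the signature over the recomputed
// digest using the claimed sender's public key.
func VerifyOrder(pub ed25519.PublicKey, so SignedOrder) CheckResult {
	d := Digest(so.Message)
	return CheckResult{
		IntegrityOK: d == so.Digest,
		SignatureOK: ed25519.Verify(pub, d[:], so.Signature),
	}
}

func main() {
	customerPub, customerPriv, err := GenerateKeys()
	if err != nil {
		panic(err)
	}
	// Constructed sample order; the merchant holds customerPub in its directory.
	order := []byte("order=1001;item=laptop;qty=1;ship_to=12 Main St")
	so := SignOrder(customerPriv, order)
	fmt.Printf("genuine order:         %+v\n", VerifyOrder(customerPub, so))

	// Case 1: the shipping address is altered in transit, digest left as sent.
	// The recomputed digest no longer matches, so the integrity check fails.
	tampered := so
	tampered.Message = []byte("order=1001;item=laptop;qty=1;ship_to=99 Other Rd")
	fmt.Printf("altered address:       %+v\n", VerifyOrder(customerPub, tampered))

	// Case 2: the attacker also recomputes the digest. The digest check now
	// passes; only the signature catches the change, because producing a valid
	// signature requires the customer's private key.
	tampered.Digest = Digest(tampered.Message)
	fmt.Printf("altered and rehashed:  %+v\n", VerifyOrder(customerPub, tampered))

	// Case 3: an order signed with some other key does not verify under the
	// customer's public key, so an order that does verify cannot later be
	// disowned by the customer (non-repudiation).
	_, otherPriv, _ := GenerateKeys()
	fmt.Printf("signed with other key: %+v\n", VerifyOrder(customerPub, SignOrder(otherPriv, order)))
}
```

The point of cases 1 and 2 is that a hash alone only detects changes the attacker did not bother to re-hash; it is the signature, tied to a private key only the customer holds, that gives authenticity and non-repudiation. Confidentiality is not covered here: the order is sent in the clear and would need encryption (the "Data encryption" row above) on top.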

Requirements for Public Key Systems


SECRECY of the private key
- Must be known only to owner
- Key ownership = Identity
AVAILABILITY of the public key
- Must be available to anyone
- Requires a public directory

Certificate Authorities (CAs)


A small set of trusted entities known as Certificate Authorities (CAs) is established to sign
certificates
A Certificate Authority is an entity that exists only to sign user certificates
The CA signs its own certificate, which is distributed in a trusted manner

Retrieving Public Keys


Public keys stored in repositories
Keys can be retrieved on demand

Certification Authorities (CAs)


Users send their public keys to a Certification Authority. The CA then generates a certificate for the
user and keeps a copy of it in the certificate repository.
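As an added example (not from the lecture notes), the program below walks through the CA process described in the two sections above: the CA signs its own certificate, a user sends only a public key, the CA signs a certificate binding that key to the user's name, and a relying party that trusts the CA's certificate checks the chain before believing the key. It uses Go's standard-library crypto/x509 and Ed25519; the CA and user names, the serial numbers and the one-day validity period are constructed placeholders, and the RA step (verifying the user's details before issuance) is assumed to have happened outside this code.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA is a hypothetical minimal certificate authority: a signing key pair and the
// CA's own self-signed certificate, which relying parties obtain through a
// trusted channel and install as their root of trust.
type CA struct {
	Cert *x509.Certificate
	priv ed25519.PrivateKey // never leaves the CA
}

// NewCA generates the CA key pair and signs the CA's own certificate.
func NewCA(name string) (*CA, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, priv: priv}, nil
}

// NewUserKey generates a user's key pair; only the public half goes to the CA.
func NewUserKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Issue signs a certificate binding the user's public key to the user's name.
func (ca *CA) Issue(serial int64, user string, userPub ed25519.PublicKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: user},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, userPub, ca.priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Trusted reports whether cert was signed by the given root CA certificate and
// is currently valid: the check a relying party runs before trusting the key.
func Trusted(cert, root *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}

func main() {
	ca, err := NewCA("Demo Root CA")
	if err != nil {
		panic(err)
	}
	alicePub, _, _ := NewUserKey()
	cert, err := ca.Issue(2, "alice", alicePub)
	if err != nil {
		panic(err)
	}
	fmt.Printf("certificate for %q issued by %q\n", cert.Subject.CommonName, cert.Issuer.CommonName)
	fmt.Println("trusted under Demo Root CA:", Trusted(cert, ca.Cert))

	// Any key pair can sign a certificate claiming to be for "alice"; a relying
	// party that trusts only Demo Root CA rejects one signed by an unknown CA.
	unknown, _ := NewCA("Unknown CA")
	other, _ := unknown.Issue(2, "alice", alicePub)
	fmt.Println("certificate from Unknown CA trusted:", Trusted(other, ca.Cert))
}
```

The second check in main is the reason a CA is needed at all: without a trusted signer, anyone could publish a "certificate" naming alice with their own public key inside it. Revocation and re-issuance, which the notes assign to the CA rather than the RA, are not modelled here.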

Registration
Registration Authority (RA)
- verification of user info
- policy enforcement
- no liability
- only handles registration, not re-issuance, revocation, etc.
- works with CA
Registration can be local, or outsourced

Business Implications of Digital Signature


Commercial Entities:
B2C
B2B
Non-commercial Entities:
Government
General Society

Advantages of Digital Signature


Prevent fraud
Prevent unauthorized access of data
Preserve data integrity

Applications
Contract signing
Areas like:
- Business transactions (e-commerce)
- Banking
- Insurance

Considerations
Technological
No common international standard: any number of companies will say their digital-signature
technology is the safest and best
Security
A security threat always exists
Hackers are constantly finding loopholes or cracking codes
Social
Digital divide
Hitting the critical mass is important in getting the technology into use
However, slow adoption of IT hinders digital signatures from being widely used
