
INTRODUCTION & SECURITY ISSUES

IN
E-COMMERCE

Presented By:-
Amit Kumar Srivastava
2010IS09
M.Tech 1st year
Outline
• Introduction of E-commerce
– Definition of e-commerce
– History of E-Commerce
• Type of E-commerce
• Issues in developing e-commerce applications
• Security Issues
• Solution of Security Issues
Introduction of E-commerce
Electronic Commerce (E-Commerce)
• Commerce refers to all the activities involved in the purchase and sale of goods or services.
– Marketing, sales, payment, fulfillment, customer service
• Electronic Commerce is doing commerce with the use of computers, networks and commerce-enabled software (more than just online shopping)
E-Commerce……….
• Anything that uses electronic technology in order to do business can be regarded as e-business.
• We can look at E-Commerce as a subset of e-business concerning commerce.
Definition of e-commerce
• “e-commerce is based on the electronic
processing and transmission of data. It
encompasses many diverse activities including
electronic trading of goods and services, on-
line delivery of digital content, electronic fund
transfer, electronic share trading, public
procurement.”
Brief History
• 1970s: Electronic Funds Transfer (EFT)
– Used by the banking industry to exchange account information over
secured networks
• Late 1970s and early 1980s: Electronic Data Interchange (EDI)
for e-commerce within companies
– Used by businesses to transmit data from one business to another
• 1990s: the World Wide Web on the Internet provides easy-to-use
technology for information publishing and dissemination
– Cheaper to do business (economies of scale)
– Enable diverse business activities (economies of scope)
Types of E-commerce
• Three main categories:
– Business to consumer (B2C)
– Business to business (B2B)
– Consumer to consumer (C2C)
• Other categories:
– Business to government (B2G)
– Mobile Commerce
B2C applications
• Offer the customer a direct interface to the business's activity
– Typical examples:
• Online book store (e.g. amazon.com)
• Online car purchasing (e.g. automall.com)
• Booking and purchase of airline tickets (e.g. ryanair.com)
• Correspond to retail sale
• Growth of B2C applications thanks to the Internet
• A new kind of B2C application is the cybermall
B2C applications:
advantages and disadvantages
• Advantages:
– Allow the company to extend existing services to customers
– Allow the company to increase its customer base
– Offer a wider choice and allow cheaper prices
– May give the company worldwide visibility
– Online shops are accessible 24/7.
• Disadvantages:
– Low order conversion rates
– High risk (see Cyberphobia)
B2B applications
• Carry out the transactions companies need in order to
perform financial or commercial activities over the
Internet
• Some typical applications:
– E-procurement
– E-Marketplace
• The turnover is much greater than that dealt
with by B2C applications
B2B applications:
advantages and disadvantages
• Advantages:
– Help to automate communications between
companies, making them easier and quicker
– Allow prices to be cut drastically
– Help in reducing mistakes
• Disadvantages:
– Often need legacy integration
C2C applications
• Concern consumers who run negotiations
with other consumers, sometimes using a
company as intermediary
– Examples:
• Ebay
• Autotrader.com
C2C applications:
advantages and disadvantages
• Advantages
– Allow consumers to interact directly among themselves
– Give consumers a new way of purchasing
and selling services and goods
• Disadvantages
– Little earning capacity
B2G applications
• Correspond to all kinds of transactions
between companies and public administrations
• Utilized mostly in the USA
Issues in developing e-commerce
applications
• Many of the following issues:
– Security
– Flexibility
– Scalability
– Fault tolerance
– Integration
– Interfaces (graphical and not)
– Time-to-market
are common to many applications, but they are all
critical in the case of e-commerce because of its
nature
• A state-of-the-art application always fails if people do
not utilize it
– Constant attention must be paid to the users over the
whole development process
• A close integration with every business aspect is needed:
– For an online buyer, security and easy access to the
information are the primary needs
– A manager will need a flexible application to adapt the
business to new trends faster
Security Issues
1).Security is a crucial feature
(i) Most transactions take place in a fully automated way
(ii) Restricted data are transmitted through a public network
(iii)Users must be sure that their money will not be lost or
stolen
2).Access Security Threats
3).Trusting the medium
– Am I connected to the correct web site?
– Is the right person using the other computer?
– Did the appropriate party send the last email?
– Did the last message get there in time, correctly?
Security Issues...........
4).This massive increase in the uptake of e-commerce has
led to a new generation of associated security threats,
but any e-commerce system must meet four integral
requirements:
a) privacy – information exchanged must be kept
from unauthorized parties
b) integrity – the exchanged information must not
be altered or tampered with
c) authentication – both sender and recipient must
prove their identities to each other and
d) non-repudiation – proof is required that the
exchanged information was indeed received
Solution for security issues in E-commerce
For (1) issues…..
• Public-Key Infrastructure (PKI)
– Distribute key pairs to all interested entities
– Certify public keys in a “trusted” fashion
• The Certificate Authority
– Secure protocols between entities
– Digital Signatures, trusted records and non-repudiation
For (1)……
Secure Electronic Transactions
• Cryptographic protocol
• Developed by Visa, MasterCard, Netscape, and Microsoft
• Used for credit card transactions on the Web
• Provides
– Authentication of all parties in transaction
– Confidentiality: transaction is encrypted to foil
eavesdroppers
– Message integrity: not possible to alter account number or
transaction amount
– Linkage: attachments can only be read by 3rd party if
necessary
Secure Electronic Transactions……
• SET protocol supports all features of the credit card system
– Cardholder registration
– Merchant registration
– Purchase requests
– Payment authorizations
– Funds transfer (payment capture)
– Chargeback (refunds)
– Credits
– Credit reversals
– Debit card transactions
• SET can manage
– real-time & batch transactions
– installment payments
Secure Electronic Transaction
Parties: Customer, Merchant, Merchant’s bank (“Bank”), Customer’s bank (“Issuer”)
1. Customer browses and decides to purchase
2. SET sends order and payment information
3. Merchant forwards transaction to bank
4. Bank checks with issuer for payment authorization
5. Issuer authorizes payment
6. Bank authorizes payment
7. Merchant completes order
8. Merchant captures payment information
9. Issuer sends credit card bill to customer
For (1)(ii)……
Securing Private Networks
• Minimize external access to the LAN
• Done by means of firewalls and proxy servers
• Firewalls provide a secure interface between an
“inner” trusted network and an “outer” untrusted
network
• Every packet passing between the inner and outer
networks is “processed”
• Firewalls require hardware and software to
implement
For (1) (ii)……
Securing Private Networks
• The software used consists of proxies and filters
that allow or deny network traffic access to
either network
• Proxy programs
– application-level
– circuit-level
• Filters
– packet filtering
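The packet-filtering firewall the two slides above describe can be illustrated with a small first-match rule evaluator. This is an added example written for this page, not code from the slides or any real firewall; the address plan (a 10.0.0.0/8 trusted LAN, one published web server at 10.0.1.10) and the sample packets are constructed. It also shows the one rule a practitioner would not want to forget: a packet arriving on the outer interface that claims an inner source address is spoofed and must be dropped before any "trusted source" rule can match it.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed address plan: a trusted RFC 1918 LAN behind the firewall and one
# published web server inside it. Documentation ranges stand in for outside hosts.
INNER = ipaddress.ip_network("10.0.0.0/8")
WEB_SERVER = ipaddress.ip_network("10.0.1.10/32")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "inner" or "outer"
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    iface: str                   # "inner", "outer" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                   # "tcp", "udp" or "any"
    dport: Optional[int]         # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (self.iface in ("any", pkt.iface)
                and ipaddress.ip_address(pkt.src) in self.src
                and ipaddress.ip_address(pkt.dst) in self.dst
                and self.proto in ("any", pkt.proto)
                and self.dport in (None, pkt.dport))


# First-match rule set. The anti-spoofing rule comes first, the default deny last.
RULES: List[Rule] = [
    Rule("deny",  "outer", INNER, ANY,        "any", None),   # inner source seen outside: forged
    Rule("allow", "outer", ANY,   WEB_SERVER, "tcp", 443),    # public HTTPS to the shop
    Rule("allow", "outer", ANY,   WEB_SERVER, "tcp", 80),     # public HTTP to the shop
    Rule("allow", "inner", INNER, ANY,        "tcp", 443),    # LAN hosts may browse out
    Rule("deny",  "any",   ANY,   ANY,        "any", None),   # default deny
]


def filter_packet(pkt: Packet, rules: List[Rule] = RULES) -> str:
    """Return the action of the first matching rule; fail closed if nothing matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def filter_many(packets: List[Packet], rules: List[Rule] = RULES) -> List[Tuple[Packet, str]]:
    return [(pkt, filter_packet(pkt, rules)) for pkt in packets]


# Constructed sample traffic, one packet per case the rule set is meant to cover.
SAMPLE = [
    Packet("outer", "203.0.113.5", "10.0.1.10",    "tcp", 443),  # customer -> shop
    Packet("outer", "203.0.113.5", "10.0.1.10",    "tcp", 22),   # SSH from outside
    Packet("inner", "10.0.2.7",    "198.51.100.9", "tcp", 443),  # LAN host browsing out
    Packet("outer", "10.0.2.7",    "198.51.100.9", "tcp", 443),  # spoofed inner source
    Packet("inner", "10.0.2.7",    "198.51.100.9", "udp", 53),   # not explicitly allowed
]

if __name__ == "__main__":
    for pkt, verdict in filter_many(SAMPLE):
        print(f"{verdict:5s} {pkt.iface:5s} {pkt.src} -> {pkt.dst} {pkt.proto}/{pkt.dport}")
```

Run as a script it prints one verdict per sample packet. The design point is that the filter is stateless and fails closed: a packet that matches no rule is dropped, and the ordering of rules is part of the policy (moving the anti-spoofing rule below the "LAN may browse out" rule would let the forged packet through).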
Access Security Threats
• Access Control
– Threats
• Webjacking (illegal access to the server computing system)
– Countermeasures
• User Authentication
• User Authorization
• Denial of Service
– Threat
• Users are unable to use server resources
• Types of DoS attacks
– Countermeasures (limited)
• Firewalls
• System Configuration
Solution For (2)
Access Control
• User authentication
– the process used to identify a user who accesses a web
server
– determines whether the user is legitimate
– generally referred to as access control
• User authorization
– once the user is authenticated, specifies what server
resources that user may access
– resources are: files, scripts, and directories
Solution For (2)………
User Authentication
• Several types of access control
– Based on IP address
• validates the web browser based on its host’s IP address
– Based on domain name
• validates the web browser based on its host’s domain name
– Based on user name and password
• the browser’s user is validated on the basis of a user ID and its associated
password
– Based on client certificates
• the remote user is issued a secure certificate to use as a digital signature
– Based on network security protocols
• solves validation problems associated with access via LAN and
WAN
• e.g. Kerberos and DCE
Authentication based on host IP address and/or
DNS name
• Screen browsers based on their source IP
address, domain name, network, or subnetwork
• Advantages
– easy to set up
– not likely to be incorrectly configured
• Disadvantages
– difficult to grant access to users who migrate
– difficult to handle DHCP and Web proxies
– security issues of
• DNS spoofing
• IP spoofing
Authentication Based on User ID and Password
• Requires the user to provide protected information in order to be
authenticated
• Advantages
– Authenticates users, not hosts
– Users can migrate from host to host
– No problems with Web proxies or DHCP
• Disadvantages
– Users share passwords, forget passwords, do not keep
passwords private, or choose poor passwords
– Passwords can be “sniffed” if transmitted over a network
Authentication Based on User ID and Password…..
• Countermeasures to disadvantages
– Users share passwords, forget passwords, do not keep passwords private, or
they choose poor passwords
• User education
• Choose passwords that are hard to guess but easy to remember
• Countermeasures to disadvantages
– Passwords can be “sniffed” if transmitted over a network
• Basic authentication (HTTP/1.0) is carried out in plain text, merely encoded in
Base64 (MIME)
• It can be intercepted and decoded
• Since HTTP is stateless, every access to a protected resource needs to
be authenticated
• The Basic Authentication exchange therefore occurs frequently, giving more
opportunity for it to be sniffed
– Use secure transmissions
• HTTP/1.1 uses the Digest Authentication process
• Use encrypted communications, e.g. an SSL connection
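The contrast the slide draws between Basic and Digest authentication can be made concrete by putting the two side by side: what a passive observer of the wire learns from a Basic header, and what the server actually checks under RFC 2617 Digest. This is an added example, not code from the slides; the captured header, the user name, the realm and the nonce are constructed (the token `YWxpY2U6czNjcmV0` is simply base64 of `alice:s3cret`). One caveat a practitioner would add today: Digest's MD5 construction is itself considered weak, and the slide's last point (encrypt the whole connection with SSL/TLS) is the fix that is actually relied on.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set, Tuple

# Constructed: the Authorization header of a request observed on the wire.
# "YWxpY2U6czNjcmV0" is nothing more than base64("alice:s3cret").
CAPTURED_BASIC = "Authorization: Basic YWxpY2U6czNjcmV0"


def decode_basic(header: str) -> Optional[Tuple[str, str]]:
    """Basic auth is encoding, not encryption: whoever sees the bytes has the password."""
    _, scheme, token = header.split(" ", 2)
    if scheme != "Basic":
        return None
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def _md5(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(user: str, realm: str, password: str,
                    method: str, uri: str, nonce: str) -> str:
    """Client side of RFC 2617 Digest (no qop): the password never leaves the client;
    only an MD5 bound to the realm, the request and the server's nonce is sent."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def make_server_store(realm: str, users: Dict[str, str]) -> Dict[str, str]:
    """The server keeps HA1 per user (constructed user table), not the plaintext password."""
    return {u: _md5(f"{u}:{realm}:{p}") for u, p in users.items()}


def new_nonce() -> str:
    return secrets.token_hex(16)


def server_verify_digest(store: Dict[str, str], user: str, method: str, uri: str,
                         nonce: str, response: str, issued: Set[str]) -> bool:
    """Recompute the expected response from the stored HA1 and the nonce the server issued.
    A nonce the server never issued (or has retired) is rejected, which limits replay."""
    if user not in store or nonce not in issued:
        return False
    ha2 = _md5(f"{method}:{uri}")
    expected = _md5(f"{store[user]}:{nonce}:{ha2}")
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Same credentials under both schemes; returns what each side can observe or decide."""
    user, password = decode_basic(CAPTURED_BASIC)
    realm = "shop"                                    # constructed realm
    store = make_server_store(realm, {user: password})
    nonce = new_nonce()
    issued = {nonce}
    response = digest_response(user, realm, password, "GET", "/cart", nonce)
    return {
        "basic_reveals": (user, password),            # observer gets the password outright
        "digest_ok": server_verify_digest(store, user, "GET", "/cart", nonce, response, issued),
        "password_on_wire": password in response,     # the Digest response never contains it
        "stale_nonce_ok": server_verify_digest(store, user, "GET", "/cart",
                                               new_nonce(), response, issued),
    }

if __name__ == "__main__":
    print(demo())
```

The server-side check deliberately uses `hmac.compare_digest` rather than `==` so that comparing the hex strings does not leak timing information, and it keys on the set of nonces it issued so that a response captured once cannot be presented again with a different nonce.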
Other Forms of Access Control
• Kerberos authentication model
– Uses a secure “key server”
– Once user authenticated free to use any resources
of the system
– All transmissions are encrypted
• Distributed Computing Environment
– DCE is designed by Open Software Foundation
– Similar to Kerberos authentication model
• Two Factor Authentication
– need something you have - ATM card
– need something you know - PIN number
Other Forms of Access Control……
• Smart Card Type
– token access device that has information that is in
sync with server information (e.g. counter, time,
random number generator, etc.)
– “One time pad” of user name and password
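The "token in sync with the server" idea from the smart-card slide is exactly what an RFC 4226 HOTP token does: device and server share a secret and a counter, and each press yields a one-time code. The example below is added for this page and is not code from the slides; it uses the RFC 4226 appendix test secret (not a real key) and a constructed user. It also shows the two server-side rules that matter in practice: never accept a counter at or below the last accepted one (replay), and allow a small look-ahead window so a token pressed without logging in can resynchronise.

```python
import hashlib
import hmac
import struct
from typing import Dict, Tuple

# RFC 4226 Appendix D test secret, used only so the codes below are checkable by hand.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 of the 8-byte big-endian counter, dynamically truncated (RFC 4226 5.3)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


class HotpToken:
    """The hardware/smart-card side: a secret and a counter that advances on every press."""
    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class HotpServer:
    """Keeps the last accepted counter per user and resynchronises within a window."""
    def __init__(self, window: int = 5):
        self.window = window
        self.users: Dict[str, Tuple[bytes, int]] = {}   # user -> (secret, last accepted counter)

    def enrol(self, user: str, secret: bytes) -> None:
        self.users[user] = (secret, -1)

    def verify(self, user: str, code: str) -> bool:
        if user not in self.users:
            return False
        secret, last = self.users[user]
        # Only counters strictly above the last accepted one are tried, so a code that
        # already logged someone in is dead; the window absorbs skipped presses.
        for counter in range(last + 1, last + 1 + self.window):
            if hmac.compare_digest(hotp(secret, counter), code):
                self.users[user] = (secret, counter)
                return True
        return False


def demo() -> dict:
    """Constructed session: normal login, replay, two wasted presses, then a login far ahead."""
    server, token = HotpServer(window=5), HotpToken(SECRET)
    server.enrol("alice", SECRET)
    first = token.press()
    result = {"login": server.verify("alice", first),
              "replay": server.verify("alice", first)}
    token.press(); token.press()                       # pressed but never submitted
    result["resync_within_window"] = server.verify("alice", token.press())   # counter 3
    for _ in range(6):                                 # now far beyond the window
        token.press()
    result["beyond_window"] = server.verify("alice", token.press())          # counter 10
    return result

if __name__ == "__main__":
    print(demo())
```

A "beyond window" failure is the case help desks see when a user has played with the token for a while; the fix is an explicit resync step (two consecutive codes), never a wider window, because the window is also the attacker's guessing budget.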
For (3)…
Client Based Certificate System
• Certificates
– when the user logs on (presents their certificate) the
authentication server verifies the certificate is valid by
opening it with the CA’s public key
– the certificate contains the user’s public key and personal
information
– the server sends a challenge to the user: a one-time
value the user signs with their private key
– the server then signs the same value with its copy of the
user’s private key
– if the signatures match then the user is authenticated
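The PKI slide ("For (1) issues": distribute key pairs, have a Certificate Authority certify public keys, use digital signatures for non-repudiation) and the client-certificate login above are two views of one mechanism, so a single added example serves both. It is written for this page and is not code from the slides: a toy textbook RSA on fixed 30-bit primes (no padding, far too small for real use) replaces a real library so that it runs offline, the CA and user names are constructed, and the certificate is a signed JSON record rather than X.509. One correction a practitioner would insist on: the server never holds a copy of the user's private key. It verifies the signed challenge with the public key carried in the CA-signed certificate, which is what the code does; because only the user could have produced that signature, the (challenge, signature, certificate) triple is also the non-repudiation record the PKI slide refers to.

```python
import hashlib
import json
import secrets
from math import gcd
from typing import Tuple

# Constructed, toy-sized primes so the example is fast and deterministic to read.
USER_PRIMES = (1_000_000_007, 998_244_353)
CA_PRIMES = (2_147_483_647, 1_000_000_009)

Key = Tuple[int, int]   # (modulus n, exponent)


def make_keypair(p: int, q: int) -> Tuple[Key, Key]:
    """Textbook RSA: returns (public (n, e), private (n, d)); e is bumped until coprime to phi."""
    n, phi = p * q, (p - 1) * (q - 1)
    e = 65537
    while gcd(e, phi) != 1:
        e += 2
    return (n, e), (n, pow(e, -1, phi))


def digest_mod(data: bytes, n: int) -> int:
    """SHA-256 of the data, reduced to fit the toy modulus (stands in for real padding)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv: Key, data: bytes) -> int:
    n, d = priv
    return pow(digest_mod(data, n), d, n)


def verify(pub: Key, data: bytes, signature: int) -> bool:
    n, e = pub
    return pow(signature, e, n) == digest_mod(data, n)


def _cert_body(subject: str, pub) -> bytes:
    return json.dumps({"subject": subject, "pub": list(pub)}, sort_keys=True).encode()


def issue_certificate(ca_priv: Key, subject: str, subject_pub: Key) -> dict:
    """The CA binds a name to a public key by signing the pair: this is the 'trusted' certification."""
    return {"subject": subject, "pub": list(subject_pub),
            "ca_sig": sign(ca_priv, _cert_body(subject, subject_pub))}


def verify_certificate(cert: dict, ca_pub: Key) -> bool:
    return verify(ca_pub, _cert_body(cert["subject"], cert["pub"]), cert["ca_sig"])


def server_challenge() -> bytes:
    """A fresh one-time value per login, so an old signature cannot be replayed."""
    return secrets.token_bytes(16)


def server_check_login(cert: dict, ca_pub: Key, challenge: bytes, signature: int) -> bool:
    """Server side: trust the certificate via the CA key, then check the signed challenge
    with the user's PUBLIC key from that certificate. No user private key is ever held here."""
    if not verify_certificate(cert, ca_pub):
        return False
    return verify(tuple(cert["pub"]), challenge, signature)


def demo() -> dict:
    ca_pub, ca_priv = make_keypair(*CA_PRIMES)
    user_pub, user_priv = make_keypair(*USER_PRIMES)
    cert = issue_certificate(ca_priv, "alice@example.test", user_pub)   # constructed subject
    challenge = server_challenge()
    signature = sign(user_priv, challenge)                               # done on the client
    forged = {**cert, "subject": "mallory@example.test"}                 # edited after signing
    return {
        "cert_valid": verify_certificate(cert, ca_pub),
        "login": server_check_login(cert, ca_pub, challenge, signature),
        "replayed_signature": server_check_login(cert, ca_pub, server_challenge(), signature),
        "tampered_certificate": server_check_login(forged, ca_pub, challenge, signature),
    }

if __name__ == "__main__":
    print(demo())
```

Two details carry the security argument: the certificate check comes before the signature check, so a self-made certificate with an attacker's own key is rejected by the CA signature alone, and the challenge is fresh per login, so even a signature captured on the wire is useless next time.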
References
• www.ieee.org
• A Tutorial on Web Security for E-Commerce
from slide 1.
• E-Commerce: Security Challenges and
Solutions by Dr. Khalid Al-Tawil, King Fahd
University of Petroleum and Minerals
