SSL

Short for Secure Sockets Layer, a protocol developed by Netscape for transmitting private documents via the Internet. SSL works by using a private key to encrypt data that's transferred over the SSL connection.

SSL (Secure Sockets Layer):

The Secure Sockets Layer (SSL) is a commonly-used protocol for managing the security of a message transmission on the Internet. SSL has recently been succeeded by Transport Layer Security (TLS), which is based on SSL. SSL uses a program layer located between the Internet's Hypertext Transfer Protocol (HTTP) and Transport Control Protocol (TCP) layers. SSL is included as part of both the Microsoft and Netscape browsers and most Web server products. Developed by Netscape, SSL also gained the support of Microsoft and other Internet client/server developers as well and became the de facto standard until evolving into Transport Layer Security. The "sockets" part of the term refers to the sockets method of passing data back and forth between a client and a server program in a network or between program layers in the same computer. SSL uses the public-and-private key encryption system from RSA, which also includes the use of a digital certificate.

TLS and SSL are an integral part of most Web browsers (clients) and Web servers. If a Web site is on a server that supports SSL, SSL can be enabled and specific Web pages can be identified as requiring SSL access. Any Web server can be enabled by using Netscape's SSLRef program library, which can be downloaded for noncommercial use or licensed for commercial use.

TLS and SSL are not interoperable. However, a message sent with TLS can be handled by a client that handles SSL but not TLS.

Additional Note on SSL:

The e-commerce business is all about making money and then finding ways to make more money. Of course, it's hard to make (more) money when consumers don't feel safe actually executing your transaction on your Web site. That's where SSL (Secure Socket Layer) comes into play. Understanding how SSL affects e-commerce business can also potentially help you to unlock (more) money from your customers.

What is SSL?

Since its introduction in 1994, SSL has been the de facto standard for e-commerce transaction security, and it's likely to remain so well into the future.

SSL is all about encryption. SSL encrypts data, like credit card numbers (as well as other personally identifiable information), which prevents the "bad guys" from stealing your information for malicious intent. You know that you're on an SSL protected page when the address begins with "https" and there is a padlock icon at the bottom of the page (and in the case of Mozilla Firefox in the address bar as well).

Your browser encrypts the data and sends it to the receiving Web site using either 40-bit or 128-bit encryption. Your browser alone cannot secure the whole transaction and that's why it's incumbent upon e-commerce site builders to do their part.

SSL Certificates

At the other end of the equation, and of greatest importance to e-commerce site builders, is the SSL certificate. The SSL certificate sits on a secure server and is used to encrypt data and to identify the Web site. The SSL certificate helps to prove the site belongs to who it says it belongs to and contains information about the certificate holder, the domain that the certificate was issued to, the name of the Certificate Authority who issued the certificate, the root and the country it was issued in.

SSL certificates come in 40-bit and 128-bit varieties, though 40-bit SSL encryption has been hacked. As such, you definitely should be looking at getting a 128-bit certificate. Though there are a wide variety of ways in which you could potentially acquire a 128-bit certificate, there is one key element that is often overlooked in order for full two-way 128-bit encryption to occur. According to SSL certificate vendor VeriSign, in order to have 128-bit encryption you need a certificate that has SGC (server grade cryptography) capabilities.

• How to Get an SSL Certificate ... The Wrong Way

There are two principal ways of getting an SSL certificate: you can either buy one from a certificate vendor or you can "self-sign" your own certificate. That is, using any number of different tools (both open source and proprietary) you can actually sign your own SSL certificate and save the time and expense of going through a certificate vendor.

Technically speaking, the data may be encrypted, but there still is a fundamental problem with self-signing that defeats part of the purpose of having an SSL certificate in the first place. Self-signing a certificate is like issuing yourself a driver's license. Roads are safer because governments issue licenses. Making sure those roads are safe is the role of the certificate authorities. Certificate authorities make sure the site is legitimate.

Self-signed certificates will trigger a warning window in most browser configurations that will indicate that the certificate was not recognized. VeriSign admits that there are a lot of people that will click through anyway, just like there are a lot of people that will click through an expired SSL certificate as well.

A site that conveys trust is also more likely to be a site that makes (more) money. There is research that suggests that having a recognizable SSL certificate may, in fact, have a direct correlation to increased e-commerce sales. VeriSign, in particular, has done some research that shows that users who visit sites that have a recognizable trust mark (like the VeriSign Secure Site seal) are more comfortable shopping on those sites and have fewer abandoned shopping carts and better repeat purchases.

Choosing an SSL Certificate Vendor

According to GeoTrust Lockhart there are several things that buyers should look for when purchasing a certificate:

• Reputation and credibility of the CA (How long have they been in business? Do they have lots of customers?)
• Ubiquity of the root (is it embedded in all of the popular browsers?)
• Root is owned by the CA (and not chained to someone else's root)
• Lifecycle management tools (how easy is it to install, renew, reinstall, and revoke if compromised, etc.)
• Ease of acquiring the certificate
• Who is doing the vetting (is it the CA itself, or in the case of some resellers, do they delegate this to their resellers?)

Conclusion
You are who you say you are. You have nothing to hide and you are running a legitimate e-commerce business that you want consumers to trust and feel comfortable doing business with. The SSL certificate system exists to help promote the security and integrity of e-commerce for everyone. In an era where phishing scams run rampant and trust is king, a proper SSL certificate may well be your key to e-commerce success.

Encryption:

Encryption is the translation of data into a secret code. Encryption is the most effective way to achieve data security.

Encryption is the conversion of data into a form, called a ciphertext, that cannot be easily understood by unauthorized people. Decryption is the process of converting encrypted data back into its original form, so it can be understood.

The use of encryption/decryption is as old as the art of communication. In wartime, a cipher, often incorrectly called a code, can be employed to keep the enemy from obtaining the contents of transmissions. (Technically, a code is a means of representing a signal without the intent of keeping it secret; examples are Morse code and ASCII.) Simple ciphers include the substitution of letters for numbers, the rotation of letters in the alphabet, and the "scrambling" of voice signals by inverting the sideband frequencies. More complex ciphers work according to sophisticated computer algorithms that rearrange the data bits in digital signals.

In order to easily recover the contents of an encrypted signal, the correct decryption key
is required. The key is an algorithm that undoes the work of the encryption algorithm.
Alternatively, a computer can be used in an attempt to break the cipher. The more
complex the encryption algorithm, the more difficult it becomes to eavesdrop on the
communications without access to the key.

Encryption/decryption is especially important in wireless communications. This is
because wireless circuits are easier to tap than their hard-wired counterparts.
Nevertheless, encryption/decryption is a good idea when carrying out any kind of
sensitive transaction, such as a credit-card purchase online, or the discussion of a
company secret between different departments in the organization. The stronger the
cipher -- that is, the harder it is for unauthorized people to break it -- the better, in
general. However, as the strength of encryption/decryption increases, so does the cost.

In recent years, a controversy has arisen over so-called strong encryption. This refers to
ciphers that are essentially unbreakable without the decryption keys. While most
companies and their customers view it as a means of keeping secrets and minimizing
fraud, some governments view strong encryption as a potential vehicle by which
terrorists might evade authorities. These governments, including that of the United States,
want to set up a key-escrow arrangement. This means everyone who uses a cipher would
be required to provide the government with a copy of the key. Decryption keys would be
stored in a supposedly secure place, used only by authorities, and used only if backed up
by a court order. Opponents of this scheme argue that criminals could hack into the key-
escrow database and illegally obtain, steal, or alter the keys. Supporters claim that while
this is a possibility, implementing the key escrow scheme would be better than doing
nothing to prevent criminals from freely using encryption/decryption.

Digital Signature:

A digital signature or digital signature scheme is a mathematical scheme for
demonstrating the authenticity of a digital message or document. A valid digital signature
gives a recipient reason to believe that the message was created by a known sender, and
that it was not altered in transit. Digital signatures are commonly used for software
distribution, financial transactions, and in other cases where it is important to detect
forgery and tampering.

Digital signatures are often used to implement electronic signatures, a broader term that
refers to any electronic data that carries the intent of a signature,[1] but not all electronic
signatures use digital signatures.[2][3][4] In some countries, including the United States,
India, and members of the European Union, electronic signatures have legal significance.
However, laws concerning electronic signatures do not always make clear whether they
are digital cryptographic signatures in the sense used here, leaving the legal definition,
and so their importance, somewhat confused.

Digital signatures employ a type of asymmetric cryptography. For messages sent through
an insecure channel, a properly implemented digital signature gives the receiver reason to
believe the message was sent by the claimed sender. Digital signatures are equivalent to
traditional handwritten signatures in many respects; properly implemented digital
signatures are more difficult to forge than the handwritten type. Digital signature schemes
in the sense used here are cryptographically based, and must be implemented properly to
be effective. Digital signatures can also provide non-repudiation, meaning that the signer
cannot successfully claim they did not sign a message, while also claiming their private
key remains secret; further, some non-repudiation schemes offer a time stamp for the
digital signature, so that even if the private key is exposed, the signature is valid
nonetheless. Digitally signed messages may be anything representable as a bitstring:
examples include electronic mail, contracts, or a message sent via some other
cryptographic protocol.

The following diagram shows how a simple digital signature is applied and then verified:

A digital signature scheme typically consists of three algorithms:

• A key generation algorithm that selects a private key uniformly at random from a
set of possible private keys. The algorithm outputs the private key and a
corresponding public key.
• A signing algorithm that, given a message and a private key, produces a signature.
• A signature verifying algorithm that, given a message, public key and a signature,
either accepts or rejects the message's claim to authenticity.

Two main properties are required. First, a signature generated from a fixed message and
fixed private key should verify the authenticity of that message by using the
corresponding public key. Secondly, it should be computationally infeasible to generate a
valid signature for a party who does not possess the private key.
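As an added illustration of the three algorithms and the two properties just listed (example code written for this page, not taken from any source the page cites), here is a toy hash-then-sign scheme built on textbook RSA; the fixed primes, the tiny modulus and the absence of padding are this example's simplifications, not how a production scheme is built.

```python
"""Toy hash-then-sign scheme with the three algorithms the text lists.

Added example, not from the page. It uses textbook RSA over two fixed Mersenne
primes so the run is deterministic; a real key-generation algorithm picks the
primes at random, uses a modulus of 2048 bits or more, and applies a padding
scheme such as RSA-PSS. All names and values below are this example's own.
"""
import hashlib
from math import gcd

# Constructed, fixed primes 2**127 - 1 and 2**89 - 1 (both Mersenne primes),
# standing in for the random selection a real key generator performs.
_P = (1 << 127) - 1
_Q = (1 << 89) - 1
PUBLIC_EXPONENT = 65537


def generate_keypair():
    """Key generation: returns (public_key, private_key) as (e, n) and (d, n)."""
    n = _P * _Q
    phi = (_P - 1) * (_Q - 1)
    if gcd(PUBLIC_EXPONENT, phi) != 1:
        raise ValueError("public exponent must be coprime to phi(n)")
    d = pow(PUBLIC_EXPONENT, -1, phi)  # modular inverse, Python 3.8+
    return (PUBLIC_EXPONENT, n), (d, n)


def message_digest(message: bytes, n: int) -> int:
    """Hash the message (SHA-256) and keep 192 bits so the value is below n.

    n is about 216 bits here, so the truncated digest always fits. Signing the
    digest rather than the raw message is what lets messages of any length be
    signed while still binding the signature to every bit of the content.
    """
    digest = hashlib.sha256(message).digest()
    return int.from_bytes(digest[:24], "big") % n


def sign(message: bytes, private_key) -> int:
    """Signing algorithm: message + private key -> signature."""
    d, n = private_key
    return pow(message_digest(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Verifying algorithm: message + public key + signature -> accept/reject."""
    e, n = public_key
    if not 0 < signature < n:
        return False
    return pow(signature, e, n) == message_digest(message, n)


def demo() -> dict:
    """Exercise the two required properties on a constructed message."""
    public_key, private_key = generate_keypair()
    message = b"transfer 100.00 from account 12345 to account 67890"  # constructed
    signature = sign(message, private_key)

    # Integrity: changing any part of the message invalidates the signature.
    tampered = message.replace(b"100.00", b"900.00")
    # Unforgeability: a value not produced with the private key is rejected.
    forged = (signature + 1) % public_key[1]

    return {
        "genuine": verify(message, signature, public_key),
        "tampered": verify(tampered, signature, public_key),
        "forged": verify(message, forged, public_key),
    }


if __name__ == "__main__":
    print(demo())  # {'genuine': True, 'tampered': False, 'forged': False}
```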

Use of Digital Signature:

As organizations move away from paper documents with ink signatures or authenticity
stamps, digital signatures can provide added assurances of the evidence to provenance,
identity, and status of an electronic document as well as acknowledging informed consent
and approval by a signatory. The United States Government Printing Office (GPO)
publishes electronic versions of the budget, public and private laws, and congressional
bills with digital signatures. Universities including Penn State, University of Chicago,
and Stanford are publishing electronic student transcripts with digital signatures.

Below are some common reasons for applying a digital signature to communications:

1. Authentication
2. Integrity
3. Non-repudiation

Authentication

Although messages may often include information about the entity sending a message,
that information may not be accurate. Digital signatures can be used to authenticate the
source of messages. When ownership of a digital signature secret key is bound to a
specific user, a valid signature shows that the message was sent by that user. The
importance of high confidence in sender authenticity is especially obvious in a financial
context. For example, suppose a bank's branch office sends instructions to the central
office requesting a change in the balance of an account. If the central office is not
convinced that such a message is truly sent from an authorized source, acting on such a
request could be a grave mistake.

Integrity

In many scenarios, the sender and receiver of a message may have a need for confidence
that the message has not been altered during transmission. Although encryption hides the
contents of a message, it may be possible to change an encrypted message without
understanding it. (Some encryption algorithms, known as nonmalleable ones, prevent
this, but others do not.) However, if a message is digitally signed, any change in the
message after signature will invalidate the signature. Furthermore, there is no efficient
way to modify a message and its signature to produce a new message with a valid
signature, because this is still considered to be computationally infeasible by most
cryptographic hash functions.

Non-repudiation

Non-repudiation, or more specifically non-repudiation of origin, is an important aspect of
digital signatures. By this property an entity that has signed some information cannot at a
later time deny having signed it. Similarly, access to the public key only does not enable
a fraudulent party to fake a valid signature. This is in contrast to symmetric systems,
where both sender and receiver share the same secret key, and thus in a dispute a third
party cannot determine which entity was the true source of the information.

Digital Certificate:

A digital certificate is an attachment to an electronic message used for security purposes. The
most common use of a digital certificate is to verify that a user sending a message is who he
or she claims to be, and to provide the receiver with the means to encode a reply.

An individual wishing to send an encrypted message applies for a digital certificate from a
Certificate Authority (CA). The CA issues an encrypted digital certificate containing the
applicant's public key and a variety of other identification information. The CA makes its
own public key readily available through print publicity or perhaps on the Internet.

The recipient of an encrypted message uses the CA's public key to decode the digital
certificate attached to the message, verifies it as issued by the CA and then obtains the
sender's public key and identification information held within the certificate. With this
information, the recipient can send an encrypted reply.

The most widely used standard for digital certificates is X.509.

Also see the additional note on SSL, which is provided above.

Server Security:

An organization’s servers provide a wide variety of services to internal and external users, and
many servers also store or process sensitive information for the organization. Some of the most
common types of servers are Web, email, database, infrastructure management, and file servers.
This publication addresses the general security issues of typical servers.

Servers are frequently targeted by attackers because of the value of their data and services. For
example, a server might contain personally identifiable information that could be used to perform
identity theft. The following are examples of common security threats to servers:

1. Malicious entities may exploit software bugs in the server or its underlying operating
system to gain unauthorized access to the server.

2. Denial of service (DoS) attacks may be directed to the server or its supporting network
infrastructure, denying or hindering valid users from making use of its services.

3. Sensitive information on the server may be read by unauthorized individuals or changed
in an unauthorized manner.

4. Sensitive information transmitted unencrypted or weakly encrypted between the server
and the client may be intercepted.

5. Malicious entities may gain unauthorized access to resources elsewhere in the
organization’s network via a successful attack on the server.

6. Malicious entities may attack other entities after compromising a server. These attacks
can be launched directly (e.g., from the compromised host against an external server) or
indirectly (e.g., placing malicious content on the compromised server that attempts to exploit
vulnerabilities in the clients of users accessing the server).

To secure a server, organizations installing, configuring, and maintaining servers should
apply the following practices:

1. Securing, installing, and configuring the underlying operating system

2. Securing, installing, and configuring server software

3. Maintaining the secure configuration through application of appropriate patches and
upgrades, security testing, monitoring of logs, and backups of data and operating system files.

The following key guidelines are recommended to Federal departments and agencies for
maintaining a secure server.

Organizations should carefully plan and address the security aspects of the deployment of a
server.

Because it is much more difficult to address security once deployment and implementation have
occurred, security should be carefully considered from the initial planning stage. Organizations
are more likely to make decisions about configuring computers appropriately and consistently
when they develop and use a detailed, well-designed deployment plan. Developing such a plan
will support server administrators in making the inevitable tradeoff decisions between usability,
performance, and risk.

Organizations often fail to consider the human resource requirements for both deployment and
operational phases of the server and supporting infrastructure. Organizations should address the
following points in a deployment plan:

1. Types of personnel required (e.g., system and server administrators, network
administrators, information systems security officers [ISSO])

2. Skills and training required by assigned personnel

3. Individual (i.e., level of effort required of specific personnel types) and collective staffing
(i.e., overall level of effort) requirements.

Organizations should implement appropriate security management practices and controls
when maintaining and operating a secure server.

Appropriate management practices are essential to operating and maintaining a secure server.
Security practices entail the identification of an organization’s information system assets and the
development, documentation, and implementation of policies, standards, procedures, and
guidelines that help to ensure the confidentiality, integrity, and availability of information system
resources. To ensure the security of a server and the supporting network infrastructure, the
following practices should be implemented:

1. Organization-wide information system security policy

2. Configuration/change control and management

3. Risk assessment and management

4. Standardized software configurations that satisfy the information system security policy

5. Security awareness and training

6. Contingency planning, continuity of operations, and disaster recovery planning

7. Certification and accreditation.

Organizations should ensure that the server operating system is deployed, configured, and
managed to meet the security requirements of the organization.

The first step in securing a server is securing the underlying operating system. Most commonly
available servers operate on a general-purpose operating system. Many security issues can be
avoided if the operating systems underlying servers are configured appropriately. Default
hardware and software configurations are typically set by manufacturers to emphasize features,
functions, and ease of use, at the expense of security. Because manufacturers are not aware of
each organization’s security needs, each server administrator must configure new servers to
reflect their organization’s security requirements and reconfigure them as those requirements
change. Using security configuration guides or checklists can assist administrators in securing
servers consistently and efficiently. Securing an operating system initially would generally
include the following steps:

1. Patch and upgrade the operating system

2. Remove or disable unnecessary services, applications, and network protocols

3. Configure operating system user authentication

4. Configure resource controls

5. Install and configure additional security controls, if needed

6. Perform security testing of the operating system.


Organizations should ensure that the server application is deployed, configured, and
managed to meet the security requirements of the organization.

In many respects, the secure installation and configuration of the server application will mirror
the operating system process discussed above. The overarching principle is to install the minimal
amount of services required and eliminate any known vulnerabilities through patches or upgrades.
If the installation program installs any unnecessary applications, services, or scripts, they should
be removed immediately after the installation process concludes. Securing the server application
would generally include the following steps:

1. Patch and upgrade the server application

2. Remove or disable unnecessary services, applications, and sample content

3. Configure server user authentication and access controls

4. Configure server resource controls

5. Test the security of the server application (and server content, if applicable).

Many servers also use authentication and encryption technologies to restrict who can access the
server and to protect information transmitted between the server and its clients. Organizations
should periodically examine the services and information accessible on the server and determine
the necessary security requirements. Organizations should also be prepared to migrate their
servers to stronger cryptographic technologies as weaknesses are identified in the servers’
existing cryptographic technologies. For example, NIST has recommended that use of the Secure
Hash Algorithm 1 (SHA-1) be phased out by 2010 in favor of SHA-224, SHA-256, and other
larger, stronger hash functions. Organizations should stay aware of cryptographic requirements
and plan to update their servers accordingly.

Organizations should commit to the ongoing process of maintaining the security of servers
to ensure continued security.

Maintaining a secure server requires constant effort, resources, and vigilance from an
organization. Securely administering a server on a daily basis is an essential aspect of server
security. Maintaining the security of a server will usually involve the following actions:

1. Configuring, protecting, and analyzing log files on an ongoing and frequent basis

2. Backing up critical information frequently

3. Establishing and following procedures for recovering from compromise

4. Testing and applying patches in a timely manner

5. Testing security periodically.

Firewall:
Definition yet to be included.

Password:
A password is a secret word or string of characters that is used for authentication, to
prove identity or gain access to a resource (example: an access code is a type of
password). The password should be kept secret from those not allowed access.

The use of passwords is known to be ancient. Sentries would challenge those wishing to
enter an area or approaching it to supply a password or watchword. Sentries would only
allow a person or group to pass if they knew the password. In modern times, user names
and passwords are commonly used by people during a log in process that controls access
to protected computer operating systems, mobile phones, cable TV decoders, automated
teller machines (ATMs), etc. A typical computer user may require passwords for many
purposes: logging in to computer accounts, retrieving e-mail from servers, accessing
programs, databases, networks, web sites, and even reading the morning newspaper
online.

Despite the name, there is no need for passwords to be actual words; indeed passwords
which are not actual words may be harder to guess, a desirable property. Some passwords
are formed from multiple words and may more accurately be called a passphrase. The
term passcode is sometimes used when the secret information is purely numeric, such as
the personal identification number (PIN) commonly used for ATM access. Passwords are
generally short enough to be easily memorized and typed.

For the purposes of more compellingly authenticating the identity of one computing
device to another, passwords have significant disadvantages (they may be stolen,
spoofed, forgotten, etc.) compared with authentication systems relying on cryptographic
protocols, which are more difficult to circumvent.

Factors in the security of a password system

The security of a password-protected system depends on several factors. The overall
system must, of course, be designed for sound security, with protection against computer
viruses, man-in-the-middle attacks and the like. Physical security issues are also a
concern, from deterring shoulder surfing to more sophisticated physical threats such as
video cameras and keyboard sniffers. And, of course, passwords should be chosen so that
they are hard for an attacker to guess and hard for an attacker to discover using any (and
all) of the available automatic attack schemes. See password strength, computer security,
and computer insecurity.

Nowadays it is a common practice for computer systems to hide passwords as they are
typed. The purpose of this measure is to avoid bystanders reading the password.
However, some argue that such practice may lead to mistakes and stress, encouraging
users to choose weak passwords. As an alternative, users should have the option to show
or hide passwords as they type them.[4]

Effective access control provisions may force extreme measures on criminals seeking to
acquire a password or biometric token.[5] Less extreme measures include extortion, rubber
hose cryptanalysis, and side channel attack.

Here are some specific password management issues that must be considered in thinking
about, choosing, and handling a password.

Rate at which an attacker can try guessed passwords

The rate at which an attacker can submit guessed passwords to the system is a key factor
in determining system security. Some systems impose a time-out of several seconds after
a small number (e.g., three) of failed password entry attempts. In the absence of other
vulnerabilities, such systems can be effectively secure with relatively simple passwords,
if they have been well chosen and are not easily guessed.[6]

Many systems store or transmit a cryptographic hash of the password in a manner that
makes the hash value accessible to an attacker. When this is done, and it is very common,
an attacker can work off-line, rapidly testing candidate passwords against the true
password's hash value. Passwords that are used to generate cryptographic keys (e.g., for
disk encryption or Wi-Fi security) can also be subjected to high rate guessing. Lists of
common passwords are widely available and can make password attacks very efficient.
(See Password cracking.) Security in such situations depends on using passwords or
passphrases of adequate complexity, making such an attack computationally infeasible
for the attacker. Some systems, such as PGP and Wi-Fi WPA, apply a computation-
intensive hash to the password to slow such attacks. See key strengthening.

Form of stored passwords

Some computer systems store user passwords as cleartext, against which to compare user
log on attempts. If an attacker gains access to such an internal password store, all
passwords—and so all user accounts—will be compromised. If some users employ the
same password for accounts on different systems, those will be compromised as well.

More secure systems store each password in a cryptographically protected form, so
access to the actual password will still be difficult for a snooper who gains internal access
to the system, while validation of user access attempts remains possible.

A common approach stores only a "hashed" form of the plaintext password. When a user
types in a password on such a system, the password handling software runs through a
cryptographic hash algorithm, and if the hash value generated from the user's entry
matches the hash stored in the password database, the user is permitted access. The hash
value is created by applying a hash function (for maximum resistance to attack this
should be a cryptographic hash function) to a string consisting of the submitted password
and, usually, another value known as a salt. The salt prevents attackers from easily
building a list of hash values for common passwords. MD5 and SHA1 are frequently
used cryptographic hash functions.

A modified version of the DES algorithm was used for this purpose in early Unix
systems. The UNIX DES function was iterated to make the hash-function equivalent
slow, further frustrating automated guessing attacks, and used the password candidate as
a key to encrypt a fixed value, thus blocking yet another attack on the password
shrouding system. More recent Unix or Unix like systems (e.g., Linux or the various BSD
systems) use what most believe to be still more effective protective mechanisms based on
MD5, SHA1, Blowfish, Twofish, or any of several other algorithms to prevent or
frustrate attacks on stored password files.[7]

If the hash function is well designed, it will be computationally infeasible to reverse it to
directly find a plaintext password. However, many systems do not protect their hashed
passwords adequately, and if an attacker can gain access to the hashed values he can use
widely available tools which compare the encrypted outcome of every word from some
list, such as a dictionary (many are available on the Internet). Large lists of possible
passwords in many languages are widely available on the Internet, as are software
programs to try common variations. The existence of these dictionary attack tools
constrains user password choices which are intended to resist easy attacks; they must not
be findable on such lists. Obviously, words on such lists should be avoided as passwords.
Use of a key stretching hash such as PBKDF2 is designed to reduce this risk.

A poorly designed hash function can make attacks feasible even if a strong password is
chosen. See LM hash for a widely deployed, and insecure, example.[8]
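
To make the two points above concrete, here is an added example (not code from the page
or from any of the systems it mentions) that hashes a password the weak way, with a plain
unsalted MD5, and the recommended way, with a random per-user salt and PBKDF2-HMAC-SHA256,
then runs the same dictionary attack against both. The wordlist and the iteration count are
constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for a downloaded dictionary (an assumption of this
# example, not data from the page).
WORDLIST = ["123456", "password", "letmein", "qwerty", "hunter2", "dragon"]

# PBKDF2 parameters chosen for the example; tune ITERATIONS so one verification takes
# on the order of 100 ms on the hardware that will run it.
ITERATIONS = 200_000
SALT_BYTES = 16


def legacy_md5_hash(password: str) -> str:
    """Unsalted, single-pass MD5: the weak scheme the text warns about."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def dictionary_attack_md5(stored_hash: str, wordlist=WORDLIST):
    """Hash every candidate once and compare; one MD5 per guess, and the same
    precomputed table works against every account on every system."""
    for candidate in wordlist:
        if legacy_md5_hash(candidate) == stored_hash:
            return candidate
    return None


def make_record(password: str) -> str:
    """Store algorithm, iteration count, random salt and PBKDF2 digest in one string,
    so the verifier can recompute the digest without any other secret state."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(record: str, password: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time,
    so the comparison itself leaks nothing about how many bytes matched."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def dictionary_attack_record(record: str, wordlist=WORDLIST):
    """The same guessing attack against the salted, stretched record. It still works
    for a password that is on the list, but every guess costs ITERATIONS hash
    computations and must be redone per account because of the unique salt."""
    for candidate in wordlist:
        if verify(record, candidate):
            return candidate
    return None


if __name__ == "__main__":
    print("MD5 of 'letmein' recovered as:", dictionary_attack_md5(legacy_md5_hash("letmein")))
    strong = make_record("correct horse battery staple")
    print("strong password found in wordlist:", dictionary_attack_record(strong))
    print("weak password still found (slowly):", dictionary_attack_record(make_record("hunter2")))
```

The salted record still falls to a guess that is in the list, but each guess now costs the
attacker 200,000 hash computations instead of one, and the random salt means no precomputed
table covers more than a single account.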

Methods of verifying a password over a network

Various methods have been used to verify submitted passwords in a network setting:

Simple transmission of the password

Passwords are vulnerable to interception (i.e., "snooping") while being transmitted to the
authenticating machine or person. If the password is carried as electrical signals on
unsecured physical wiring between the user access point and the central system
controlling the password database, it is subject to snooping by wiretapping methods. If it
is carried as packetized data over the Internet, anyone able to watch the packets
containing the logon information can snoop with a very low probability of detection.

Email is sometimes used to distribute passwords. Since most email is sent as cleartext, it
is available without effort during transport to any eavesdropper. Further, the email will be
stored on at least two computers as cleartext—the sender's and the recipient's. If it passes
through intermediate systems during its travels, it will probably be stored on those as
well, at least for some time. Attempts to delete an email from all these locations
may, or may not, succeed; backups or history files or caches on any of several systems
may still contain the email. Indeed, merely identifying every one of those systems may be
difficult. Emailed passwords are generally an insecure method of distribution.

An example of cleartext transmission of passwords is the original Wikipedia website.
When you logged into your Wikipedia account, your username and password were sent
from your computer's browser through the Internet as cleartext. In principle, anyone who
could observe the traffic could read them in transit and thereafter log into your account
as you; Wikipedia's servers have no way of distinguishing such an attacker from you. In
practice, an unknowably large number of parties were in a position to do so (e.g.,
employees at your Internet Service Provider, at any of the systems through which the
traffic passes, etc.). More recently, Wikipedia has offered a secure login option, which,
like many e-commerce sites, uses the SSL/TLS cryptographic protocol to eliminate the
cleartext transmission. Because anyone can gain access to Wikipedia (without logging in
at all) and then edit essentially all articles, it can be argued that there is little need to
encrypt these transmissions as there is little being protected. That argument overlooks
password reuse: a credential captured from a low-value site is routinely tried against the
same user's e-mail or banking accounts. Other websites (e.g., banks and financial
institutions) have quite different security requirements, and cleartext transmission of
anything is clearly insecure in those contexts.

Encrypting only the connection between the mail server and the client machine (e.g.,
TLS on the POP or IMAP session) protects just that hop. Previous or subsequent relays of
the email will not be protected, and the email will probably be stored on multiple
computers, certainly on the originating and receiving computers, most often in cleartext.

Transmission through encrypted channels

The risk of interception of passwords sent over the Internet can be reduced by, among
other approaches, using cryptographic protection. The most widely used is the Transport
Layer Security (TLS, previously called SSL) feature built into most current Internet
browsers. Most browsers alert the user of a TLS/SSL protected exchange with a server by
displaying a closed lock icon, or some other sign, when TLS is in use. Note that the lock
only means the channel is encrypted and the server's certificate was accepted; it says
nothing about whether the site itself is trustworthy. There are several other techniques in
use; see cryptography.

Hash-based challenge-response methods

Unfortunately, there is a conflict between stored hashed-passwords and hash-based
challenge-response authentication; the latter requires a client to prove to a server that it
knows what the shared secret (i.e., password) is, and to do this, the server must be able to
obtain the shared secret from its stored form. On many systems (including Unix-type
systems) doing remote authentication, the shared secret usually becomes the hashed form
and has the serious limitation of exposing passwords to offline guessing attacks. In
addition, when the hash is used as a shared secret, an attacker does not need the original
password to authenticate remotely; he only needs the hash (the "pass the hash" attack).
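
The conflict described above can be shown in a few lines. The following is an added
example, not code from the page: a server stores an unsalted SHA-256 of each password (this
example's assumption; any derivation the client can recompute on its own has the same
property), issues a random nonce as the challenge, and accepts HMAC(stored hash, nonce) as
the response. The honest client, an attacker who has copied the hash database, and an
offline guessing attack against that copy are all shown.

```python
import hashlib
import hmac
import os


def password_hash(password: str) -> bytes:
    """The stored form of the password. Unsalted SHA-256 is this example's choice;
    the weakness shown below holds for any derivation the client can reproduce."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def response_for(shared_secret: bytes, nonce: bytes) -> bytes:
    """Both sides compute an HMAC over the server's fresh nonce, keyed with the secret."""
    return hmac.new(shared_secret, nonce, hashlib.sha256).digest()


class Server:
    def __init__(self):
        self.users = {}      # username -> stored password hash (this IS the shared secret)
        self.pending = {}    # username -> nonce of the outstanding challenge

    def register(self, username: str, password: str) -> None:
        self.users[username] = password_hash(password)

    def challenge(self, username: str) -> bytes:
        """Step 1: the server issues a random, single-use nonce."""
        nonce = os.urandom(16)
        self.pending[username] = nonce
        return nonce

    def check_response(self, username: str, response: bytes) -> bool:
        """Step 3: the server recomputes the expected response from its stored hash.
        The nonce is consumed, so a captured response cannot simply be replayed."""
        nonce = self.pending.pop(username, None)
        stored = self.users.get(username)
        if nonce is None or stored is None:
            return False
        return hmac.compare_digest(response_for(stored, nonce), response)


def honest_client(password: str, nonce: bytes) -> bytes:
    """Step 2 (legitimate): the client derives the secret from the password it knows."""
    return response_for(password_hash(password), nonce)


def pass_the_hash(stolen_hash: bytes, nonce: bytes) -> bytes:
    """Step 2 (attacker): with a copy of the server's hash database the attacker never
    learns the password, yet answers the challenge exactly as the client would."""
    return response_for(stolen_hash, nonce)


def offline_guess(stolen_hash: bytes, wordlist):
    """The other weakness named in the text: the stolen hash can be attacked offline
    at full speed, with no interaction with the server and no lockout."""
    for candidate in wordlist:
        if hmac.compare_digest(password_hash(candidate), stolen_hash):
            return candidate
    return None


def login(server: Server, username: str, responder) -> bool:
    """Run one complete exchange; `responder` maps the nonce to a response."""
    nonce = server.challenge(username)
    return server.check_response(username, responder(nonce))


if __name__ == "__main__":
    server = Server()
    server.register("alice", "S3cret-pass")           # constructed account
    print("honest login:", login(server, "alice", lambda n: honest_client("S3cret-pass", n)))
    stolen = server.users["alice"]                     # attacker copies the hash database
    print("pass-the-hash login:", login(server, "alice", lambda n: pass_the_hash(stolen, n)))
    print("offline guess:", offline_guess(stolen, ["password", "letmein", "S3cret-pass"]))
```

Nothing in the exchange lets the server tell the second login from the first: the hash is
the credential. An augmented password-authenticated key agreement, discussed next, is the
usual remedy when the server must not hold a directly usable secret.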

Zero-knowledge password proofs

Rather than transmitting a password, or transmitting the hash of the password, password-
authenticated key agreement systems can perform a zero-knowledge password proof,
which proves knowledge of the password without exposing it.

Moving a step further, augmented systems for password-authenticated key agreement
(e.g., AMP, B-SPEKE, PAK-Z, SRP-6) avoid both the conflict and the limitation of hash-
based methods. An augmented system allows a client to prove knowledge of the
password to a server that stores only a verifier derived from the password (not simply a
hash of it), and an attacker who steals that verifier still cannot authenticate, because the
unhashed password is required to gain access. A stolen verifier does remain subject to
offline guessing, so a strong password is still needed.

Procedures for changing passwords

Usually, a system must provide a way to change a password, either because a user
believes the current password has been (or might have been) compromised, or as a
precautionary measure. If a new password is passed to the system in unencrypted form,
security can be lost (e.g., via wiretapping) even before the new password has been
installed in the password database. And, of course, if the new password is given to a
compromised employee, little is gained. Some web sites include the user-selected
password in an unencrypted confirmation e-mail message, with the obvious increased
vulnerability.

Identity management systems are increasingly used to automate issuance of replacements
for lost passwords, a feature called self service password reset. The user's identity is
verified by asking questions and comparing the answers to ones previously stored (i.e.,
when the account was opened). Typical questions include: "Where were you born?,"
"What is your favorite movie?" or "What is the name of your pet?" In many cases the
answers to these questions can be relatively easily guessed by an attacker, determined by
low effort research, or obtained through social engineering, and so this is less than fully
satisfactory as a verification technique. While many users have been trained never to
reveal a password, few consider the name of their pet or favorite movie to require similar
care.

Password longevity

"Password aging" is a feature of some operating systems which forces users to change
passwords frequently (e.g., quarterly, monthly or even more often), with the intent that a
stolen password will become unusable more or less quickly. Such policies usually
provoke user protest and foot-dragging at best and hostility at worst. Users may develop
simple variation patterns to keep their passwords memorable, which an attacker who has
seen one of the passwords can predict. In any case, the security benefits are distinctly
limited, if there are any, because attackers often exploit a password as soon as it is
compromised, which will probably be some time before change is required. In many
cases, particularly with administrative or "root" accounts, once an attacker has gained
access, he can make alterations to the operating system that will allow him future access
even after the initial password he used expires (see rootkit). Implementing such a policy
requires careful consideration of the relevant human factors; more recent guidance (NIST
SP 800-63B) recommends against routine expiry and in favour of changing a password
when there is evidence of compromise. Expiry may nevertheless be required because of
the nature of the IT systems the password gives access to; where personal data is
involved, the EU Data Protection Directive applies.

Number of users per password

Sometimes a single password controls access to a device, for example, for a network
router, or password-protected mobile phone. However, in the case of a computer system,
a password is usually stored for each user account, thus making all access traceable (save,
of course, in the case of users sharing passwords). A would-be user on most systems must
supply a username as well as a password, almost always at account set up time, and
periodically thereafter. If the user supplies a password matching the one stored for the
supplied username, he or she is permitted further access into the computer system. This is
also the case for a cash machine, except that the 'user name' is typically the account
number stored on the bank customer's card, and the PIN is usually quite short (4 to 6
digits).

Allotting separate passwords to each user of a system is preferable to having a single
password shared by legitimate users of the system, certainly from a security viewpoint.
This is partly because users are more willing to tell another person (who may not be
authorized) a shared password than one exclusively for their use. Single passwords are
also much less convenient to change because many people need to be told at the same
time, and they make removal of a particular user's access more difficult, as for instance
on graduation or resignation. Per-user passwords are also essential if users are to be held
accountable for their activities, such as making financial transactions or viewing medical
records.

Biometrics:

Biometrics comprises methods for uniquely recognizing humans based upon one or more
intrinsic physical or behavioral traits. In computer science, in particular, biometrics is
used as a form of identity access management and access control. It is also used to
identify individuals in groups that are under surveillance.

Biometric characteristics can be divided into two main classes:

• Physiological are related to the shape of the body. Examples include, but are not
limited to fingerprint, face recognition, DNA, Palm print, hand geometry, iris
recognition, which has largely replaced retina, and odour/scent.
• Behavioral are related to the behavior of a person. Examples include, but are not
limited to typing rhythm, gait, and voice. Some researchers[1] have coined the term
behaviometrics for this class of biometrics.

Strictly speaking, voice is also a physiological trait because every person has a different
vocal tract, but voice recognition is mainly based on the study of the way a person
speaks, commonly classified as behavioral.

It is possible to understand if a human characteristic can be used for biometrics in terms
of the following parameters:[2]

• Universality – each person should have the characteristic.
• Uniqueness – is how well the biometric separates individuals from another.
• Permanence – measures how well a biometric resists aging and other variance
over time.
• Collectability – ease of acquisition for measurement.
• Performance – accuracy, speed, and robustness of technology used.
• Acceptability – degree of approval of a technology.
• Circumvention – ease of use of a substitute.

A biometric system can operate in the following two modes:

• Verification – A one to one comparison of a captured biometric with a stored
template to verify that the individual is who he claims to be. Can be done in
conjunction with a smart card, username or ID number.
• Identification – A one to many comparison of the captured biometric against a
biometric database in attempt to identify an unknown individual. The
identification only succeeds in identifying the individual if the comparison of the
biometric sample to a template in the database falls within a previously set
threshold.

The first time an individual uses a biometric system is called an enrollment. During
enrollment, biometric information from an individual is stored. In subsequent uses,
biometric information is detected and compared with the information stored at the time of
enrollment. Note that it is crucial that storage and retrieval in such systems themselves be
secure if the biometric system is to be robust: unlike a password, a stolen template cannot
be revoked and reissued. A biometric system is usually described as a chain of processing
blocks. The first block (the sensor) is the interface between the real world and the system;
it has to acquire all the necessary data. Most of the time it is an image acquisition system,
but it can change according to the characteristics desired. The second block performs all
the necessary pre-processing: it has to remove artifacts from the sensor, enhance the input
(e.g. removing background noise), apply some kind of normalization, etc. In the third
block the necessary features are extracted. This is an important step, as the correct
features need to be extracted in the optimal way. A vector of numbers or an image with
particular properties is used to create a template. A template is a synthesis of the relevant
characteristics extracted from the source. Elements of the biometric measurement that are
not used in the comparison algorithm are discarded in the template to reduce the file size
and to protect the identity of the enrollee.

If enrollment is being performed, the template is simply stored somewhere (on a card or
within a database or both). If a matching phase is being performed, the obtained template
is passed to a matcher that compares it with other existing templates, estimating the
distance between them using a suitable measure (e.g. Hamming distance) and declaring a
match when that distance falls within the configured threshold. The result is then output
for any specified use or purpose (e.g. entrance to a restricted area).
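
The matching stage described in this and the previous paragraph, as an added example that
is not code from the page or from any real biometric product: templates are fixed-length bit
strings, the matcher uses normalized Hamming distance, and the same enrolled database is
queried in verification (1:1) and identification (1:N) mode. The templates and the sensor
noise are synthetic, produced by a seeded random number generator, and stand in for real
feature vectors; the thresholds are this example's choices.

```python
import random


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length binary templates."""
    if len(a) != len(b):
        raise ValueError("templates must have the same length")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def normalized_distance(a: bytes, b: bytes) -> float:
    """Hamming distance as a fraction of the bit length: 0.0 identical, about 0.5 unrelated."""
    return hamming_distance(a, b) / (8 * len(a))


class BiometricSystem:
    """Holds enrolled templates and implements the two operating modes from the text."""

    def __init__(self, threshold: float):
        self.threshold = threshold   # largest normalized distance still counted as a match
        self.templates = {}          # subject id -> enrolled template

    def enroll(self, subject_id: str, template: bytes) -> None:
        self.templates[subject_id] = template

    def verify(self, claimed_id: str, sample: bytes) -> bool:
        """Verification: one-to-one comparison against the claimed identity's template."""
        template = self.templates.get(claimed_id)
        if template is None:
            return False
        return normalized_distance(template, sample) <= self.threshold

    def identify(self, sample: bytes):
        """Identification: one-to-many search. Returns the closest enrolled subject only
        if that best match lies within the threshold, otherwise None."""
        best_id, best_distance = None, None
        for subject_id, template in self.templates.items():
            d = normalized_distance(template, sample)
            if best_distance is None or d < best_distance:
                best_id, best_distance = subject_id, d
        if best_distance is not None and best_distance <= self.threshold:
            return best_id
        return None


def synthetic_template(rng: random.Random, nbytes: int = 64) -> bytes:
    """Constructed stand-in for a feature-extraction output: 512 random bits."""
    return bytes(rng.getrandbits(8) for _ in range(nbytes))


def noisy_sample(rng: random.Random, template: bytes, flip_fraction: float) -> bytes:
    """Simulate sensor and pre-processing noise by flipping a fraction of the bits."""
    bits = bytearray(template)
    total_bits = 8 * len(bits)
    for pos in rng.sample(range(total_bits), int(total_bits * flip_fraction)):
        bits[pos // 8] ^= 1 << (pos % 8)
    return bytes(bits)


def error_rates(system: BiometricSystem, rng: random.Random, trials: int = 100, noise: float = 0.1):
    """Estimate the false reject rate (genuine samples refused) and the false accept
    rate (unrelated samples accepted) of verify() at the system's current threshold."""
    false_rejects = false_accepts = 0
    subjects = list(system.templates)
    for _ in range(trials):
        subject = rng.choice(subjects)
        template = system.templates[subject]
        if not system.verify(subject, noisy_sample(rng, template, noise)):
            false_rejects += 1
        if system.verify(subject, synthetic_template(rng, len(template))):
            false_accepts += 1
    return false_rejects / trials, false_accepts / trials


if __name__ == "__main__":
    rng = random.Random(7)
    system = BiometricSystem(threshold=0.3)
    for name in ("alice", "bob", "carol"):
        system.enroll(name, synthetic_template(rng))
    probe = noisy_sample(rng, system.templates["bob"], 0.1)
    print("verify bob:", system.verify("bob", probe), " identify:", system.identify(probe))
    print("stranger identified as:", system.identify(synthetic_template(rng)))
    print("FRR, FAR at 0.3:", error_rates(system, rng))
```

Moving the threshold is the whole trade-off: at 0.6 the system starts identifying strangers
as enrolled users (false accepts), at 0.05 it rejects genuine users whose sample carries
normal sensor noise (false rejects). The threshold is therefore a security parameter and
should be set from measured error rates, not left at a vendor default.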

Payment Security:

Summary
Protect card details over the Internet, and make your customers feel secure.
Although it is perceived otherwise, transactions over the Internet are in fact safer
than offline transactions.
Three commonly used security measures are SSL, SET and PKI technology.

Protecting card details is the primary security risk with electronic
transactions. Customers are very comfortable using cards in shops and
over the phone despite the ever-present risk of details being copied or
stolen. With payments over the Internet, there is more resistance
towards disclosing card information.

While it is generally perceived that conducting credit/debit card
transactions over the Internet is prone to insecurity and fraud, offline
transactions like landline based telephone calls, can be less secure.
According to Forrester research, for every £1000 of transactions a
company could lose £1 over the Internet compared to £25 offline as a
result of fraud.

Perception can get in the way of fact. Both software and hardware
companies have invested a great deal to further protect online data
and build up customer confidence. Be aware of the security issue and
help customers to feel at ease by telling them about the precautions
you have taken. In the current Internet climate it is vitally important
that you are not only secure but are seen to be secure.

Three of the best known options for the encryption and security of
personal and card details are explained below. Almost every payment
solution mentioned in this online payments tool includes this
technology as standard. Online retailers will not need extra security
measures if they use these market-tested and well-established
products.

Secure Socket Layer (SSL)

SSL allows traffic to be scrambled (or encrypted). The standard SSL
developed by Netscape provides a high level of protection. When this
was written the US government treated encryption technology as
munitions, so the only version of SSL exportable worldwide was the
relatively weak 40-bit version; it was said to protect against casual
attempts to decipher card details, since it took over an hour to crack
one message. That is no longer true: the export controls were relaxed
in 2000, a 40-bit key can be brute-forced on an ordinary PC in hours,
SSL 2.0 and 3.0 have been formally deprecated (RFC 6176 and RFC 7568),
and current deployments should accept only TLS 1.2 or later with
128-bit or stronger cipher suites.

Browsers that support this feature show a dialogue box, a padlock in
the bottom task bar, or a blue key (like Netscape Navigator) to
indicate that a secure session is in progress.

Secure Electronic Transaction (SET)

SET encrypts payment card transaction data and verifies that both
parties in the transaction are genuine. SET, originally developed by
Mastercard and Visa in collaboration with leading technology providers,
has a large corporate backing and is perceived to be more secure as a
result of its validation from card companies.

Public Key Infrastructure (PKI)

PKI is the system of certificate authorities and digital certificates
that binds a public key to the identity of its owner. The underlying
public-key encryption is similar to a bank's night safe in that anyone
holding the public key can deposit items into the safe, but only the
one private key, belonging to the bank, can make withdrawals.

With these systems in place you will be able to demonstrate your
concern for customer security.

ABCpayments.com is a payment gateway in India that allows you to
accept online bank transfers, credit cards and prepaid cash card
payments from your customers. Some of our services include a free
shopping cart and invoice management, and we provide a total end to
end e-commerce solution.

Why ABC Payments:

Internet Banking Excels Credit Cards in India

Financial transactions from online banking in India are expected to
outpace credit card transactions in the forthcoming years.
ABCpayments offers your customers the benefit to transact through
all major banks in India by bringing them on one common platform
that offers one point contact for all banking transactions.
1. All Cash Card companies integrated
2. Provides highest level of security
3. Multi currency support
4. Technical support

Safety Knowhow

Always use a payment gateway that provides merchants with fast,
reliable and secure passage for transaction data over a connection
protected by 128-bit or stronger Secure Sockets Layer / Transport
Layer Security (SSL/TLS) encryption, and that effectively manages the
complex routing of payment information to the appropriate credit card
processors.

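For the 128-bit requirement stated above, and for the earlier point that the 40-bit export
suites should never be negotiated, here is an added example (not code from the page or from
ABCpayments) using only the Python standard library. It builds a client context restricted to
TLS 1.2 or later and strong cipher suites, lists anything the context would still offer below
128 bits, checks whether the local OpenSSL can be talked into the old export suites at all,
and validates the cipher triple a finished handshake reports. The cipher string and the
128-bit floor are this example's choices.

```python
import ssl

MIN_SYMMETRIC_BITS = 128        # the "128-bit" floor the text asks for


def hardened_client_context() -> ssl.SSLContext:
    """The corrected setting: TLS 1.2 or newer only, forward-secret AEAD suites only.
    The cipher string is this example's choice, not a value taken from the page."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # also enables certificate and hostname checks
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


def weak_suites(ctx: ssl.SSLContext, min_bits: int = MIN_SYMMETRIC_BITS):
    """Names of cipher suites the context would still offer below the key-strength floor."""
    return sorted(c["name"] for c in ctx.get_ciphers() if c["strength_bits"] < min_bits)


def legacy_spec_available(spec: str) -> bool:
    """Whether the local OpenSSL can still be configured with a legacy cipher list such as
    the 40-bit "EXPORT40" suites. OpenSSL 1.1.0 and later dropped the export suites, so on
    a current build this returns False: the weak setting is not merely a bad idea, it is
    no longer available."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return False
    return bool(ctx.get_ciphers())


def negotiated_is_acceptable(cipher, min_bits: int = MIN_SYMMETRIC_BITS) -> bool:
    """Post-handshake check on the (name, protocol, bits) triple that ssl.SSLSocket.cipher()
    returns, for code that did not build the context itself and must not trust the peer."""
    name, protocol, bits = cipher
    return protocol in ("TLSv1.2", "TLSv1.3") and bits is not None and bits >= min_bits


if __name__ == "__main__":
    ctx = hardened_client_context()
    print("minimum protocol:", ctx.minimum_version.name)
    print("weak suites offered:", weak_suites(ctx) or "none")
    print("40-bit export suites configurable here:", legacy_spec_available("EXPORT40"))
    print("accept EXP-RC4-MD5/SSLv3/40:", negotiated_is_acceptable(("EXP-RC4-MD5", "SSLv3", 40)))
```

The post-handshake check matters when the context comes from a framework or a third-party
library: `ssl.SSLSocket.cipher()` reports what was actually negotiated, and refusing to send
card data over anything below the floor is cheap insurance against a misconfigured server.
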
Online payment risk assessment:
Summary:
How exposed are you to risk?
Your exposure to risk depends on charge-backs, forecast turnover, average
transaction size, time from payment to order fulfillment, the length of your trading
record, your business sector classification and how many safeguards you have in
place.
You will need to pay for a bond ie an insurance to cover this risk. This could cost
between £300-2000.

Exposure is the acquiring bank's estimate of the total risk you are
exposed to at any one time, for instance, the number of sales open to
refund over a given period. The bond is an amount of money,
overdraft facility or insurance to cover any exposure. Your exposure
level will also affect the charge bands offered to your business, i.e.
monthly charges and transaction charges.

Acquiring banks calculate the exposure whether the Merchant Service
provided is online or offline. The exposure level is calculated by
examining the following elements of risk:

• Charge-backs – the risk of refunds on your merchant account;
• Forecast turnover figures – higher turnover can generate higher exposure;
• Average transaction size – if you sell very high value items (diamonds, cars)
this will influence the risk analysis of your business;
• Time from payment to order fulfillment – The longer it takes to dispatch
goods to a customer, the greater the risk of an order cancellation;
• Length of trading record – a start-up company presents more risk than a well
established business;
• Business sector classification – different sectors have more or less risk
associated with them (CDs can be resold but a flight needs the purchaser to
turn up in person). Some banks have over 700 different business sector
classifications.
• Safeguards you have in place – security checks like verifying address details
or phoning customers who place large or repeated orders will reduce the
perceived risk.

The bond that may be introduced to underwrite the exposure level can
range from £300-£2000 (maybe even £0) for an average SME bond.
Often the bond can be covered by a small increase to your overdraft
facility and even some specialist insurance.

The level of bond required from your company depends on the factors
above. For instance a travel company where products are often
purchased months prior to the fulfillment of the transaction have a
much higher exposure to charge-back than a product where fulfillment
is immediate, or even prior to payment, for example a restaurant
business, which will rarely have to lodge a bond.

The element of exposure will be an important factor for the retailer to
consider when deciding which payment method to employ. The
acquiring bank may require a bond to be lodged with them to cover
the worst possible scenario of charge-backs or fraud.

Be aware of this area of merchant services and negotiate with your
bank to establish a reasonable level of risk or look at bureaus and
alternative solutions to remove this cost from your payment solution.

Electronic Payment Application:

Summary:
If you want to use Electronic payments you will need to undergo an application
process.
Think about your average transaction value, transaction frequency, perceived
security risk, exposure level, forecast turnover, online turnover, trading history and
time from payment to order fulfillment.
The diagnostic tool will help you.

Electronic payments are a financial process and your application will be
checked thoroughly by the solution provider. The banks use the most
rigid application procedures but other service providers will ask
questions about your business to determine the price and products
that suit you. Please register for free to use the e-payments
comparison tool. This will give you a good starting point and allow you
to shortlist potential solution providers for a detailed discussion. We
would also recommend you look at the product information datasheets
which are accessible from the tool as all the contact or online
application forms are linked from these pages.

Prepared data means a faster application process. Here is a list of
criteria to consider:

• Average transaction value: this is the normal size of transactions that go
through your electronic payment system. There is a big difference between
a £0.50 sale and a £2,500.00 sale, especially if your solution provider charges
a commission based on a percentage of the transaction!
• Transaction frequency: This determines what solution is best for the volume
of transactions carried out; 100 x £10.00 transactions per month are very
different from 10,000 x £30.00 transactions per month.
• Perceived security risk: Most providers (especially banks) will place your
business into a security classification when assessing your application. Easy to
resell items like CDs and footballs then might fall into a lower risk category
than a business selling, say, holidays where the customer has to turn up to
take the holiday.
• Exposure level: This reflects the perceived risk of refunds and fraud in your
business; see the next few pages.
• Forecast turnover figures: This is an indication of your financial viability.
• Online turnover: Simply how much do you plan to make online!
• Trading history: This will affect the trust the provider places in your business;
if you are a newly started business you might find it harder to get some
products but the diagnostic tool will help you identify the alternatives.
• Time from payment to order fulfillment: This is the period of time a customer
has to become dissatisfied.

These main points to consider are examined in the following pages.
The diagnostic tool also provides links and phone numbers for all the
main UK electronic payment solution providers so you can progress
your application.

Payment Methods
Payment transfers may be completed by a variety of means. All of these payments are
applicable to mainstream national currencies, but many of them also apply to the various
local or community currencies (e.g. LETS, Ithaca HOURS, Time Dollars) as well.

We have classified the different payment mechanisms in five categories as follows:

1. ATM-model transactions, involving only a financial institution and an
accountholder who either deposits or withdraws money from his/her account;
2. Unmediated Two-Party Payments: when the buyer and seller are the only two
parties involved in the transaction--for instance, cash payments in national
currency or Ithaca HOURS;
3. Mediated Three-Party Transactions: payments with credit or debit cards or with
cheques fall in this category, as do most LETS and Time Dollar transactions;
4. Micropayments: until now only applicable in new forms of electronic payments
where the service or information is metered out and charged on very small
increments, e.g. traditional telephone charges, new automatic toll charges, and
other digital cash applications; and
5. Anonymous digital cash: electronic encrypted currency, pioneered by David
Chaum's Digicash, which ensures that--as with paper currency and coins--the
privacy of the cash user remains protected.
Take a look at our payment method directories, each of which contains a brief (and
impartial) description of all the possible variations on that particular method. And be sure
to tell us if we missed one.

ATM / Farecard Two-Party Payment Methods

• NetFare is a farecard for making incremental payments for online
purchases of information.
• Mondex on the Internet aims to enable home downloading of debit cash
cards, online micropayments, and more.
• The Transactor MK2 provides an easy and convenient method of
transferring value or information from one smart card to another, and
will be used to enable community currency smartcards for use with
LETS and other complementary currency systems.
• Some companies list an 800 number on their web page for orders.
Unfortunately, some imply that transactions over the internet aren't as
safe as other transactions.
• Ziplock will allow online vendors to provide customers key codes to
their products only after payment has been verified.
• I-Escrow will verify and set aside payment for online purchases until the
buyer has received and approved the merchandise.
• The Netcard project has gathered lots of information about ATMs and
high speed networks, smartcards, and ATM security.
• purchased Digicash in August, 1999, and now offers secure and
anonymous cash-like electronic payments.
• Atalla, recently purchased by Compaq, offers a variety of security
hardware products, including smartcard systems.

Unmediated Two-Party Payment Methods

• Plenty of barter and service exchange networks are thriving on and off
the net. To name a few:
o The International Reciprocal Trade Association aims to "advance
the barter industry worldwide and raise barter's value to the
business community and economy".
o Habitat For Humanity helps low-income families trade their
"sweat equity" for affordable housing.
o The Global Village Bank facilitates the exchange of computer-
and Internet-related services.
o The Global Resource Bank attempts to preserve shareholders'
"natural capital".
• Some companies list an 800 number on their web page for orders.
Unfortunately, some imply that transactions over the internet aren't as
safe as other transactions.

Mediated Three-Party Payment Methods

• LETS is a model for community-building mutual credit systems. The
LETSystems Home Page provides information on British applications of
LETS, and the econ-lets mailing list site includes list archives. The latest
word on multi-LETS can be found at LETSgo. We also maintain a
directory of LETS resources to visit.
• What are Time Dollars? The Time Dollar model was designed to keep
track of--and thus encourage--community service and volunteer work,
and has been successfully adapted for use in many communities. See The
Time Dollar Institute page for more information.
• Step into the lobby of Security First Network Bank, an internet savings
bank.
• If, for whatever reason, you can't conduct secure transactions online, you
can always use toll-free or metered telephone calls to transfer or verify
payments. For example, the Secure800 system generates a transaction
number online but payment is transferred over the telephone.

Credit Card-Related Online Payments

• Some new (Fall 1999) free email-based payment systems, including
PayPal/X.com and Flooz, bill the sender's credit card or bank account, or
deduct the payment from an account prepaid by check or money order.
PayPal recipients may receive payment by check, or have it directly
deposited to a bank account; Flooz recipients may use their payments at
certain online merchants.
• 1ClickCharge consumers download a "super-thin client" (wallet) and
prepay for a block of micropurchases by credit card.
• Other micropayment enterprises relying on third parties include
o Trintech's NetWallet and ezCard aim to "provide consumers with
simple and secure eCommerce payment instruments".
o Trivnet's WISP merchant server bills micropayments to the
consumer's ISP account.
o iPIN also bills digital content purchases to the buyer's ISP
account.
o QPass is another wallet-based system that bills the buyer's credit
card for aggregated purchases.
o If you're running a CyberCash server, people can download a
CyberCash wallet, and then send their credit card number
encrypted safely over the internet. They also have a new
micropayment system, CyberCoin, which we'll talk about in the
micropayment section.
o IBM now offers micropayment wallets and servers.
• Netscape offers a wide range of secure server products. Considering that
they're the most predominant browser cruising the net, and that there's
already seamless integration, this is an obvious, compelling solution, and
helps enable a lot of other solutions.
• Cybersource
--led by the folks who brought you software.net--offers real-time credit
card processing.
• Open Market provides secure servers and other transaction software.
• software (currently available only for PCs) will process transactions via
credit card or ATM/debit card.
• Outreach allows merchants to process credit card transactions online in
real time.
• Ziplock will allow online vendors to provide customers key codes to
their products only after credit card payment has been verified.
• The AuricWeb system allows ISPs to log online transactions just like
other accountholder statistics.
• CyBank adapts telephone billing models--prepaid cards and metered
charges--to Internet purchases.
• SecureProcess handles real-time Electronic Funds Transfers, ACH
transactions, and credit card payments online.
• Sales Associate will host and manage your "virtual storefront" for you.
• eVend helps you handle your online credit-card authentication.
• develops and markets real-time credit card payment servers.
• The SET specification for encrypted electronic transaction data,
developed by VISA and Mastercard using the encryption methods
pioneered by RSA, is now being applied in Korea, Singapore, Taiwan,
Japan, and elsewhere. Before you study the massive official
documentation, read one Wired author's skeptical report, "Is the Web set
for SET? How to tell a proposed networking standard will be D.O.A.".

Check-Based Online Payments

• CheckFree has been creating electronic payment systems since 1981, and
has a checkless payment system which you can use from a PC.
• Verifone is another company that has been making electronic payment
systems for many years. They now have an internet system for
consumers, retailers and financial institutions.
• Likewise, the FSTC Electronic Check Project tries to extend checking as
we know it into the web.
• Look into the encryption methods pioneered by Brands's Cash
• Electronic Funds Clearinghouse, Inc. attempts to extend Electronic
Funds Transfer technology (which they helped develop) to online
business.
• "Check" out some big-name efforts, like Secure Electronic Transaction
(SET) from Visa/Mastercard, iKP: A Family of Secure Payment
Protocols from IBM, and what Sun Internet Commerce Group has been
working on.
• NetCheque provides an accounting server to process checks tendered
online.
• NetChex and Online Check Systems have developed online check
registries and verification services.
• Redi-Check allows users to draft pre-authorized checks online.
• PaymentNet handles online credit and debit card transactions.
• TipJar is another mediated payment system.

Micropayment Methods

• Some new (Fall 1999) free email-based payment systems, including
PayPal/X.com and Flooz, bill the sender's credit card or bank account, or
deduct the payment from an account prepaid by check or money order.
PayPal recipients may receive payment by check, or have it directly
deposited to a bank account; Flooz recipients may use their payments at
certain online merchants.
• 1ClickCharge consumers download a "super-thin client" (wallet) and
prepay for a block of micropurchases by credit card. On December 1,
1999, 1ClickCharge announced intentions to release "post-delivery
content management" methods in the 2nd quarter of 2000.
• QPass is another wallet-based system that bills the buyer's credit card for
aggregated purchases, relieving merchants of some of the per-transaction
burden of other credit-based online micropayment systems. The New
York Times Neediest Cases Fund used QPass in November, 1999, to
receive online donations.
• Trintech, a Dublin- and Silicon Valley-based company, offers NetWallet
and ezCard, which aim to "provide consumers with simple and secure
eCommerce payment instruments".
• Trivnet's WiSP merchant server, which does not require buyers to
download a wallet, bills micropayments to the consumer's ISP account.
• iPIN also bills digital content purchases to the buyer's ISP account. In
September 1999, it entered into agreements with several digital music
companies to handle web-based payments for their online musical
content.
• As of May 1999, Cybercoin, the micropayment system developed by
Cybercash, will no longer be available. Through partnerships with ISPs
like Concentric Networks, Cybercash may be able to offer other
e-commerce packages that will include micropayments.
• Millicent, a micropayment system implemented by Digital Equipment
Corp, now owned by Compaq, went live in June 1999 in Japan, with
wallets starting at 1000 yen and payments as small as 5 yen
(approximately $0.04 at launch time).
• Clickshare is a micropayment system run by some east coast local
publishers. They're currently looking for a CEO, but have a pretty neat
system. You need a $1,995 server for each accepter of the micromoney.
• Digicash, one of the most promising e-cash companies, filed Chapter 11
in November 1998, and was then acquired by eCash Technologies Inc. in
August of 1999.
• The Micro Payment Transfer Protocol (MPTP) (1995) has been followed
by papers on Common Markup for Web Micropayment Systems (March
15, 1999).
• Intertrust was working on an encrypted envelope payment method, but
they appear to have moved on to general e-commerce security solutions,
such as the "Secure Digital Music Initiative" on behalf of the recording
industry.
• Carnegie Mellon's NetBill, which Visa was supposedly going to employ,
has been adopted by CyberCash and is currently in Alpha testing.
• The PostScript paper PayWord and MicroMint lays out two simple
micropayment systems designed by Ronald L. Rivest and Adi Shamir.
• IdeaMarket was an attempt to allow visitors to search a database of
content and charge items to their credit card account. The company
aspires to become "the World-Wide Marketplace for Intellectual
Property", as soon as it launches.
• IBM now offers micropayment wallets and servers.
• Netrights was working on Attribute, a software product designed to
identify intellectual property rights on digital media, thus enhancing the
attribution of IP rights, and making it 'effortless' to use those rights.
Their website is currently being reorganized, but new developments may
pop up.
• e-gold, for a modest fee, stores the entire 'e-metals' (gold, silver,
platinum, and palladium) account you purchase and allows you to
conduct electronic transactions of all sizes with other account holders.
• The AuricWeb system allows ISPs to document online transactions
along with other user statistics.
• CyBank adapts telephone billing models--prepaid cards and metered
charges--to Internet purchases.

Anonymous Cash Payment Methods

These types of systems are more difficult to implement than most
of the others.

• Digicash, developed by Dr. David Chaum, was supposedly a candidate
to become the most prominent force in the electronic cash battle. After
the company went bankrupt in late 1998, its properties were acquired by
eCash Technologies Inc. in 1999.

Because it is anonymous except when there are problems, economic forces
may tend to favor a currency like this over some of the others. eCash
uses national currency as a unit of account. EUNET was offering ecash
accounts in Finnish Marks, and you can browse through a list of banks
issuing eCash in Australia, Austria, Germany, and Switzerland.

• The NetCheque network payment system is an electronic payment
system designed for the internet, being put together by the Information
Sciences Institute at the University of Southern California. NetCash is a
framework for electronic currency being developed to work with
NetCheques.
• PayMe is a theoretical framework which attempts to combine the
anonymity of DigiCash with the scalability of Netcash.

Virus Protection:

Hacking:

Hacking (English verb to hack, singular noun a hack) refers to the re-configuring or re-
programming of a system to function in ways not facilitated by the owner, administrator,
or designer. The term(s) have several related meanings in the technology and computer
science fields, wherein a "hack" may refer to a clever or quick fix to a computer program
problem, or to what may be perceived to be a clumsy or inelegant (but usually relatively
quick) solution to a problem, such as a "kludge".

The terms "hack" and "hacking" are also used to refer to a modification of a program or
device to give the user access to features that were otherwise unavailable, such as by
circuit bending. It is from this usage that the term "hacking" is often used to refer to more
nefarious criminal uses such as identity theft, credit card fraud or other actions
categorized as computer crime.

On many internet websites and in everyday language the word "hack" can be slang for
"copy", "imitation" or "rip-off."

The term has since acquired an additional and now more common meaning, since
approximately the 1980s; this more modern definition was initially associated with
crackers. This growing use of the term "hack" is to refer to a program that (sometimes
illegally) modifies another program, often a computer game, giving the user access to
features otherwise inaccessible to them. As an example of this use, for Palm OS users
(until the 4th iteration of this operating system), a "hack" refers to an extension of the
operating system which provides additional functionality. The general media also uses
this term to describe the act of illegally breaking into a computer, but this meaning is
disputed. This term also refers to those people who cheat on video games using special
software. This can also refer to the jailbreaking of iPods.

The term is additionally used by electronics hobbyists to refer to simple modifications to
electronic hardware such as graphing calculators, video game consoles, electronic
musical keyboards or other device (see CueCat for a notorious example) to expose or add
functionality to a device that was unintended for use by end users by the company who
created it. A number of techno musicians have modified 1980s-era Casio SK-1 sampling
keyboards to create unusual sounds by doing circuit bending: connecting wires to
different leads of the integrated circuit chips. The results of these DIY experiments range
from opening up previously inaccessible features that were part of the chip design to
producing the strange, dis-harmonic digital tones that became part of the techno music
style. Companies take different attitudes towards such practices, ranging from open
acceptance (such as Texas Instruments for its graphing calculators and Lego for its Lego
Mindstorms robotics gear) to outright hostility (such as Microsoft's attempts to lock out
Xbox hackers or the DRM routines on Blu-ray Disc players designed to sabotage
compromised players).

Cracking:

Software cracking is the modification of software to remove or disable features which
are considered undesirable by the person cracking the software, usually related to
protection methods: copy protection, trial/demo version, serial number, hardware key,
date checks, CD check or software annoyances like nag screens and adware. The
distribution and use of cracked copies is illegal in almost every developed country.
There have been many lawsuits over cracking software.
