Amity International Business School

ECOMMERCE AND SECURITY EITTGM SEM-1

Seema Sahai

Amity International Business School

ECOMMERCE
Examples Amazon.com - The Internets largest virtual bookstore Security First National Bank - The first original virtual bank eTrade - An online stock broker at reduced prices Wall Street Journal Interactive - An online version of the WSJ Commonalties in examples drive definition
Use of a common electronic medium Perform commercial exchanges of value Transaction between two entities

Amity International Business School

ECOMMERCE
Examples

Digital Content Peer-to-Peer (starting with Napster); Apples iTunes Music Store Mobile eCommerce - Vending (and other) machine purchases Using cell phone of other specialized token or smart card Master Card - August 28, 2003 - MasterCard International today unveiled MasterCard SideCard, the stylish new payment card which features a modified design small enough to fit on a key ring. MicroPayments Allows Web Surfers a method to make small Purchases (under $1)

Amity International Business School

Are Internet (and other) security issues over-hyped?

Yes

But....there are valid concerns

Amity International Business School

Internet was never designed with security in mind. Many companies fail to take adequate measures to protect their internal systems from attacks. Security precautions are expensive {firewalls, secure web servers, encryption mechanisms}. Security is difficult to achieve.

Amity International Business School

RISKS

Lack of Privacy or Confidentiality

Transaction Integrity False Identification of Transaction Participants

Inability to Prove Transactions Occurred

False Storefronts

Amity International Business School

Examples of Past Incidents

Citibank
1994: Using the Fedwire system, Russian hackers compromised passwords and PINs to make more than 40 unauthorized wire transfers totaling nearly $10 million.. 1997: German hackers, Chaos Computer Club, demonstrated to German TV audiences an ActiveX module that allows Quicken to transfer money without needing to enter the softwares normal security systems. 1997: Using another employees ID and password, a disgruntled ex-Forbes business unit employee disrupted the internal communications network, creating an estimated $100,00 damage

Chaos Club

Forbes

Amity International Business School

Examples of Past Incidents

Wells Fargo
November: A thief broke into a Wells Fargo Contractor's office in Concord and stole a laptop computer containing personal customer information including names, social security numbers, home addresses and banking habits. Variety of different scams since the late 1990s including: Criminals buy ATMs and install them in small businesses to obtain the user's mag-stripe and PIN info; Plastic covers inserted into machines and over keypads to capture PIN info; Cardboard or plastic inserted to trap card thief shouldersurfs to obtain PIN. WaMu: at least three customers have had their ATM access information stolen and used to access their accounts. Customers receive e-mail under the subject PayPal Verfication with a return address of verification@paypal.com. E-mail asks customer to verify their confidential information by replying to the e-mail or directed to an bogus Internet site.

ATMs

PayPal

Amity International Business School

Future Risks
Dramatic growth in B-B, B-C, and B-G Internet terminals in stores, airports, bars

In ShortAnything that contains personal information Such as a magnetic strip on a card Driver's License Credit Card ATM Card Medical Provider Cards

Amity International Business School

Where is the threat coming from? Disgruntled/Former Employees Competitors

Hackers

MY NETWORK

Foreign Governments Crooks

Amity International Business School

Business to Consumer Risks

Firewall
Internal Network
Web Server RISKS Intercepted transmission Denial of service Network intrusion
Remote Users accessing EC application over the Internet

Internet

Amity International Business School

Business to Business Risks

Firewall Internal Network Firewall

Internet

Internal Network

RISKS Loss of availability Cant confirm transmission received Eavesdropping

Amity International Business School

Potential Business Impact

Public Embarrassment / Image Compromised Confidential Information Compromised Integrity Of Information Disruption of Services (System / Network Outages) Fraud or Theft of Services Financial Liability Criminal Liability Under State or Federal Laws

Amity International Business School

How Do You Implement Adequate Security?

Amity International Business School

Security methodology Proper security must provide the appropriate assurance that in any transaction:
1. Both parties are identified and authenticated 2. Both parties can only perform the actions they are supposed to 3. The transaction information is correct/unaltered 4. The transaction is kept confidential 5. There is proof the transaction occurred (norepudiation)

Amity International Business School

Security methodology
These assurances provide:
Identification
Authentication Authorization A Secure Solution Confidentiality Integrity

Non-Repudiation

Amity International Business School

The EC Security Toolkit

Firewalls Strong authentication Public key technology Secure Protocols Virtual Private Networks General system security

Amity International Business School

Firewall Solutions
Functions of a Firewall Between a trusted and untrusted network Controls traffic based on service, source, destination, user ID

Deny everything that is not specifically allowed

Amity International Business School

Strong Authentication
What you know, what you have, who you are (where you are?) Several main types Time based tokens Challenge response Public key (client side certificates) Smart card based

Amity International Business School

Leading Authentication Examples

IDs & Passwords Benefits: Users are comfortable Risks: Easily compromised or cracked! Digital Certificates Benefits: Can be invisible to the user Risks: Require infrastructure, trust hierarchy Smartcards Benefits: Strong link back to specific user Risks: Deploying readers, inconvenient for user

Amity International Business School

Security Architecture

Business Application
Application Web Server Server Entity One (Business a.k.a. Bank of David) Firewall

Internet

End User
End User PC Entity Two (User a.k.a. Fred)

Amity International Business School

Security Architecture
Authentication Client Yes/No Response

Authentication Server

Application Web Server Server Entity One (Business a.k.a. Bank of David)

Firewall

Internet

End User PC Entity Two (User a.k.a. Fred)

User ID & Password

Amity International Business School

Security Architecture
Authentication Client

Decrypt with Decrypt with business users public digital private key signature key

Private Key

Authentication Server

Application Web Server Server Public Key Storage Entity One (Business a.k.a. Bank of David)

Firewall

Internet

Private Key End User PC Entity Two (User a.k.a. Fred)

Encrypt with users Encrypt with private digital business signature key public key

Amity International Business School

Security Architecture
Authentication Client

Private Key

Authentication Server

Application Web Server Server Public Key Storage Entity One (Business a.k.a. Bank of David)

Firewall

Certificate Directory Certificate Authority Private Key End User PC Entity Two (User a.k.a. Fred)
X= S[F(y)*p] Computes message hash 0110101110

Internet

End User Signature

Encrypts message hash with users private key

Amity International Business School

Security Architecture
Authentication Client

Private Key

End User Signature

Authentication Server

Application Web Server Server Public Key Storage Entity One (Business a.k.a. Bank of David)

Firewall

User Certificate

Certificate Directory Certificate Authority Private Key End User PC Entity Two (User a.k.a. Fred)
End User Signature

Internet User Certificate

User Certificate

Amity International Business School

Security Architecture
0110101110 Authentication Client

Re-computes message hash Decrypts message hash with users public key

X= S[F(y)*p]

Private Key

0110101110

End User Signature

Authentication Server

Application Web Server Server Public Key Storage Entity One (Business a.k.a. Bank of David)

Firewall

Certificate Directory Certificate Authority Private Key End User PC Entity Two (User a.k.a. Fred)

Internet

Amity International Business School

Secure Protocols

S-HTTP security enhanced version of the HTTP protocol wraps entire message in a secure envelope SSL secures the channel with session keys provides data encryption, server and client authentication in version 3 SET provides authentication and encryption for credit card transactions

Amity International Business School

Virtual Private Networks

Encrypted tunnel Varying levels of trust Multiple business applications

Internet

Amity International Business School

Traditional Security
Host security Secure applications / programming Network security / partitioning Physical security Policies, procedures, guidelines, standards

Amity International Business School

Some Common Mistakes

Waiting too late to consider security Dont analyze business risks Give security to junior member on team Pick a solution when you dont understand the technology Ignore operating system level security Thinking IDs and passwords are enough

Amity International Business School

Good security solutions are available; the key is applying them Public perception will change over time Need to focus on business risks

Amity International Business School

TACKLING CYBER CRIMES INTELLECTUAL PROPERTY RIGHTS AND COPYRIGHTS PROTECTION ACT

Amity International Business School

IT ACT PROVISIONS
email would now be a valid and legal form of communication in our country that can be duly produced and approved in a court of law. Companies shall now be able to carry out electronic commerce using the legal infrastructure provided by the Act. Digital signatures have been given legal validity and sanction in the Act.

Amity International Business School

IT ACT PROVISIONS
The Act now allows Government to issue notification on the web thus heralding egovernance statutory remedy in case if anyone breaks into companies computer systems or network and causes damages or copies data

Amity International Business School

CYBER CRIMES
CYBER CRIMES AGAINST PERSONS eg melissaand lovebug virus CYBER CRIMES AGAINST PROPERTY eg computer vandalism CYBER CRIMES AGAINST GOVERNMENT eg Al-Qaeda

Amity International Business School

TAMPERING WITH COMPUTER DOCUMENTS HACKING WITH COMPUTER SYSTEM PUBLISHING OBSCENE MATERIAL ON INTERNET BREACHING OF CONFIDENTIALITY AND PRIVACY

Amity International Business School

CYBER LAWS AMENDMENTS

INDIAN PENAL CODE,1860

INDIAN EVIDENCE ACT,1872 BANKERS BOOK EVIDENCE ACT,1891 GENERAL CLAUSES ACT,1897

Amity International Business School

CONCLUSION
CYBER LAWS_ ESSENTIAL FEATURE IN TODAYS WORLD OF INTERNET

ACHIEVING GLOBAL PEACE AND HARMONY

Amity International Business School

THANK YOU