
Manav Rachna College of Engg.

Department/Semester: MBA IV SEM

Course Name: Electronic Commerce

E-Commerce : Security Concerns


- Confidentiality: controlling access to information
- Integrity: data and programs are free from unauthorised change or loss
- Availability and legitimate use: continual access for authorised users
- Non-repudiation: the ability to ensure that neither party can deny a transaction or remain anonymous; requires a legal framework within which to punish offenders
- Security is a compromise: cost vs perceived security

Difficult, as security is always a cost and there is no way of measuring the return on investment.

Security Risk Management

Authentication - of the web site or the buyer / participant. Requires some credentials, e.g.:
- knowledge: password
- physical: card, fob, etc.
- biometric: fingerprint, retina scan, face recognition

Authorisation - access rights to certain areas

Auditing - log files and journal files

Information Security Policy - iterative development:
- List all resources requiring protection (routers, firewalls, etc.)
- Define physical access restrictions to servers, PCs, etc.
- Define electronic access to the above
- Catalogue the threats to each resource and perform a risk analysis

Security Mechanisms
Access control mechanisms
Access control mechanisms are closely connected with authentication. Each principal is assigned a set of access permissions or rights (e.g., read, write, execute). Each access to a protected resource is mediated by a central computing facility called a reference monitor. In order to be able to use its access permissions, a principal has to be successfully authenticated first. If access control is implemented correctly, most infiltration attacks pose no danger.

Encryption mechanisms
Encryption mechanisms protect the confidentiality (or privacy) of data. An encryption mechanism always uses a key available only to a defined group of people. Such a group can consist of one person (the receiver of the encrypted data) or several people (e.g., all parties involved in a communication session).

Digital signature mechanisms
Digital signatures provide not only data integrity but also non-repudiation. They can be generated by a special digital signature mechanism as well as by some encryption mechanisms.

Data integrity mechanisms
Data integrity mechanisms protect data from unauthorized modification. They can, for example, use digital signatures of message digests computed by a cryptographic hash function.

Traffic padding mechanisms
Traffic padding mechanisms offer protection against traffic analysis. Sometimes an adversary can draw conclusions from observing, for example, a change in the amount of data exchanged between two principals. Therefore it may be advisable to generate "dummy" traffic to keep the level approximately constant, so that the adversary cannot gain any information.

Routing control mechanisms
A routing control mechanism makes it possible to choose a specific path for sending data through a network. In this way, trusted network nodes can be selected so that the data is not exposed to security attacks. Moreover, if data entering a private network has no appropriate security label, the network administrator can decide to reject it.

Notarization mechanisms
Notarization mechanisms are provided by a third-party notary that must be trusted by all participants. The notary can assure the integrity, origin, time or destination of data. For example, a message that has to be submitted by a specific deadline may be required to bear a time stamp from a trusted time service proving the time of submission. The time service could affix a time stamp and, if necessary, also digitally sign the message.
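The access control and data integrity mechanisms described above, as an added example that is not part of the lecture: a small reference monitor that refuses every access by a principal who has not been authenticated first and records each decision in an audit log, alongside an HMAC-SHA256 integrity tag that detects modification of a message. A keyed hash is used here because the Python standard library has no signature primitive; it gives integrity and origin within the key group, not the non-repudiation a digital signature provides. All principals, passwords, resources and the shared key are constructed for the example.

```python
"""Added example (not from the lecture): a minimal reference monitor plus an
HMAC-based data integrity check. All names and sample data are constructed."""
import hashlib
import hmac
import secrets


# --- Access control: every access is mediated by the reference monitor ------

class ReferenceMonitor:
    """Mediates every access. A principal may use its permissions only after
    it has been successfully authenticated; every decision is audited."""

    def __init__(self):
        self._credentials = {}       # principal -> (salt, password hash)
        self._permissions = {}       # principal -> {resource: set(rights)}
        self._authenticated = set()  # principals with a valid session
        self.audit_log = []          # auditing mechanism: one line per decision

    def register(self, principal, password, permissions):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._credentials[principal] = (salt, digest)
        self._permissions[principal] = {r: set(v) for r, v in permissions.items()}

    def authenticate(self, principal, password):
        if principal not in self._credentials:
            self.audit_log.append(f"auth {principal} FAIL (unknown)")
            return False
        salt, stored = self._credentials[principal]
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        ok = hmac.compare_digest(digest, stored)   # constant-time comparison
        if ok:
            self._authenticated.add(principal)
        self.audit_log.append(f"auth {principal} {'ok' if ok else 'FAIL'}")
        return ok

    def check_access(self, principal, resource, right):
        # Unauthenticated principals get nothing, whatever rights they hold.
        if principal not in self._authenticated:
            decision = False
        else:
            rights = self._permissions.get(principal, {}).get(resource, set())
            decision = right in rights
        self.audit_log.append(
            f"access {principal} {right} {resource} {'allow' if decision else 'deny'}")
        return decision


# --- Data integrity: keyed digest detects unauthorised modification ---------

def protect(data: bytes, key: bytes) -> bytes:
    """Return data || HMAC-SHA256(key, data). Only holders of the key can
    produce a tag that verifies (integrity within the key group, not a
    digital signature, so it does not give non-repudiation)."""
    return data + hmac.new(key, data, hashlib.sha256).digest()


def verify(blob: bytes, key: bytes):
    """Return (is_intact, data). Any change to data or tag makes it fail."""
    data, tag = blob[:-32], blob[-32:]
    expected = hmac.new(key, data, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected), data


def demo():
    rm = ReferenceMonitor()
    rm.register("alice", "correct horse", {"orders.db": {"read", "write"}})
    rm.register("bob", "hunter2", {"orders.db": {"read"}})
    results = {}
    results["unauth_read"] = rm.check_access("alice", "orders.db", "read")
    rm.authenticate("alice", "correct horse")
    results["auth_write"] = rm.check_access("alice", "orders.db", "write")
    rm.authenticate("bob", "hunter2")
    results["bob_write"] = rm.check_access("bob", "orders.db", "write")

    key = b"constructed-shared-key-for-example"
    blob = protect(b"ORDER 42: 3 x widget @ 9.99", key)
    results["intact"] = verify(blob, key)[0]
    # Tamper with the data part only; the tag no longer matches.
    tampered = blob[:-32].replace(b"9.99", b"0.99") + blob[-32:]
    results["tampered"] = verify(tampered, key)[0]
    return results


if __name__ == "__main__":
    print(demo())
```

The audit log produced by `demo()` shows the order the lecture describes: the first access by alice is denied because she has not yet authenticated, and bob's write is denied because his rights do not include it, even though he is authenticated.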

Major Issues : Legal, Privacy & Ethical

The nature of domain names


A domain name is essentially an e-commerce logo which provides companies with their e-identity. It is in fact a user-friendly alphanumeric alias for an Internet Protocol (IP) address. An IP address is a unique number that identifies a particular computer that is attached to the Internet. Top-level domains (TLDs) are split into:
- generic top-level domain names (gTLDs)
- country-code specific top-level domain names (ccTLDs)

ccTLDs are numerous (there are about 190 countries with ccTLDs) and these are represented by two letters of the alphabet, e.g.:
- .ch Switzerland
- .fr France
- .in India
- .my Malaysia

There are only three gTLDs that are generally available on a first-come-first-served basis to anyone in the world:
- .com
- .net
- .org

The domain name registration system offers no protection against the registration of similar names. For example, although I may register the domain name pwcarey.com, this does not stop someone else registering the domain name p-w-carey.com or pcarey.com. The fundamental difference between a trade mark and a domain name is that there can be several identical trade marks registered in different parts of the world, or even in the same jurisdiction, by different people.

Each identical trade mark can relate to a different type of goods without any possibility of the trade mark use constituting an infringement. By contrast there can only ever be one of each domain name, as such names are necessarily unique. Whilst use of an identical domain name to one registered by an e-business is therefore impossible.

Cybersquatting

Cybersquatting is the activity that involves the bad faith registration of trade marks as domain names. The Internet Corporation for Assigned Names and Numbers (ICANN) set up a dispute resolution system for the top-level generic domain names (.com, .net and .org) in December 1999. That system, known as the Uniform Dispute Resolution Policy (UDRP), has proved very popular and successful. It is administered by four bodies (the best known of which is the World Intellectual Property Organisation) and frequently results in a domain name being transferred to the claimant. This section considers the dispute resolution procedures of ICANN and Nominet (which administers all .uk domain names).

The Distance Selling Regulations

A consumer who purchases goods or services from an e-commerce business is protected to a greater degree than a business purchaser is. The information requirements:
a) the identity and address of the supplier
b) the characteristics of the goods or services
c) the price including all taxes
d) delivery costs
e) arrangements for payment, delivery, performance
f) the existence of the right of cancellation
g) any additional costs of using the means of distance communication
h) the period for which the price remains valid
i) where appropriate, the duration of a service contract

Website linking Agreements

To date operators of websites have provided links from their own sites to those of third parties with little thought for the legal consequences. In one case, involving the website of a Scottish newspaper, an e-business was sued for providing a link to a page within the site of the newspaper. This practice, known as deep linking, was challenged on the basis that it allowed users access to the site without being required to travel via the homepage. E-commerce businesses should therefore consider, in appropriate circumstances, putting in place a written contract that sets out the obligations of the parties to a linking agreement. The contract should deal with the following issues:
- The link
- Intellectual property
- Commission
- Charges
- Data protection
- Database right

Liability for website content

Copyright: The law of copyright provides protection to certain types of works. Essentially the protection that exists prevents any person from copying the material without permission. The most common misconception about copyright is that it requires registration. In fact copyright protection exists as soon as a copyright work is made. For example, if you design a web page then copyright will exist in the web page. If anyone copies your web page (online or offline) you should be able to maintain an infringement action. Similarly, if you were to include aspects of a third party website in the design of your own site then you would be at risk from an infringement action.

Offensive and indecent materials
The Obscene Publications Act 1959, s1 provides that: an article shall be deemed to be obscene if its effect or (where the article comprises two or more distinct items) the effect of any one of its items is, if taken as a whole, such as to tend to deprave and corrupt persons who are likely, having regard to all relevant circumstances, to read, see or hear the matter contained or embodied in it.

Descriptions and prices
Under the Trade Descriptions Act 1968 it is a criminal offence to apply a false trade description to goods or services. Where the person convicted of the offence is a corporate body, any director or manager found to have consented to or to have been negligent in relation to the offence may also be convicted. The maximum punishment is two years' imprisonment.

The Debate about Free Speech on the Internet

Provisions in law for 2 cases that limit free speech:
- obscene material
- compelling government interest

Indecency

any comment, request, suggestion, proposal, image, or other communication that, in context, depicts or describes, in terms patently offensive as measured by contemporary community standards, sexual or excretory activities or organs

Use of cookies

Cookies are devices that are inserted on a user's hard drive when he or she is visiting a website. Essentially they are pieces of code that will identify the user when he or she returns to the site and can be used to track a user's movement around the site and throughout the Internet generally. The use of cookies for advertising and selling purposes will amount to direct marketing within the meaning of the DPA, and is therefore subject to the right of an individual to request the cessation of such activity. E-businesses must react to such a request within 21 days and will need to have procedures in place to either:
- disable the cookie in relation to the specific customer who made the request;
- flag the specific customer's account so that no further attempts at direct marketing are made to that person.

Cookies

Reasons for using cookies to personalize information:
- to improve online sales/services
- to simplify tracking of popular links or demographics
- to keep sites fresh and relevant to the user's interests
- to enable subscribers to log in without having to enter a password every visit
- to keep track of a customer's search preferences
- personal profiles created are more accurate than self-registration

Solutions to cookies:
- users can delete cookie files stored in their computer
- use of anti-cookie software (e.g. Cookie Cutter and Anonymous Cookie)
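The two procedures an e-business needs for a direct-marketing opt-out request (disable the cookie for that customer, and flag the account so no further marketing is attempted), as an added example that is not part of the lecture. It applies both measures together rather than one or the other, and also shows the browser-side attributes (Secure, HttpOnly, SameSite) that keep the tracking cookie from being read by scripts or sent over plain HTTP. The cookie name `mkt_id`, the account records and the marketing id are constructed for the example; the standard library's `http.cookies.SimpleCookie` builds the header values.

```python
"""Added example (not from the lecture): honouring a customer's request to
stop cookie-based direct marketing. Cookie name and accounts are constructed."""
from http.cookies import SimpleCookie

TRACKING_COOKIE = "mkt_id"   # constructed name of the marketing/tracking cookie


def set_tracking_cookie(marketing_id: str) -> str:
    """Set-Cookie header value that issues the tracking cookie with the
    attributes a browser needs to protect it: HTTPS only, no script access,
    not sent on cross-site requests, one-year lifetime."""
    c = SimpleCookie()
    c[TRACKING_COOKIE] = marketing_id
    c[TRACKING_COOKIE]["secure"] = True
    c[TRACKING_COOKIE]["httponly"] = True
    c[TRACKING_COOKIE]["samesite"] = "Lax"
    c[TRACKING_COOKIE]["max-age"] = 60 * 60 * 24 * 365
    return c.output(header="").strip()


def disable_tracking_cookie() -> str:
    """Set-Cookie header value that removes the cookie from the browser:
    an empty value with Max-Age=0 tells the browser to delete it."""
    c = SimpleCookie()
    c[TRACKING_COOKIE] = ""
    c[TRACKING_COOKIE]["max-age"] = 0
    c[TRACKING_COOKIE]["secure"] = True
    c[TRACKING_COOKIE]["httponly"] = True
    return c.output(header="").strip()


def handle_opt_out(accounts: dict, customer_id: str) -> dict:
    """Apply both measures: flag the account so no direct marketing is
    attempted, and return the response header that disables the cookie."""
    account = accounts[customer_id]
    account["direct_marketing"] = False   # checked before any campaign is sent
    return {"Set-Cookie": disable_tracking_cookie()}


def may_market_to(accounts: dict, customer_id: str) -> bool:
    """Gate every marketing action on the account flag, never on the cookie."""
    return accounts.get(customer_id, {}).get("direct_marketing", False)


def demo():
    # Constructed customer record: marketing is permitted until the opt-out.
    accounts = {"cust-001": {"email": "alice@example.com", "direct_marketing": True}}
    issued = set_tracking_cookie("m-7f3a")          # constructed marketing id
    before = may_market_to(accounts, "cust-001")
    headers = handle_opt_out(accounts, "cust-001")  # the customer's request
    after = may_market_to(accounts, "cust-001")
    return {"issued": issued, "before": before, "after": after,
            "disable": headers["Set-Cookie"]}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The account flag is the authoritative control: a customer who later clears their browser or receives the cookie again on another device must still not be marketed to, so `may_market_to` consults the stored flag rather than the presence of the cookie.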

Human Rights and E-commerce

Security
- Electronic signatures
- Encryption

1. Electronic signatures

The Electronic Communications Act 2000, the first piece of pure e-commerce legislation in the UK, provides that an electronic signature incorporated into or logically associated with a particular electronic communication or particular electronic data, and the certification by any person of such a signature, shall be admissible in evidence in any legal proceedings as to the authenticity or integrity of the communication or data. In other words, an electronic identification of a person or company can be used in court to show that that person or company made a contract. An electronic, or digital, signature is essentially something associated with an electronic document that performs the same function as a manual signature.

2. Encryption

The Electronic Communications Act 2000 sets up a register of cryptography service providers. The Act imposes a duty on the Secretary of State to establish and maintain a register of approved providers of cryptography support services. This is defined as any service to those sending or receiving electronic communications, or to those who store electronic data, which is designed to facilitate the use of cryptographic techniques for the following purposes:
- ensuring that such communications or data can be accessed or put into an intelligible form only by certain persons (the confidentiality provision)
- ensuring that the authenticity or integrity of such communication or data is capable of being ascertained

Protecting Privacy

Privacy: the right to be left alone and the right to be free of unreasonable personal intrusions

Information privacy: the claim of individuals, groups, or institutions to determine for themselves when, and to what extent, information about them is communicated to others

Privacy Protection

5 basic principles:
- Notice/Awareness: customers must be given notice and be able to make informed decisions.
- Choice/Consent: customers must be made aware of their options as to how their personal information may be used. Consent may be granted through opt-out clauses requiring steps.
- Access/Participation: consumers must be able to access their personal information and challenge the validity of the data.
- Integrity/Security: consumers must be assured that the data is secure and accurate.
- Enforcement/Redress: there must always exist a method of enforcement and remedy. The alternatives are government intervention, legislation for private remedies, or self-regulation.

Controlling Spamming

What is spamming, why is it bad?

Spamming: the practice of indiscriminate distribution of messages (for example junk mail) without permission of the receiver and without consideration for the message's appropriateness

Spamming's negative impacts:
- Spam comprised 30% of all mail sent on America Online (now less than 10%)
- slowing the Internet in general
- shutting ISPs down completely

Controlling Spamming

How to cut spamming:
- Tell users not to validate their addresses by answering spam requests for replies if they want to be taken off mailing lists
- Disable the relay feature on SMTP (mail) servers so mail cannot be bounced off the server
- Delete spam and forget it; it's a fact of life and not worth wasting time over
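What "disable the relay feature" means in practice, as an added example that is not part of the lecture: the decision a mail server makes for each recipient once open relaying is turned off. Mail is accepted only if it is addressed to a domain the server delivers for, or if the sending client has authenticated or sits on a trusted internal network; anything else (a third party using the server to reach another third party) is refused. The weak setting is shown beside it for contrast. The local domains, trusted network, SMTP reply strings and the four sample sessions are all constructed for the example and do not come from any particular mail server's configuration.

```python
"""Added example (not from the lecture): relay decision with relaying disabled,
beside the open-relay setting it replaces. All values are constructed."""
import ipaddress
from dataclasses import dataclass

# Domains this server accepts inbound mail for (constructed).
LOCAL_DOMAINS = {"example.com", "shop.example.com"}
# Internal clients allowed to send outbound mail without SMTP AUTH (constructed).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


@dataclass
class Session:
    """The facts known at RCPT TO time for one SMTP session."""
    client_ip: str
    authenticated: bool   # True if the client completed SMTP AUTH
    mail_from: str
    rcpt_to: str


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].strip("<>").lower()


def open_relay_decision(s: Session) -> str:
    """The weak setting: relaying enabled, every recipient is accepted, so
    anyone can bounce mail off this server to any destination."""
    return "250 accept"


def relay_decision(s: Session) -> str:
    """Relaying disabled: accept inbound mail for our own domains, outbound
    mail from authenticated or internal clients, and nothing else."""
    if _domain(s.rcpt_to) in LOCAL_DOMAINS:
        return "250 accept"                 # inbound mail for our own users
    if s.authenticated:
        return "250 accept"                 # our user sending outbound
    ip = ipaddress.ip_address(s.client_ip)
    if any(ip in net for net in TRUSTED_NETS):
        return "250 accept"                 # internal application sending outbound
    return "554 relay access denied"        # third party -> third party: refused


# Constructed sample sessions, one per case the policy distinguishes.
SAMPLE_SESSIONS = [
    Session("203.0.113.5", False, "news@bulk.example", "<alice@example.com>"),
    Session("203.0.113.5", False, "news@bulk.example", "<someone@other.example>"),
    Session("198.51.100.7", True, "carol@example.com", "<friend@other.example>"),
    Session("10.1.2.3", False, "app@shop.example.com", "<customer@other.example>"),
]


def evaluate(policy):
    """Run one policy over the sample sessions and return its replies."""
    return [policy(s) for s in SAMPLE_SESSIONS]


if __name__ == "__main__":
    for s, closed, opened in zip(SAMPLE_SESSIONS,
                                 evaluate(relay_decision),
                                 evaluate(open_relay_decision)):
        print(f"{s.client_ip:13} auth={s.authenticated!s:5} -> {s.rcpt_to:28} "
              f"closed: {closed:24} open: {opened}")
```

Only the second session, an unauthenticated external client addressing a recipient outside the server's own domains, is refused with relaying disabled; the open-relay policy accepts it, which is exactly the path spammers use to bounce mail off someone else's server.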

Fraud on the Internet

Internet Stocks Fraud
- SEC brought charges against 44 companies and individuals who illegally promoted stocks on computer bulletin boards, online newsletters and investment Web sites
- Selling bogus investments, phantom business opportunities, and other fraud schemes

Other Financial Fraud

Other Fraud in EC
Customers may:
- receive poor quality products and services
- not get products in time
- be asked to pay for things they assume will be paid for by sellers
