E-Commerce Essay, Research Paper
Electronic commerce includes almost any exchange of electronic data related to a business operation. In this discussion, I will be concentrating on the use of the Internet for business transactions. Companies that use the Internet as their major source of income have a large concern about electronic commerce security in order to stay successful in their online business. Although the technology exists to prevent almost all types of attack, the nature of the Internet makes implementation of security measures difficult. TCP/IP, the network protocol of most Internet use, is still weak against security compromises (LOEW 134). A business security plan for securing electronic commerce must begin with a baseline. Firewalls and the use of encryption can only protect against 80% of all security threats. Common-sense policy measures, such as proper configuration of computer systems and appropriate use of passwords, are often overlooked (RUSSELL 165). The article "Connecting to The Internet: Security Considerations," http://csrc.ncls.nist.gov/nistbul/cs193-07.txt (BULLETIN), reports that "in recent years, a number of security problems with the Internet have become apparent." "Crackers often roam the Internet with impunity, covering their tracks by moving from system to system." In the rest of my discussion I will be concentrating on different aspects of Internet security and E-commerce, such as Commerce on the Internet, Electronic Commerce Systems, Business Security Strategies, Security Concepts, Risks of Internet Use, Internet System, and the future of Electronic Commerce Security.

Commerce on the Internet
Direct sales via the Internet are expected to grow from $8 billion this year to anywhere from $50 to $250 billion by the end of the century. The amount of sales on the Internet may comprise 36% of direct sales in the year 2000, compared with 7% in 1996.
The number of transactional sites on the World Wide Web (WWW) has been about 1,700 for a while, but is expected to reach 15,000 by the year 2001 (BERKELEY 6). The attractions of the Internet for conducting commerce are growing, with a transaction conducted at one-sixth the cost of placing the same order through a human operator (BERKELEY 4). The use of the Internet for electronic commerce now includes transaction types that were once considered too risky. In 1996 the San Francisco-based Lombard Institutional Brokerage began to offer customers the ability to buy and sell stocks over the Internet (DALE 7). Other brokerages, including Charles Schwab and Jack White & Co., have entered the business. In the same year, Currency Management Corp. (CMC) of London began offering foreign exchange trading in 27 currencies on the Internet (DALE 7). Although most published commentaries researched for this paper seem optimistic about electronic commerce security issues, uncertainty presently restricts the use of the Internet for electronic commerce to a few risk takers. One survey of Internet users indicated that for 50% to 60% of the respondents, security is the main Internet usage issue (DALE 2). Most electronic commerce issues have long since been solved in theory, and implementations of protocols and software solutions loom on the horizon. For the moment, many issues of concern still exist.

Internet System
The Internet developed through the 1960s and 1970s in a largely academic setting and emphasized connectivity as opposed to security (BULLETIN 4). In order to discuss security issues of electronic commerce, a brief summary of a few technical points concerning the Internet is necessary. A business maintains an Internet presence through an Internet server or host.
The Internet presence may occur through a firm setting up its own server, such as a World Wide Web (WWW) page, or by renting virtual real estate on someone else's server, such as with an Internet cybermall (DEBORAH 357). Users access the business server through the Internet. A company Internet server may or may not have links to the company's computer files. In the simple Web page advertisement, the server need not have any connection with the rest of a company's computer system. In the Internet transaction site, where customers actually order products or initiate account transactions, the host must be linked to important company databases. The World Wide Web is the best-known Internet connectivity system. Its characteristic HyperText Transfer Protocol (HTTP) allows the user to move around and between World Wide Web sites by clicking on "links." Other systems, such as File Transfer Protocol (FTP) and Telnet, are commonly used to transfer information through the Internet. Between the user's computer and the Internet there are actually several layers of Internet protocols (DEBORAH 217) that are largely invisible to the Internet user. TCP/IP (Transport Control Protocol/Internet Protocol) represents a collection of networking protocols and applications at the core of most Internet activity (DEBORAH 208).

Risks of Internet Use
The use of the Internet for electronic commerce increases a company's business risks. Under the theory of liability, a company is potentially liable for damage to the computer system of an unaffiliated company and its customers when that damage is caused by an intrusion through the first company's computer system (FRATO 8). The main types of security threats through the Internet include:
Information:
Threats to Internet Servers. Intruders may penetrate the Internet server and gain access to sensitive information, such as customer credit card numbers stored there.
Threats to the Corporate Network. Intruders may gain access via the Internet through security holes into the general corporate network.
Threats to Data Transmission. Corporate data transfers (e-mail, file downloads, web transactions) may be intercepted and compromised.
Resources:
Threats to Service Availability. Intrusions into the computer system could disrupt use of computer systems or even cause the network to crash.
Threats from Repudiation. Fraud may be committed in an online transaction, or a party may deny that a transaction took place.
Reputation:
If vulnerabilities of a company's computer system are demonstrated or become known, the reputation of the company will be harmed (FRATO 59).

Technical descriptions of how attacks on a company computer via the Internet occur are beyond the scope of this paper. However, an overview of a few types of attacks will help with the later discussion of secure Internet commerce. Password-based attacks involve some use of a password to gain access through security layers to privileged data or systems. A recent study found that 30% of all attacks were password based (LOEW 50). A brute force attack consists of attempting randomly generated passwords until entry is gained to a password-protected system. IP spoofing occurs when an attacker makes his computer appear to another computer or host to be a trusted party and tricks that computer or host into releasing sensitive data, allowing the attacker's computer access to a privileged system. IP spoofing can be technically difficult, but computer analysis indicates it is a significant security threat (LOEW 43). Network snooping/packet sniffing involves intercepting packets or messages on the Internet between the sender or source and the intended destination host. Snooping or sniffing is something like "tapping" an old-fashioned voice communication such as a telephone line. Using this technique, an intruder can capture company passwords and intercept sensitive messages. Snooping/sniffing is one of the most difficult types of intrusion to defend against, and in the last few years, hundreds of thousands of these types of attacks have occurred (LOEW 46).

Security Concepts
Two types of security measures, by one estimate, provide protection against 80% of all attacks on business computer systems (DEBORAH and G.T. 5). A firewall is a security perimeter between a company's Internet server and the company's main computer network (DEBORAH and G.T. 258). The firewall intercepts messages crossing the perimeter and determines whether each message should pass through. The firewall is designed to isolate a company network as much as possible from promiscuous access via the Internet. Encryption is a method of translating a message into a code using a mathematical algorithm (DEBORAH and G.T. 147). In order to read the message, the code must be "unlocked" using an encryption key. The effectiveness of encryption depends to some extent on the complexity of the algorithm used to encode the message, and different technologies provide different levels of protection (DEBORAH and G.T. 148). One of the original encryption schemes involved distributing private keys to each person involved in a communication network. This method, symmetric key cryptography, had the significant disadvantage that it was logistically impossible to ensure that each and every bona fide member of the network, and only those members, possessed a key at all times (DEBORAH and G.T. 146). A more useful encryption scheme is asymmetric cryptography, which uses both a private and a public key. A public key is an encryption key that is generally published among network users for each user.
By combining the use of a public and a private key, levels of security can be controlled and other security features, such as authentication and integrity, may be introduced (FRATO 13). Although public/private key encryption may provide a solution to virtually any security problem, in practice the use of encryption is limited by the fact that the computational demands of complex schemes overburden available resources and prevent prompt transmission of messages (FRATO 15). User authentication is an important part of any Internet security system. Authentication assures that a party in an Internet transaction is the person whom they say they are. Authentication methods can be classified into the following categories:
What you know. The combination of a user identifier and password is the oldest and most common authentication method. However, it is also the easiest to break. The use of one-time passwords that are created in advance is one advance that makes user authentication more secure.
What you are. A type of authentication in this category uses biometric systems to identify a user based on physical attributes, such as fingerprints or retinal scans. Some systems on the market look at physical attributes of the user's computer to verify identity. This type of authentication is at present less commonly used than other methods.
What you have. This form of authentication is based on some device in the possession of the user, such as smart cards or disks, which contain a miniature central processing unit (CPU). Such devices communicate with the computer electronically to exchange information similar to a password, or may be programmed to release a time-based authentication password (FRATO 16).

Regardless of the care with which an encryption scheme is designed, there always remains the possibility of passwords or authentication devices being stolen and used in digital identity fraud. A potentially more reliable method of establishing the identities of parties on the Internet through digital signatures is the use of certificates. A certificate is a digital document with identification information and a public key. A standard format known as X.509 is usually used (FRATO 15). The use of a certificate requires issuing the document to an individual, much like a driver's license or social security number is issued. The issuing of certificates and the maintenance of a server making the information available to electronic commerce participants in order to verify identity require a trusted third party or Certificate Authority (CA). Several CAs, including GTE, VeriSign Inc., and Northern Telecom, currently have certification schemes on the market (IMPROVED VPN 7). However, a problem with certification remains that there is no one agency universally recognized as a CA and no legal mechanism to handle the liability issues involved (IMPROVED VPN 7). One of the main security flaws of the Internet is an inherent technological flaw caused by decades of development with little attention to security issues. As security holes are uncovered, software manufacturers modify their products using "patches" (DEBORAH and G.T. 143). "Through such piecemeal modifications, Internet protocols tend towards higher security" (DEBORAH and G.T. 143). However, only systematic change of protocols will thoroughly address security concerns. Short of the introduction of totally new Internet protocols, which is impractical, development of security-enhanced versions compatible with current protocols offers promise.
Secure Sockets Layer (SSL) protocol, developed by Netscape Communications, works at the TCP/IP level and is largely invisible to the user. Secure HyperText Transfer Protocol (S-HTTP) works at a higher level and requires more user interaction. Many other secure protocols and channels are in the works, including PCT by Microsoft and IKP by IBM (DALE 4).

Business Security Strategies
A company's security strategy for electronic commerce must be a corporate-wide strategy for all Internet and computer use. A security hole at any level could compromise the highest degree of security at another level. The main areas of Internet security concern are:
The Internet connection. The cornerstone of security here is the firewall. Connections with Internet providers must also be secure. A security flaw within a provider will also open the company to attack.
End-user services. Internet services used by company employees, such as e-mail and news services, must be secure.
Business services. The company's Internet commerce Web server and all other Internet-based services must be secured (DALE 12).

Obviously, a company must first decide on the scope of its Internet commerce and other usage before developing a security plan. The basic concept of developing a security plan is risk analysis, in which all aspects of a company's operations are examined for security flaws and the minimization of various risks is evaluated according to some type of cost/benefit analysis. However, a growing number of experts believe that such a complicated and costly approach to Internet security may not be warranted because of the amount of guesswork involved in predicting risks (BULLETIN 2). These experts advocate a baseline controls approach to Internet security issues (BULLETIN 3).
The baseline controls approach calls for implementing in the first phase, according to standards of due diligence, basic technological and policy measures of Internet security, such as firewalls, secure protocols, employee Internet usage policies, and security management procedures (password issuing, security auditing, etc.). An additional phase would involve looking at security issues specific to the unique aspects of a company's operations and implementing additional measures according to the same standards of due diligence. Proponents argue that the baseline approach may provide the same degree of security as a systematic risk analysis approach and may protect a company against lawsuits if appropriate due care is exercised (BERKELEY 4).

Electronic Commerce Systems
Several alternative payment systems have been worked out using the security techniques discussed in this paper and are currently being offered for secure transactions on the Internet. These systems will be briefly discussed.

Electronic Money (E-money)
The system described here has been developed by Digicash (BERKELEY 339). In this system a digital scheme has been developed to mimic cash transactions on the Internet. Banks issue e-money customers digital "coins" that are stored on the customer's PC hard drive. The customer downloads coins from the bank server, where the customer's account is debited. The coins are "blinded" using an encryption envelope so that the coins appear anonymous to the bank or anyone else, except to the customer, who knows a serial number for tracking purposes. The coins are then sent electronically to a merchant during a transaction. The merchant verifies the money at the merchant bank and then deposits the coins. All merchants and customers must have a special account to participate in the scheme.
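The blinding step described above can be shown with a Chaum-style RSA blind signature, the mechanism behind anonymous coins of this kind. This is an added illustration, not Digicash's own code: the bank key (two small, known primes chosen for the example), the use of the coin serial number as the signed message, and the deposit-side double-spend list are assumptions, and real systems use large keys and hash the serial before signing.

```python
"""Chaum-style blind signature: how a bank can sign a coin it cannot see.

Constructed illustration, not Digicash's code. Textbook RSA over small
primes so the arithmetic is easy to follow; a real deployment would use
large keys and hash/pad the serial before signing.
"""
import secrets
from math import gcd

# Constructed toy bank key pair (assumption: far too small for real use).
P, Q = 104729, 1299709            # two small known primes
N = P * Q                         # public modulus
E = 65537                         # public exponent, published to everyone
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)               # private exponent, held only by the bank


def customer_blind(serial):
    """Customer picks a random blinding factor r and wraps the coin's
    serial number in an 'envelope' the bank cannot see through."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:        # r must be invertible mod N
            break
    blinded = (serial * pow(r, E, N)) % N
    return blinded, r


def bank_sign_blinded(blinded):
    """Bank signs the envelope (and debits the customer's account).
    It never learns the serial number inside."""
    return pow(blinded, D, N)


def customer_unblind(blinded_sig, r):
    """Customer strips r off; what remains is the bank's signature on the
    bare serial, i.e. a spendable coin."""
    return (blinded_sig * pow(r, -1, N)) % N


def verify_coin(serial, sig):
    """Merchant (or merchant bank) checks the signature with the public key."""
    return pow(sig, E, N) == serial % N


def bank_deposit(serial, sig, spent):
    """Deposit: accept only a valid signature on a serial never seen before.
    The bank sees the serial here but cannot link it to any withdrawal,
    because at withdrawal it only saw the blinded value."""
    if not verify_coin(serial, sig) or serial in spent:
        return False
    spent.add(serial)
    return True


if __name__ == "__main__":
    serial = secrets.randbelow(N)          # coin identifier chosen by customer
    blinded, r = customer_blind(serial)
    coin_sig = customer_unblind(bank_sign_blinded(blinded), r)
    spent = set()
    print("valid coin:", verify_coin(serial, coin_sig))
    print("first deposit:", bank_deposit(serial, coin_sig, spent))
    print("double spend:", bank_deposit(serial, coin_sig, spent))
```

The deposit check is what keeps anonymity from turning into free money: the bank cannot tell who withdrew a coin, but it can refuse a serial it has already accepted.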
The main drawback of the Digicash e-money system is that merchant banks must have the public keys of all the banks their customers use, a state of affairs that would be very difficult to maintain in practice. Also, customers lose FDIC protection once money from their account is transferred into e-money (SOURCE).

Offline credit card processing system
In a system developed by First Virtual Holdings, Inc., the company acts as a clearinghouse for Internet transactions and communicates with customers via e-mail. A customer must set up an account with First Virtual and communicate over the phone to supply credit card information and to select a secure password. When a customer makes an order during an electronic transaction, the merchant contacts First Virtual to request authorization using customer-supplied information, not including credit card numbers. First Virtual then e-mails the customer to verify the transaction, and if a favorable response is received, First Virtual assures the merchant that the transaction is valid. The main security feature of this system is that customer credit card numbers are not sent over the Internet, thereby relieving the merchant of liability in protecting customer credit card information. Disadvantages include the reliance on relatively unsecured e-mail for some degree of sensitive personal data and merchant liability under existing laws for fraud (SOURCE).

On-line credit card processing system
A system developed by CyberCash, Inc. relies on powerful encryption of credit card numbers using free proprietary software. Customers register with CyberCash to set up an identity on the system and are assigned a private encryption key. Merchants are also required to load proprietary software. When a customer initiates a transaction, the merchant's software prompts the customer's software to open a digital "wallet," and the merchant receives the customer's credit card information encrypted with a private key.
The merchant adds merchant information and sends the information to CyberCash. CyberCash is able to use public and private keys to decode customer and merchant information and obtains credit card authorization through standard means. If the cardholder's bank authorizes the transaction, the merchant is notified and in turn informs the customer of the completed transaction. An advanced version of CyberCash's model, Secure Electronic Transaction (SET), has been adopted as a payment protocol by MasterCard, Visa, and major Internet software companies (TADJER 4).

Virtual banking
Virtual banking has gained a solid foothold on the Internet. It is estimated that about 4.6 million customers do banking via the Internet (TADJER 5). One of the first Internet virtual banking systems was designed by Security First Network Bank (SFNB), which exists practically only on the Internet (TADJER 4). The SFNB system has three main security features:
1. A Web platform with multi-level security technology, including privilege and authorization mechanisms for access to various functions and commands.
2. A firewall with audit and logging capabilities.
3. Netscape's secure Web browser using the SSL protocol.
Other virtual banking options include banks sending customers proprietary software to do banking via direct modem connections, and cooperation with existing on-line services, such as America Online. In the latter situation the bank is in effect outsourcing many security issues and responsibilities (TADJER 4).

The Future of Electronic Commerce Security
In general, the challenge of improving the security of electronic commerce lies not so much in solving the technical problems of security, which in theory are already solved, but in overcoming the institutional chaos of the many public and private organizations that control the Internet. The Internet is a conglomeration of worldwide TCP/IP networks that no one really controls (3, 366). Several organizations will be prominent in the future of electronic commerce.
The development of TCP/IP is overseen by the Internet Engineering Task Force (IETF), and many Internet standards are recommended by the World Wide Web Consortium (W3C). Most current security devices cannot rely on TCP/IP, but future standards are likely to include security improvements in the TCP/IP protocol, of which users will largely be unaware (SOURCE). Many new secure systems, such as SSL and SET, were developed by private companies but are on the way to universal acceptance among Internet users. Java, the new programming language developed by Sun Microsystems, has much promise in security for network environments (DEBORAH and G.T. 117). Some trade organizations have encouraged the formation of working groups to speed up the creation of secure electronic commerce environments. The Financial Services Technology Consortium (FSTC) is comprised of banks, financial services firms, technology vendors, research laboratories, and government agencies (DEBORAH and G.T. 117). The FSTC is working on converting the Electronic Funds Transfer (EFT) protocol from a private to a public network, in order to create a common environment for secure electronic commerce transactions. As a general rule, the risk of criminal attack on electronic commerce will be greatest in terms of large-scale attacks (DEBORAH and G.T. 80) as daily transactions become more and more secure.