Information Security in E-Commerce:
When the Internet was new, its main use was limited to sending and receiving e-mail. The main security concerns were therefore malicious programs such as viruses, worms and Trojan horses that could enter a system as e-mail attachments. With the growth of the Internet, the ways in which it is used have changed a great deal. Today the Internet is commonly used for e-commerce, the buying and selling of goods online, which puts money, payment details and personal data within reach of attackers and brings its own security concerns.
What is Information Security?
Measures, procedures or controls that protect information, in any medium (electronic, print, audio, visual, etc.), from unauthorized access (accidental or intentional), modification, disclosure or destruction.
What is E-commerce?
E-commerce stands for Electronic Commerce. It means commercial transactions conducted over a network using computers and telecommunications. The International Fiscal Association defines e-commerce as commercial transactions in which an order is placed electronically and goods or services are delivered in tangible or electronic form.
Categories of E-commerce:
- Business-to-Customer (B2C): products or services are sold by a firm to a customer.
- Business-to-Business (B2B): both the buyer and the seller are companies.
- Consumer-to-Consumer (C2C): consumers sell goods and services to other consumers.
- Business-to-Government (B2G): the business community interacts electronically with government agencies or public sector organizations. Submission of GST returns, income tax returns, etc. all fall within this category.
What is Computer Security?
Computer security is security applied to computing devices such as computers and smartphones, and to computer networks, private and public, including the whole Internet.
An e-commerce business may be exposed to the destruction or disclosure of confidential data, to interception of data in transit, to transaction risks while online payments are being made, and to malware. Theft of credit card information is a real threat to e-commerce activity. To protect customers against such threats and to ensure safe business transactions, information security provisions such as encryption and decryption, digital signatures and firewalls are used in e-commerce. These provisions are designed to ensure the following:
(1) Integrity- Implies that information sent by a user must not be tampered with or altered, whether in transit or in storage, without the change being detected.
(2) Privacy- Implies that information provided by a user must be kept from other, unknown users.
(3) Confidentiality- Implies that information is accessible only to those persons who have been authorized to access it.
(4) Authentication- Implies that the sender and receiver of information must prove their identities to each other.
(5) Access Control- Implies that users can access only those resources and services they are entitled to, and that qualified users are not denied the services they legitimately expect to receive.
(6) Nonrepudiation- Prevents any party from reneging on an agreement after the fact: a party cannot later deny having sent a message or placed an order.
Let’s now discuss some of the technologies that are used to ensure the security of transactions in e-commerce:
Encryption and Decryption:
Encryption and decryption are the processes that provide confidentiality, so that only authorized persons can read the information. Encryption is the process of translating readable data (plaintext) into data that looks random (ciphertext). Decryption is the reverse process of converting the ciphertext back into plaintext. Both are performed by a cryptographic algorithm controlled by a key. In cryptography, a key is a piece of information (a parameter) that determines the output of the cryptographic algorithm, so only a holder of the correct key can decrypt the ciphertext; the algorithm itself is usually public, and all of the secrecy rests on the key. Encryption is used to protect data in communication systems, for example data transferred over networks (the Internet, e-commerce sites), mobile telephones, wireless microphones, wireless intercom systems, Bluetooth devices and bank automatic teller machines, and equally to protect stored data such as a customer database. Modern authenticated encryption modes also detect any modification of the ciphertext, so they provide integrity as well as confidentiality.
Digital Signature:
A handwritten signature on a legal, financial or other document authenticates the document; a photocopy of the signature does not count. For computerized documents, a signed document must satisfy the following conditions:
- The receiver is able to verify the claimed identity of the sender.
- The sender cannot later repudiate the contents of the message.
- The receiver cannot concoct the message himself and attribute it to the sender.
A digital signature is used to sign a computerized document, and its properties match those of an ordinary signature on paper. A digital signature is easy for its owner to produce but computationally infeasible for anyone else to forge. It is tied to the exact content of the message being signed, so it cannot be moved from one document to another, and any change to the signed content after signing is detected when the signature is verified.
A digital signature scheme is a form of public-key (asymmetric) cryptography. It uses a pair of keys: a private key, kept secret by the signer, and a public key, which may be distributed freely. The scheme consists of three algorithms:
- Key Generation Algorithm- Outputs a private key and the corresponding public key.
- Signing Algorithm- Takes a message and the private key as input and outputs a digital signature.
- Signature Verifying Algorithm- Takes the message, the public key and the digital signature as input and either accepts or rejects the signature.
A digital signature also provides nonrepudiation: the signer cannot later deny having created a document that carries a signature made with his private key. If he claims that he did not create it, the valid signature proves that his private key produced it, so the claim can only hold if the private key was stolen or otherwise compromised. Protecting the private key is therefore essential to the whole scheme.
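The three algorithms above, as an added example that is not part of the original page, implemented with Ed25519 from Go's standard library. The merchant, the order text and the impostor are constructed for the illustration. The four checks at the end correspond to the properties listed above: a genuine signature verifies, an altered document fails, a signature moved to another document fails, and a signature made with somebody else's private key fails.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Keypair holds one signer's keys. The private key never leaves the signer;
// the public key is given to anyone who needs to verify that signer's work.
type Keypair struct {
	Public  ed25519.PublicKey
	Private ed25519.PrivateKey
}

// GenerateKeys is the key generation algorithm.
func GenerateKeys() (Keypair, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Keypair{}, err
	}
	return Keypair{Public: pub, Private: priv}, nil
}

// Sign is the signing algorithm: message + private key -> signature.
func Sign(signer Keypair, document []byte) []byte {
	return ed25519.Sign(signer.Private, document)
}

// Verify is the verifying algorithm: message + public key + signature -> accept/reject.
func Verify(pub ed25519.PublicKey, document, signature []byte) bool {
	return ed25519.Verify(pub, document, signature)
}

func main() {
	merchant, err := GenerateKeys()
	if err != nil {
		panic(err)
	}
	order := []byte("order=1234;item=laptop;amount=999.00") // constructed sample
	sig := Sign(merchant, order)

	fmt.Println("genuine document, merchant's key:   ", Verify(merchant.Public, order, sig))

	altered := []byte("order=1234;item=laptop;amount=9.00")
	fmt.Println("document altered after signing:     ", Verify(merchant.Public, altered, sig))

	other := []byte("order=5678;item=phone;amount=499.00")
	fmt.Println("signature moved to another document:", Verify(merchant.Public, other, sig))

	impostor, _ := GenerateKeys()
	fmt.Println("forged with another private key:    ", Verify(merchant.Public, order, Sign(impostor, order)))
}
```

Verification needs only the public key, which is why a customer, a bank or a court can all check the merchant's signature without ever being trusted with the private key.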
Secure Socket Layer (SSL):
SSL is a protocol that allows sensitive information to be transmitted safely online. It establishes an encrypted link between a web server and a browser so that the information exchanged between the two can be neither read nor altered in transit. As part of setting up the link, the server presents a certificate issued by a certificate authority that the browser trusts, so the browser also knows it is talking to the genuine site and not to an impostor. The name SSL is still in common use, but every version of SSL itself is obsolete and has been replaced by its successor, Transport Layer Security (TLS); what millions of websites use today to protect their users (the "https" in the address bar) is TLS.
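The exchange described above, as an added example that is not part of the original page: a TLS "web server" on a loopback port and a "browser" that connects to it, written with Go's crypto/tls. The host names, the self-signed certificate (standing in for one issued by a certificate authority) and the loopback listener are assumptions made for the illustration. The three cases in main show what the browser does when the certificate is trusted, when it comes from an issuer the browser does not know, and when it is trusted but issued for a different site name; only the first produces an encrypted link.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newServerCert creates a self-signed certificate for host. It stands in for
// the CA-issued certificate a real shop installs on its web server; the
// returned leaf is what a browser that trusts this shop keeps in its store.
func newServerCert(host string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host}, // the name the browser will check
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed, so it is also its own root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

func versionName(v uint16) string {
	switch v {
	case tls.VersionTLS12:
		return "TLS 1.2"
	case tls.VersionTLS13:
		return "TLS 1.3"
	}
	return fmt.Sprintf("0x%04x", v)
}

// Handshake starts a TLS server on a loopback port with a certificate for
// certHost, then connects a client that expects to reach serverName.
// trustServer says whether the client's trust store holds the server's
// certificate. It returns the negotiated protocol version, or the error that
// made the client refuse the connection.
func Handshake(certHost, serverName string, trustServer bool) (string, error) {
	cert, leaf, err := newServerCert(certHost)
	if err != nil {
		return "", err
	}
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12, // refuse SSL 3.0, TLS 1.0 and TLS 1.1
	}
	clientCfg := &tls.Config{
		ServerName: serverName,
		MinVersion: tls.VersionTLS12,
		RootCAs:    x509.NewCertPool(), // empty pool: trust nothing unless added below
	}
	if trustServer {
		clientCfg.RootCAs.AddCert(leaf)
	}

	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer ln.Close()
	serverErr := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			serverErr <- err
			return
		}
		defer conn.Close()
		serverErr <- tls.Server(conn, serverCfg).Handshake()
	}()

	browser, err := tls.Dial("tcp", ln.Addr().String(), clientCfg) // Dial runs the handshake
	if err != nil {
		return "", err
	}
	defer browser.Close()
	if err := <-serverErr; err != nil {
		return "", err
	}
	return versionName(browser.ConnectionState().Version), nil
}

func main() {
	v, err := Handshake("shop.example", "shop.example", true)
	fmt.Println("trusted certificate, matching name:   ", v, err)
	_, err = Handshake("shop.example", "shop.example", false)
	fmt.Println("certificate from an unknown issuer:   ", err)
	_, err = Handshake("other.example", "shop.example", true)
	fmt.Println("trusted certificate, different name:  ", err)
}
```

The two failing cases are exactly the checks a browser performs before showing a padlock; an e-commerce client that skips them (for example by setting InsecureSkipVerify) still gets encryption, but to whoever answered the connection.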
PCI, SET, and Kerberos:
You can transmit sensitive information, such as credit card details, over a network using the SSL/TLS protocol. However, an attacker who breaks into the server can still read that information once it has been stored there. To guard against such a contingency, merchants that store, process or transmit cardholder data must comply with the Payment Card Industry Data Security Standard (PCI DSS), a set of requirements maintained by the card brands. Among other things, it forbids storing the card verification code after a transaction has been authorized, requires stored card numbers to be rendered unreadable (for example by encryption or truncation), and requires access to cardholder data to be restricted and logged. The PCI meant here is not the Peripheral Component Interconnect hardware bus, which has nothing to do with payment security.
Secure Electronic Transaction (SET) is a protocol developed by Visa and MasterCard in the 1990s to secure card payments over the Internet. SET uses encryption for privacy and digital certificates to authenticate the three parties, i.e. the bank, the customer and the merchant. Most importantly, the merchant cannot see the customer's card details, because the payment information is encrypted for the bank and is not stored on the merchant's server. SET was never widely adopted; card payments on the web today rely on TLS together with PCI DSS instead.
Kerberos- It is an authentication protocol based on symmetric key cryptography, also known as secret key cryptography. In symmetric key cryptography the same key is used both to encrypt and to decrypt a message (in contrast to public-key cryptography, where the two keys differ). Kerberos relies on a trusted third party, the Key Distribution Center (KDC), with which every user and every service shares a secret key. A client authenticates once to the KDC and receives tickets, which it then presents to network services to prove its identity and obtain secure access to network resources, without ever sending its password across the network.
Firewall:
A firewall, in computer terms, protects your network from untrusted networks. Companies rely more and more on the Internet to advertise and sell their products and services, so it has become necessary to protect data, transmissions and transactions from incidents, whether the cause is accidental or a malicious act. A firewall protects a corporate network and its web servers against unauthorized access coming from the Internet, or even from inside a protected network.
Basically, a firewall separates a protected network from an unprotected one, the Internet. It is an extra layer of security placed between an internal network (intranet) and the Internet. It protects one network, the secure corporate network, from another, the supposedly insecure network. The secure network is referred to as the trusted network. The objective of the firewall is to control access to the trusted network: it allows only authorized traffic to enter, and in the usual configuration anything that is not explicitly allowed is denied. For example, a firewall can block unauthorized connections to a port: denying all outsiders access to port 80 on an internal HTTP server means that no one outside the organization can reach it, while a public shop's web server would instead have only its HTTP and HTTPS ports (80 and 443) opened to the Internet. All other ports should likewise be closed to outsiders.
The following are the basic functions of a firewall-
- Protection of vulnerable services: hosts and services that should not be reachable from the Internet are shielded from it.
- Control of access to site systems.
- Concentrated security: policy is enforced and monitored at one point rather than on every host.
- Enhanced privacy: information about the internal network, such as which hosts and services exist, is hidden from outsiders.
- Logging and statistics on network use and misuse.
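The policy described above (outsiders denied access to the internal HTTP server, everything not explicitly allowed denied, every decision logged), as an added example that is not part of the original page: a small packet-filtering firewall model in Go. The trusted network 10.0.0.0/8, the admin subnet 10.0.5.0/24 and the sample traffic are constructed for the illustration. Rules are evaluated in order, the first match wins, and a packet that matches no rule falls through to the default deny.

```go
package main

import (
	"fmt"
	"net"
)

// Packet is one inbound connection attempt seen by the firewall.
type Packet struct {
	Src   net.IP
	Proto string // "tcp" or "udp"
	Port  int    // destination port on the protected host
}

// Rule matches packets by source network, protocol and destination port.
// A nil Src matches any source; an empty Proto or a Port of 0 matches any.
type Rule struct {
	Name  string
	Src   *net.IPNet
	Proto string
	Port  int
	Allow bool
}

func (r Rule) matches(p Packet) bool {
	if r.Src != nil && !r.Src.Contains(p.Src) {
		return false
	}
	if r.Proto != "" && r.Proto != p.Proto {
		return false
	}
	if r.Port != 0 && r.Port != p.Port {
		return false
	}
	return true
}

// Firewall evaluates rules in order (first match wins) and denies anything
// that no rule allows. Every decision is logged; the log is the raw material
// for the "logging and statistics" function listed above.
type Firewall struct {
	Rules []Rule
	Log   []string
}

func verdict(allow bool) string {
	if allow {
		return "ALLOW"
	}
	return "DENY"
}

// Filter returns true if the packet may enter the trusted network.
func (fw *Firewall) Filter(p Packet) bool {
	for _, r := range fw.Rules {
		if r.matches(p) {
			fw.Log = append(fw.Log, fmt.Sprintf("%s %s/%d -> %s (rule %q)", p.Src, p.Proto, p.Port, verdict(r.Allow), r.Name))
			return r.Allow
		}
	}
	fw.Log = append(fw.Log, fmt.Sprintf("%s %s/%d -> DENY (default policy)", p.Src, p.Proto, p.Port))
	return false
}

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// NewIntranetFirewall builds the policy from the text: the trusted network
// (assumed to be 10.0.0.0/8) may reach the internal HTTP server on port 80,
// administrators on 10.0.5.0/24 may also reach SSH, and nothing else gets in.
func NewIntranetFirewall() *Firewall {
	return &Firewall{Rules: []Rule{
		{Name: "intranet-http", Src: mustCIDR("10.0.0.0/8"), Proto: "tcp", Port: 80, Allow: true},
		{Name: "admin-ssh", Src: mustCIDR("10.0.5.0/24"), Proto: "tcp", Port: 22, Allow: true},
	}}
}

func main() {
	fw := NewIntranetFirewall()
	// Constructed sample traffic: an inside user, an administrator, and an
	// outsider (203.0.113.0/24 is a documentation range) probing two ports.
	samples := []Packet{
		{Src: net.ParseIP("10.0.7.12"), Proto: "tcp", Port: 80},
		{Src: net.ParseIP("10.0.5.3"), Proto: "tcp", Port: 22},
		{Src: net.ParseIP("203.0.113.9"), Proto: "tcp", Port: 80},
		{Src: net.ParseIP("203.0.113.9"), Proto: "tcp", Port: 22},
	}
	for _, p := range samples {
		fw.Filter(p)
	}
	for _, line := range fw.Log {
		fmt.Println(line)
	}
}
```

Real firewalls add state tracking (so replies to connections opened from inside are allowed back in) and rate limits, but the default-deny, first-match, log-everything structure is the same.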