Friday, May 21, 2010

Exercise 9 - Electronic payments and security

1. Find out about SET and the use of RSA 128-bit encryption for e-commerce

As the internet expands, the use of e-commerce applications for purchasing goods and services will also increase. Security is a major concern that must be addressed before the internet is widely adopted for shopping and purchasing goods. SET, or Secure Electronic Transactions, is an open protocol which was jointly developed by Visa and MasterCard, in conjunction with many leading computer vendors such as IBM, in 1996. The SET open standard is used for protecting the privacy and ensuring the authenticity of electronic transactions over the internet (Reilly, n.d.). However, SET was never adopted at any substantial level, for a number of reasons which included:
  • Clients needed to install a digital wallet or e-wallet
  • Cost and complexity for banks and merchants to offer support of this standard versus the relatively low cost of existing SSL based alternatives
  • Distribution logistics of certificates to clients.
SET has several parts / layers of security:
  • digital wallets / e-wallets
  • digital certificates
  • digital signatures
  • symmetric encryption - DES (Data Encryption Standard)
  • asymmetric, or public key encryption - RSA 128 bit Encryption
Let's run through how SET actually works, using the detailed description from ISACA.org:

1. The cardholder goes to a merchant's web site and selects the items he or she wants to purchase. The cardholder then clicks on the checkout button or its equivalent.

2. This triggers wallet software to be invoked on the cardholder's PC. The software presents several credit cards which the cardholder possesses, and one is chosen. The wallet software also receives the digital certificates of two entities: the merchant and the acquiring bank (also called a payment gateway). These two certificates are validated by traversing the hierarchy of trust, through messages sent on the Internet to all the entities on the trust chain.

3. The wallet software then generates a message containing two parts: the order information and the payment information. The order information contains information confirming the order, whereas the payment information contains the card number and the amount. The payment information is encrypted using a random symmetric key, which, in turn, is encrypted with the payment gateway's public key, so that only the payment gateway can decrypt it. In other words, the merchant will never know the details of the card number of its customer. This data is sent automatically to the merchant's web site.

4. The merchant's computer will first validate the cardholder's digital certificate. Then it will send the payment information to the payment gateway (which is the acquiring bank's computer).

5. The payment gateway will verify the digital certificates of both the merchant and the card holder and decrypt the message to access the card number and the amount.

6. Then the payment gateway will interface with the legacy systems of the acquiring bank to send the transaction to the card brand, which will then send it to the issuing bank for authorization.

7. This authorization response is then encrypted in the usual fashion and sent to the merchant, who, in turn, will validate the message and store the response. Then the merchant will arrange to ship the goods.

A more detailed article about SET can be found on ISACA.org by Ganesh Ramakrishnan
http://www.isaca.org/Template.cfm?Section=Home&CONTENTID=21545&TEMPLATE=/ContentManagement/ContentDisplay.cfm

The most well known public key encryption system is RSA. RSA stands for Rivest, Shamir and Adleman, who first publicly described it (Wikipedia, 2010). RSA is widely used in electronic commerce protocols and was the first algorithm known to be suitable for signing as well as encryption (Wikipedia, 2010).

A 3072-bit RSA key is considered equivalent in strength to a 128-bit symmetric key. According to Wikipedia, this key size should be sufficient until around 2030, after which it will no longer be as resistant to key-cracking attacks.

SET uses RSA; however, the majority of bulk encryption is done with DES, and RSA is mainly used for signatures and for public-key encryption of the data encryption keys and bankcard numbers (RSA, 2010).

More information on DES and RSA can be found in the Cryptography World Cryptography Guide (http://www.cryptographyworld.com/algo.htm).
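To make the envelope in steps 3 and 5 concrete (order information readable by the merchant, payment information under a fresh symmetric key, that key under the payment gateway's RSA public key, and DES doing the bulk work while RSA protects the key), here is an added toy model; it is not code from the page or ISACA, and it assumes textbook RSA with tiny primes and a SHA-256 keystream standing in for DES, so it illustrates message structure only and is not usable cryptography.

```python
"""Toy model of the SET step-3 message: order info (OI) for the merchant, payment
info (PI) under a random symmetric key, that key under the gateway's RSA public key.
Added example, not from the page or ISACA. ASSUMPTIONS: textbook RSA with tiny
primes and a SHA-256 keystream in place of DES. Structure only, NOT real crypto."""
import hashlib
import os


def rsa_keypair(p=61, q=53, e=17):
    """Toy RSA keypair; the primes are a constructed stand-in for real 3072-bit keys."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))          # private exponent
    return (n, e), (n, d)                        # (public, private)


def rsa_apply(key, m):
    n, exp = key
    return pow(m, exp, n)


def sym_crypt(key: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 keystream; plays the bulk-cipher (DES) role. Self-inverse."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def build_set_message(order_info: str, payment_info: str, gateway_pub):
    """Wallet side: OI in the clear, PI under a fresh key, key in an RSA envelope."""
    n = gateway_pub[0]
    sym_key = int.from_bytes(os.urandom(2), "big") % n   # must be < n for toy RSA
    enc_pi = sym_crypt(sym_key.to_bytes(2, "big"), payment_info.encode())
    enc_key = rsa_apply(gateway_pub, sym_key)              # digital envelope
    return {"order_info": order_info, "enc_pi": enc_pi, "enc_key": enc_key}


def merchant_view(msg):
    """Merchant reads the order; without the gateway's private key the PI stays opaque."""
    return msg["order_info"], msg["enc_pi"]


def gateway_open(msg, gateway_priv):
    """Payment gateway recovers the symmetric key, then the card number and amount."""
    sym_key = rsa_apply(gateway_priv, msg["enc_key"])
    return sym_crypt(sym_key.to_bytes(2, "big"), msg["enc_pi"]).decode()


if __name__ == "__main__":
    pub, priv = rsa_keypair()
    msg = build_set_message("order: 2 widgets", "card=0000-TEST amount=19.99", pub)
    print(merchant_view(msg))
    print(gateway_open(msg, priv))
```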



2. What can you find out about network and host-based intrusion detection systems?
First we must define what an intrusion detection system is. An IDS is a device (or application) that monitors network and/or system activities for malicious or suspicious activity and alerts the systems administrator accordingly. There are two main types of IDS: network based and host based (Wikipedia, 2010).

Network IDS (NIDS) are placed at certain points of a network, such as the entry and exit points of the DMZ, so that they can monitor incoming and outgoing traffic on a network and look for suspicious activity.
NIDS usually employ a sophisticated algorithm that examines each and every packet in real time to determine if it meets any of the criteria for "malicious" or "suspicious" activity. If a packet or sequence of packets meets those criteria, an alert is raised and sent to the system administrator.

Host Based IDS (HIDS) act in a similar manner to NIDS, but are located on the individual host and can only monitor that host. Items that are usually monitored include failed login attempts to the machine, network traffic coming in and out of the machine, and administrator tasks performed on the machine.


All intrusion detection systems use one of two detection techniques: either statistical anomaly based or signature based (Wikipedia, 2010).

Statistical anomaly based IDS - A statistical anomaly-based IDS establishes a performance baseline from evaluations of normal network traffic. It then compares samples of current network traffic activity against this baseline in order to detect whether or not they are within the baseline parameters. If the sampled traffic is outside the baseline parameters, an alarm is triggered.

Signature-based IDS - Network traffic is examined for preconfigured and predetermined attack patterns known as signatures. Many attacks today have distinct signatures. In good security practice, the collection of these signatures must be constantly updated to mitigate emerging threats.
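The two detection techniques side by side, run over a handful of constructed web-server log lines, as an added example that is not from the page; the signature patterns, the baseline figures and the z-score threshold are assumptions, and the point is that each technique catches something the other misses.

```python
"""Signature-based vs statistical anomaly-based detection over constructed log lines.
Added example, not from the page; signatures, baseline and threshold are assumptions."""
import re
import statistics
from collections import Counter

# Constructed sample log: "<minute> <source ip> <method> <path>"
SAMPLE_LOG = [
    "09:00 10.0.0.5 GET /index.html",
    "09:00 10.0.0.7 GET /about.html",
    "09:01 10.0.0.5 GET /login",
    "09:01 10.0.0.9 GET /search?q=../../etc/passwd",
    "09:02 10.0.0.7 GET /index.html",
] + [f"09:03 10.0.0.9 GET /page{i}" for i in range(40)]   # burst from one host

# Constructed baseline: requests per minute observed during normal operation
BASELINE_PER_MINUTE = [3, 2, 4, 3, 2, 3, 4, 3]

# Assumed signatures standing in for a vendor feed (deliberately small)
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sensitive-file": re.compile(r"/etc/passwd"),
}


def signature_alerts(lines):
    """Signature-based: flag any line matching a known attack pattern."""
    return [(name, line) for line in lines
            for name, pat in SIGNATURES.items() if pat.search(line)]


def anomaly_alerts(lines, baseline, z_threshold=3.0):
    """Anomaly-based: flag minutes whose request count sits far above the baseline."""
    mean = statistics.mean(baseline)
    stdev = statistics.pstdev(baseline) or 1.0     # avoid division by zero
    per_minute = Counter(line.split()[0] for line in lines)
    return [(minute, count) for minute, count in sorted(per_minute.items())
            if (count - mean) / stdev > z_threshold]


def run_ids(lines=SAMPLE_LOG, baseline=BASELINE_PER_MINUTE):
    """The traversal line only appears via signatures; the 40-request burst only
    via the statistical baseline, since no single request in it matches a pattern."""
    return {"signature": signature_alerts(lines),
            "anomaly": anomaly_alerts(lines, baseline)}


if __name__ == "__main__":
    for kind, alerts in run_ids().items():
        print(kind, alerts)
```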



3. What is phishing?
Phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication (Wikipedia, 2010). Phishing is typically carried out by email or instant messaging. Phishing is an example of the social engineering techniques used to fool users, and it exploits the poor usability of web security technologies.

Many banks around the world, including in Australia, and their customers have been targeted by phishing. Here is an article detailing what scammers do when phishing:

http://www.zdnet.com.au/latest-phishing-scam-most-devious-ever-139116416.htm?omnRef=http%3A%2F%2Fwww.google.com.au%2Fsearch%3Fq%3Dphishing%2Bwestpac%26ie%3Dutf-8%26oe%3Dutf-8%26aq%3Dt%26rls%3Dorg.mozilla%3Aen-GB%3Aofficial%26client%3Dfirefox-a



4. What is SET and how does it compare to SSL as a platform for secure electronic transactions? Is SET in common use?

As already mentioned in question 1, SET or Secure Electronic Transactions is an open protocol which was jointly developed by Visa and MasterCard, in conjunction with many leading computer vendors such as IBM, in 1996. The SET open standard is used for protecting the privacy and ensuring the authenticity of electronic transactions over the internet, through the use of digital wallets, certificates and signatures, and the use of DES and RSA 128bit encryption.

SSL or Secure Sockets Layer is a protocol that provides security for communications over the Internet. The protocol itself sits in the OSI model between the network and application layers. It is a transparent protocol, meaning it is invisible to the client but can be used by any TCP based application.

Both these protocols are used to encrypt and protect information being sent across the internet. However, SSL is more widely adopted and is common practice for companies to use, as it is relatively easy to set up and far less complex and more cost effective than SET. SET is more secure than SSL as it has additional safeguards added to ensure data is fully secure.

SET is not really in common use due to the complexity and costs involved. However, with the rise of financial crimes and the lower security of SSL, SET could become a factor in the near future, since its additional safeguards make financial transactions more secure.



5. What are cookies and how are they used to improve security? Can the use of cookies be a security risk?
Cookies are text files stored locally on a user's machine by the web browser when sent from a web server. They consist of one or more name-value pairs containing information, which may be encrypted,

e.g. NAME = "David Mckay", LOCATION = "SYDNEY"

There are two basic types of cookies: persistent and nonpersistent. Persistent cookies are stored locally on a client's machine so that they can be used across different sessions. Nonpersistent cookies are not stored locally; they can only be used in the same session and never again.

Cookies are usually used for storing authentication, session tracking, site preferences, cart contents etc. for the website visited, so that when a user comes back to the website this can be automatically loaded.

Security is not necessarily improved with the use of cookies, as they can be manipulated and changed, threatening authentication. So storing usernames and passwords in cookies should be avoided.

Cookies do not act maliciously on a computer system; they are not viruses and cannot access your hard drive. However, cookies can pose a security risk in terms of a user's privacy and anonymity on the internet (Wikipedia, 2010).
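An added example, not from the page, covering both points above: telling a persistent cookie from a session cookie by the attributes the server sends (Expires / Max-Age), and why a bare name-value pair such as NAME = "David Mckay" cannot be trusted for authentication, with an HMAC-signed cookie as the usual mitigation. The server secret is a constructed stand-in.

```python
"""Cookie name-value pairs, persistent vs session, and tamper detection via HMAC.
Added example, not from the page; SECRET is a constructed stand-in for a server key."""
import hashlib
import hmac
from http.cookies import SimpleCookie

SECRET = b"constructed-server-secret-change-me"   # assumption: kept server-side only


def classify(set_cookie_header: str):
    """Parse a Set-Cookie header; persistent if Expires or Max-Age was set."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    out = {}
    for name, morsel in jar.items():
        persistent = bool(morsel["expires"] or morsel["max-age"])
        out[name] = (morsel.value, "persistent" if persistent else "session")
    return out


def _tag(name: str, value: str) -> str:
    return hmac.new(SECRET, f"{name}={value}".encode(), hashlib.sha256).hexdigest()


def sign(name: str, value: str) -> str:
    """Server side: the cookie carries the value plus a keyed tag over it."""
    return f"{value}.{_tag(name, value)}"


def verify(name: str, cookie_value: str):
    """Return the value if the tag still matches, else None (edited or forged)."""
    value, _, tag = cookie_value.rpartition(".")
    return value if hmac.compare_digest(tag, _tag(name, value)) else None


if __name__ == "__main__":
    print(classify('NAME="David Mckay"; Expires=Wed, 21 May 2031 00:00:00 GMT; Path=/'))
    print(classify("LOCATION=SYDNEY; Path=/"))
    cookie = sign("user", "dmckay")
    print(verify("user", cookie), verify("user", "admin." + cookie.split(".")[1]))
```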


6. What makes a firewall a good security investment? Access the internet, find two or three firewall vendors. Do they provide hardware, software or both?
A firewall is a part of a computer system or network that is designed to block unauthorised access while permitting authorised communications. This device allows greater control and monitors all inbound and outbound traffic on a network.

A firewall is a good security investment because it stops unwanted intrusions from coming into your network. It makes logical sense, similar to not wanting strangers just walking through the front door of your house.

Firewalls are common practice in nearly all organisations, as they protect very sensitive and confidential equipment and data from being accessed externally.

Some of the vendors which provide firewalls include Cisco and Norton. These two vendors are quite different in that Cisco provides hardware based firewalls, whereas Norton is a software based company providing security products that include software based firewalls.


7. What measures should e-commerce provide to create trust among their potential customers? What measures can be verified by the customer?
According to Nielson (n.d.), "trust is hard to build - and easy to lose", and this holds very true when it comes to e-commerce sites. In order to build trust in an e-commerce site, Nielson mentions a few things that can be done to build rapport and a sense of trust between the consumer and the site:

1. Make sure security is up to date with the latest technologies, such as use of SSL or SET
2. Respect customers' privacy on the internet by not trying to make them give you sensitive information when they really don't have to
3. Have reputable brands and companies mentioned on the site
4. Have a good refund and returns policy
5. Have a professional looking and friendly website
6. Have contact information and information about the company on the site
7. Display testimonials on the site



8. Get the latest PGP information from http://en.wikipedia.org/wiki/Pretty_Good_Privacy.
PGP or Pretty Good Privacy is a computer program that provides cryptographic privacy and authentication. PGP is often used for signing, encrypting and decrypting email to increase the security of email communications.

PGP uses a serial combination of hashing, compression, symmetric cryptography and asymmetric cryptography.


The use of digital certificates and passports are just two examples of many tools for validating legitimate users and avoiding consequences such as identity theft. What others exist?
Some of the measures banks are putting in place are second-factor authentication methods, such as RSA token keys or SMS tokens sent when logging into a banking website or undertaking a transaction on the website.
