Chapter 6. NE Security, Trust and Payments (slide transcript, posted 18-Dec-2015)

Chapter 6. NE Security, Trust and Payments


Chapter 6. Outline

1. Introduction
2. The Link between Security, Trust and Payments
3. What is the Security Problem and Where Do We Stand?
4. Securing the Network
5. Securing the End Points
6. Protecting Intellectual Property
7. NE Trust
8. NE Payment options


6.2 The Link between Security, Trust & Payments

• Customers need to be assured that the vendor at the other end of the transaction is legitimate, so trust is a necessary precursor to successful e-commerce transactions.

• As part of creating that trust, NEOs need safe and efficient procedures and computer systems (security) to facilitate online transactions, especially payments, if the full potential of NE is to be realized.


6.3 What is the Security Problem and Where Do We Stand?

• NE Commerce must be:

1. Safe (physical security)

2. Secure from intentional violation

3. Secure from unintentional violation

4. Recoverable


6.3.1 Safe NE Systems

• Managers must guarantee that a disaster won’t paralyze the computer systems that make NE transactions possible.

• “Mean Time for Belly Up” (MTBU) calculates how long an organization can survive if its computer system goes down, typically estimated in days (Figure 6.1).

• Information-intensive firms are the most vulnerable, but even traditional firms cannot survive long without a continuous flow of information and data.

Figure 6.1 MTBU for Two Firm Types


Disaster Planning

• Companies must plan for situations in which data, files and IT equipment are lost or destroyed.

• As part of disaster planning, firms choose one of 3 main options for restoring the firm's operations:
– Cold sites: data & software
– Hot sites: data, software, network connections
– Distributed computing with excess capacity at each distributed site

• Recovery plans should also cover potential problems with hardware, software, data and network connections, which personnel are responsible for each task, and the procedures to address them.


6.3.2 Secure from Intentional Violations

• Attacks come from outside sources seeking personal gain or malevolent mischief, aiming to use or obtain:
– Trade secrets
– Strategic information
– Private data (passwords, I.D. information)
– Time-sensitive information
– Credit card information
– Electronic funds transfer information

• NEOs must also be prepared for "unintentional violations", where data has been altered by accident.


6.3.4 Recoverable Systems

• Key to disaster planning are recoverable systems.

• For example, an individual might acquire an Internet-borne virus and find their data destroyed and their hardware unusable.

• The only way to address problems like this is for firms to have backup procedures in place that make it possible to restore operations within an hour or so of a disaster and with minimal loss of data. – A backup that the infected machine can reach can be destroyed by the same virus, so at least one copy belongs offline, and the restore procedure should be rehearsed, not just documented.


6.4 Securing the Network


Vulnerabilities of NE Systems

• NE systems have two major vulnerabilities:

1. Transmissions can fall into the wrong hands. – Solution: message encryption, so that an eavesdropper who captures the transmission cannot read it.

2. Senders can falsify their identities. – Solution: digital signatures, with the signer's public key vouched for by a certificate issued by a certificate authority, to authenticate the sender's identity.


Encryption

• Encryption means scrambling a message so that its contents can't be read without the key.

• Encryption techniques use an algorithm and a key that work together, like a lock and its combination: the algorithm may be public, the key must stay secret.

• Classical encryption techniques use either substitution (replacing one thing with another) or transposition (moving message contents around); modern ciphers combine both.

• Key length is an important characteristic in encryption systems. – The longer the key, the more difficult the encryption is to crack by trying every key, just as a combination lock with a longer combination is more difficult to open. – A long key does not rescue a weak algorithm: the key space of a simple letter-substitution cipher is enormous, yet it falls to letter-frequency analysis.
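An added worked example, not from the chapter, of the two classical techniques and of what key length does and does not buy: a Caesar shift (substitution with a 26-key space), a columnar transposition, the key-space counts compared with a binary key, and the letter-frequency attack that breaks a substitution cipher regardless of its huge key space. The sample sentence is constructed for the demonstration.

```python
import math
import string

ALPHABET = string.ascii_uppercase


def caesar(text: str, shift: int) -> str:
    """Substitution: each letter is replaced by the letter `shift` places on.
    The key is the single number `shift`; a negative shift decrypts."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def columnar_transposition(text: str, key: str) -> str:
    """Transposition: letters keep their identity but change position. The
    text is written in rows under the key word and read out column by column
    in alphabetical order of the key letters."""
    letters = "".join(ch for ch in text.upper() if ch in ALPHABET)
    width = len(key)
    rows = [letters[i:i + width] for i in range(0, len(letters), width)]
    column_order = sorted(range(width), key=lambda i: (key[i], i))
    return "".join(row[i] for i in column_order for row in rows if i < len(row))


def key_space(kind: str, key_len: int = 0) -> int:
    """Number of keys an attacker has to try in the worst case."""
    if kind == "caesar":
        return 26                          # 26 shifts, one of them useless
    if kind == "substitution":
        return math.factorial(26)          # any permutation of the alphabet
    if kind == "transposition":
        return math.factorial(key_len)     # any ordering of key_len columns
    if kind == "binary":
        return 2 ** key_len                # a modern key of key_len bits
    raise ValueError(kind)


def brute_force_caesar(ciphertext: str, crib: str) -> list:
    """Try all 26 keys and keep those whose decryption contains a known word.
    With so few keys this finishes instantly."""
    return [s for s in range(26) if crib in caesar(ciphertext, -s)]


def shift_from_frequency(ciphertext: str) -> int:
    """A letter substitution has a huge key space but keeps letter frequencies:
    assume the commonest ciphertext letter stands for E and read off the shift.
    The size of the key space did not help the sender here."""
    letters = [ch for ch in ciphertext if ch in ALPHABET]
    commonest = max(ALPHABET, key=letters.count)
    return (ALPHABET.index(commonest) - ALPHABET.index("E")) % 26


# Constructed sample text with the usual English surplus of the letter E.
SAMPLE = "THE ENEMY EXPECTS THE SECRET MESSAGE TO BE SENT BEFORE SEVEN THIS EVENING"
```

`key_space("substitution")` is about 4 x 10^26, more than a 88-bit binary key, yet `shift_from_frequency(caesar(SAMPLE, 3))` recovers the key from a single sentence; the lock analogy holds only for an algorithm whose best attack really is trying every combination.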


Public Key Encryption (Figure 6.5)

• Public key encryption, used on the Internet and supported by a Public Key Infrastructure (PKI) of certificate authorities and certificates, is a two-key system: one publicly distributed key for encryption and a second, privately held (undistributed) key for decryption. – Anyone can encrypt a message to the key holder; only the holder of the private key can decrypt it. – The same key pair works in reverse for digital signatures (6.4.1): the private key signs and the public key verifies.

Figure 6.5 How PKI Works


6.4.1 Digital Signatures

• Digital signatures also use public key encryption, usually in conjunction with a trusted certification authority (CA) that vouches for the identity of the sender (see Figure 6.6).

• First, the 1st party registers with the CA: it proves its identity and submits its public key. The CA authenticates this information and responds with a digital certificate, the CA's own signature over the 1st party's name and public key, which serves to assure the 2nd party of the 1st party's legitimacy. This step happens once, not for every transaction.

• For each transaction, the 1st party signs the transactional information with its private key and sends the signature, the digital certificate and the message to the 2nd party, encrypted with the 2nd party's public key.

• The 2nd party opens this with their private key, checks the CA's signature on the certificate, and verifies the signature on the message with the public key named in the certificate. A message altered in transit, or a certificate the CA did not issue, fails these checks.
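The two-key scheme of Figure 6.5 and the certificate flow of Figure 6.6 as one added example; this is not the book's or any vendor's code. It implements textbook RSA with 80-bit primes and no padding, which is enough to show the mechanics and unsafe for anything else. A hypothetical CA issues a certificate to a vendor under the assumed name shop.example, the vendor signs an order and seals it for the customer, and the customer checks the certificate, then the signature, and rejects both a self-issued certificate and a tampered order. The CA's out-of-band identity check is assumed, not modelled.

```python
import hashlib
import json
import random


def _is_probable_prime(n: int, rng: random.Random, rounds: int = 20) -> bool:
    """Miller-Rabin primality test with random bases."""
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int, rng: random.Random) -> int:
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # top and low bit set
        if _is_probable_prime(cand, rng):
            return cand

def keygen(rng: random.Random, bits: int = 80):
    """Return (public, private): public = (n, e) is handed out freely,
    private = (n, d) never leaves its owner. 80-bit primes are a toy size."""
    e = 65537
    while True:
        p, q = _random_prime(bits, rng), _random_prime(bits, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:          # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def _digest(data: bytes, n: int) -> int:
    """Hash the message and reduce it into the key's range (toy: no padding)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private, data: bytes) -> int:
    n, d = private
    return pow(_digest(data, n), d, n)         # needs the private key

def verify(public, data: bytes, sig: int) -> bool:
    n, e = public
    return pow(sig, e, n) == _digest(data, n)  # anyone with the public key can check

def encrypt(public, data: bytes) -> int:
    n, e = public
    m = int.from_bytes(data, "big")
    if m >= n:
        raise ValueError("message too long for this toy key")
    return pow(m, e, n)                        # the public key locks ...

def decrypt(private, c: int) -> bytes:
    n, d = private
    m = pow(c, d, n)                           # ... only the private key unlocks
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def ca_issue_certificate(ca_private, subject: str, subject_public) -> dict:
    """The CA binds a name to a public key by signing both. Checking that the
    applicant really is `subject` happens out of band and is not modelled."""
    body = {"subject": subject, "n": subject_public[0], "e": subject_public[1]}
    return {"body": body, "ca_sig": sign(ca_private, json.dumps(body, sort_keys=True).encode())}

def check_certificate(ca_public, cert: dict) -> bool:
    return verify(ca_public, json.dumps(cert["body"], sort_keys=True).encode(), cert["ca_sig"])

def run_exchange(seed: int = 1) -> dict:
    """Figure 6.6 end to end: the vendor (1st party) signs an order for the
    customer (2nd party), who checks the CA's certificate, then the signature."""
    rng = random.Random(seed)
    ca_pub, ca_priv = keygen(rng)
    vendor_pub, vendor_priv = keygen(rng)
    customer_pub, customer_priv = keygen(rng)
    vendor_cert = ca_issue_certificate(ca_priv, "shop.example", vendor_pub)  # done once
    # per transaction: sign with own private key, seal with the recipient's public key
    order = b"order 42: 100 EUR"
    sig = sign(vendor_priv, order)
    sealed = encrypt(customer_pub, order)
    # customer side: open, check the certificate, then the signature
    opened = decrypt(customer_priv, sealed)
    cert_ok = check_certificate(ca_pub, vendor_cert)
    vendor_key = (vendor_cert["body"]["n"], vendor_cert["body"]["e"])
    sig_ok = cert_ok and verify(vendor_key, opened, sig)
    # two things the checks must reject: a certificate the CA never issued
    # (an impostor signing his own) and a message altered after signing
    imp_pub, imp_priv = keygen(rng)
    fake_cert = ca_issue_certificate(imp_priv, "shop.example", imp_pub)
    return {"opened": opened, "cert_ok": cert_ok, "sig_ok": sig_ok,
            "forged_cert_ok": check_certificate(ca_pub, fake_cert),
            "tampered_ok": verify(vendor_key, b"order 42: 1 EUR", sig)}
```

The order of checks on the customer side matters: the vendor's public key is taken from the certificate only after the CA's signature on that certificate has been verified, otherwise an impostor's self-made certificate would supply the key used to verify the impostor's own signature.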

Figure 6.6 Digital Signatures


6.4.2 SSL and SET

• Secure Sockets Layer (SSL) and Secure Electronic Transaction (SET) are two protocols used for secure transmissions over the Internet.

• SSL software is built into browsers. – An SSL session uses symmetric (private key) encryption with a session key created for that session only; the session key is exchanged under the server's public key. – The server's identity is authenticated with a digital certificate, and each record carries an integrity check so that tampering in transit is detected. – SSL has since been superseded by its successor, TLS, and the SSL versions themselves are deprecated.

• SET is a more elaborate protocol developed by a consortium of credit card companies including Visa and MasterCard. – A key feature of SET is that credit card numbers are encrypted so that vendors never actually see the real card number. – SET was never widely adopted.


6.5 Securing the End Points

• Transmission end points are the weakest links in NES security, since clients and servers are vulnerable to intrusions such as viruses and worms, or attempts by hackers to penetrate the system.

• "Firewalls" can be set up to control access to an organization's computers: a rule list states which connections (by source, destination, protocol and port, and in application-level firewalls by user) are permitted, and everything not explicitly permitted is refused. Rules are checked in order, so a broad rule placed early can silently cancel the stricter rules below it.

• Figure 6.8 illustrates graphically how a firewall combined with virus protection software might be used to block incoming packets containing viruses sent by an outsider. – A plain packet filter sees only addresses and ports; recognising a virus requires content inspection at the firewall or on the end point itself.
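An added example, not from the chapter, of the access list a firewall evaluates: first-match rules with a default deny, a constructed rule set for a shop using documentation address ranges, and a check for rules that an earlier, broader rule shadows, which is how a misplaced "allow" silently exposes a database port.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str      # source address
    dst: str      # destination address
    dport: int    # destination port
    proto: str    # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"       # any source unless narrowed
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None = any port
    proto: Optional[str] = None  # None = any protocol

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.dport in (None, p.dport)
                and self.proto in (None, p.proto))

    def covers(self, other: "Rule") -> bool:
        """True if every packet `other` could match, this rule matches too."""
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst))
                and self.dport in (None, other.dport)
                and self.proto in (None, other.proto))


def filter_packet(rules: List[Rule], p: Packet, default: str = "deny") -> str:
    """First match wins; a packet no rule mentions gets the default.
    Default-deny is the setting a firewall should run with."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule covers them.
    A shadowed deny, or a shadowed narrow allow, is usually a configuration bug."""
    return [i for i, r in enumerate(rules) if any(e.covers(r) for e in rules[:i])]


# Constructed rule set for a shop: public HTTPS on the web server, SSH only
# from the admin network, nothing else. Addresses are documentation ranges.
SHOP_RULES = [
    Rule("allow", dst="203.0.113.10/32", dport=443, proto="tcp"),
    Rule("allow", src="198.51.100.0/24", dst="203.0.113.0/24", dport=22, proto="tcp"),
    Rule("deny"),   # explicit catch-all, same effect as the default
]

# The same rules with one broad "allow" pasted in front: everything below is shadowed.
MISORDERED_RULES = [Rule("allow", dst="203.0.113.0/24")] + SHOP_RULES

SAMPLE_PACKETS = {   # constructed traffic
    "https_from_internet": Packet("192.0.2.77", "203.0.113.10", 443, "tcp"),
    "ssh_from_internet": Packet("192.0.2.77", "203.0.113.10", 22, "tcp"),
    "ssh_from_admin": Packet("198.51.100.5", "203.0.113.10", 22, "tcp"),
    "db_from_internet": Packet("192.0.2.77", "203.0.113.20", 5432, "tcp"),
}


def decisions(rules: List[Rule]) -> dict:
    """Run every sample packet through the rule list."""
    return {name: filter_packet(rules, pkt) for name, pkt in SAMPLE_PACKETS.items()}
```

`decisions(SHOP_RULES)` refuses the database and the Internet-sourced SSH attempts; `decisions(MISORDERED_RULES)` lets both through, and `shadowed_rules(MISORDERED_RULES)` points at the two rules that the broad allow made unreachable, which is the check to run before a rule set goes live.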

Fig. 6.8 Firewalls to Secure the End Points


6.6 Protecting Intellectual Property

6.6.1 Copyrights/Patents

• Copyrights are legal rights to exclusivity issued by governments to ensure that creators of intellectual property, such as software, Web pages, etc., can get a return on the investment in their products.

• Likewise, patents are exclusivity rights issued by governments for new inventions, to legally protect the inventors' intellectual property.

• In both cases, successful litigation after a breach can be a form of security protection.


6.6.2 Trademarks and Digital Watermarks

• Trademarks are labels that legally protect the "name" of a product or service, and in the US are indicated by ™ following the name.

• Unlike watermarks on paper, digital watermarks are bits embedded in a file that uniquely identify the product and are meant to be hidden from potential thieves (see Figure 6.7).

• Only when the owner key is presented can the identifying bits be located and unveiled.

• For example, by copyrighting and then placing digital watermarks on a photo gallery sold for one-time use, a firm can show that a copy found elsewhere came from that sale, and so sue successfully.
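An added example, not the chapter's or any product's code, of the keyed watermark of Figure 6.7: the identifying bits are written into the least significant bit of samples whose positions are derived from the owner key, so the mark is invisible in the data and recoverable only with that key. The cover data, the key and the identifier are constructed for the demonstration.

```python
import hashlib
import hmac
import random


def _positions(owner_key: bytes, n_samples: int, n_bits: int) -> list:
    """Where the mark lives is derived from the owner key, so someone without
    the key does not know which of the thousands of samples to look at."""
    seed = hmac.new(owner_key, b"watermark positions", hashlib.sha256).digest()
    rng = random.Random(int.from_bytes(seed, "big"))
    return rng.sample(range(n_samples), n_bits)


def embed(cover: bytes, owner_key: bytes, mark: bytes) -> bytes:
    """Write each bit of `mark` into the least significant bit of one sample.
    Changing a sample by at most 1 is invisible in an 8-bit image or audio file."""
    bits = [(byte >> i) & 1 for byte in mark for i in range(7, -1, -1)]
    out = bytearray(cover)
    for pos, bit in zip(_positions(owner_key, len(cover), len(bits)), bits):
        out[pos] = (out[pos] & 0xFE) | bit
    return bytes(out)


def extract(marked: bytes, owner_key: bytes, mark_len: int) -> bytes:
    """Read the bits back from the key-selected positions. With the wrong key
    the positions differ and the result is noise."""
    positions = _positions(owner_key, len(marked), mark_len * 8)
    bits = [marked[pos] & 1 for pos in positions]
    return bytes(sum(bit << (7 - i) for i, bit in enumerate(bits[k:k + 8]))
                 for k in range(0, len(bits), 8))


def max_distortion(original: bytes, marked: bytes) -> int:
    """Largest change the embedding made to any single sample."""
    return max(abs(a - b) for a, b in zip(original, marked))


# Constructed cover: a 64x32 8-bit grey ramp standing in for a photo.
COVER = bytes(range(256)) * 8
OWNER_KEY = b"example owner key, not a real secret"
MARK = b"GALLERY-0042"   # the identifier the firm wants to be able to prove
```

`extract(embed(COVER, OWNER_KEY, MARK), OWNER_KEY, len(MARK))` returns the identifier, any other key returns noise, and no sample moves by more than one grey level. Two caveats for real use: a least-significant-bit mark does not survive lossy recompression or resizing, so production watermarks embed in more robust transforms of the data, and the owner key must be protected like any other secret, since whoever holds it can also strip the mark.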


Figure 6.7 Bits Placed in Innocuous Locations in File to Serve as Digital Watermark


6.7 NE Trust

• The ability to protect a customer's vital information is crucial to creating customer trust, especially for an online business.

• Customers tend to trust an online vendor if:
– 1. The vendor's promises can be relied on
– 2. The vendor stands by their products and services
– 3. Customers feel they are being treated fairly
– 4. The vendors are consistent and predictable over time.


6.7.1 NE Trust-Building Mechanisms

FOUR ways to increase trust online:

1. The customer must believe in the vendor's 'ability' to secure the 'integrity' of the transaction itself.

2. 3rd party guarantors provide an alternative way to do this, since they can confirm that a vendor is complying with established privacy standards.

3. Another key is responsiveness: NE organizations must have human or automated quick-response mechanisms in place to avoid losing trust.

4. NESs need to create some kind of "social presence".


Figure 6.8 Verisign's Home Page – Example of a Third Party Guarantor

Empirical research shows that 3rd party transaction guarantors, e.g., www.Verisign.com, which offer alternative ways for a vendor to demonstrate its security, are instrumental in increasing trust levels in customers.


6.7.2 Creating Social Presence in a Web-site

• Trust in an NE Website may be built through the perception that friendly human contact (social presence) is part of the medium.

• This can be achieved by ‘embedding’ a sense of this contact in the site such as photos of sales reps and technical support staff, creating a welcoming feeling.

• Multimedia can be even more effective.

• Personalization is another way to humanize a site.


Trust is Established over Time by:

• A trustworthy track record of previous behavior

• Showing a willingness to invest in a long-term relationship

• Investing beyond what was required by the initial contract

• Cooperativeness

• Staying in touch

• Not demonstrating opportunistic behavior


6.7.3 NE Trust as a Temporary Problem?

• Familiarity with the technological innovations of e-Commerce may reduce anxieties about NE transactions over time.

• Nevertheless, NE firms will need to continually monitor their security procedures. – If not, their partners/customers may soon cease to trust them.


6.7.4 Additional Aspects of Trust in an Online Environment

• High-profile branding can be used to increase trust.

• NEOs can build on brand recognition to generate trust by taking advantage of:
– their widely recognized logos
– animating these to make them more memorable, and
– creating a unique Web environment

• Live chat with sales reps, despite being more labor intensive than purely machine responses, is still more efficient than face-to-face or phone exchanges and also maintains a social presence.


6.8 NE Payment Options

• The following payment options are available for online purchases:

1. EFT

2. Credit cards

3. Debit cards

4. e-Cash

5. Online Transfers

Figure 6.10 EFT and EDI Transactions


Online Transfers at Financial Websites

• At NE securities markets that rely on Online Public Transfers, such as Fidelity.com, a customer logs on over a secured SSL link.

• The browser shows a "Security Alert" dialogue box when it switches to the secure protocol (https) used to access the Web page from the Fidelity server.

• Once the user clicks "OK", the browser begins an SSL session and the URL changes to https.


6.8.6 Security and Payments

• Payment schemes are only as good as their security levels.

• EFT is probably the most secure as it is a proprietary networked solution, and banks are generally more security conscious than other businesses.

• Table 6.2 shows the relative security of each payment option.

Table 6.2 Security of NE Schemes

• EFT
– Typical Security: public key encrypted (PKE) transmissions over dedicated leased lines between banks or financial institutions
– Pros and Cons: Highly secure, but limited in ease of participation by its closed proprietary nature

• Credit Cards
– Typical Security: PKI-encrypted transmittal of card numbers; SET hides numbers from retailers; SSL does not
– Pros and Cons: A regulatory environment can offer customers protections that encourage use of online sites; lack of such an environment will inhibit commercial development

• Debit Cards
– Typical Security: PKI-encrypted transmittal of card numbers; SET hides numbers from retailers; SSL does not
– Pros and Cons: Highly secure, but limited in ease of participation by its closed proprietary nature

• E-Cash
– Typical Security: the most secure environments use PKI-encrypted digital signatures; the least secure, password protection
– Pros and Cons: ease of use once installed, and allows for micropayments; lacking automatic deposit or transfer, some user sophistication is needed to move funds into the e-account

• Online Public Transfers
– Typical Security: the most secure environments use PKI-encrypted digital signatures; the least secure, password protection


End of Chapter 6