1. Find out about SET and the use of RSA 128-bit encryption for e-commerce.
Secure Electronic Transaction (SET) is a standard specification for protecting credit card transactions on open networks (e.g. the Internet). It was started in 1996 by two major credit card providers, MasterCard and Visa, and other companies later participated. It is not a payment method, but a set of protocols that allows users to employ the existing credit card payment infrastructure in a secure fashion (Stallings, 2002).
RSA is a public key cryptography system invented in 1977 by three MIT professors. It can be used for digital signing, signature verification ("RSA Algorithm", n.d.) and sending data over an insecure channel (Ince, 2004).
2. What can you find out about network and host-based intrusion detection systems?
Most intrusion detection systems (IDSs) are used to either detect or deflect attacks, and there are two approaches to developing them. An IDS helps a system recognise that it is being attacked, based on attack signatures and specific patterns. While a network IDS looks for patterns in network traffic to recognise attacks, a host-based IDS scans log files for attack signatures. Both have strengths and weaknesses, so it is better to use both when building an effective IDS ("Network- vs. Host-based Intrusion Detection: A Guide to Intrusion Detection Technology", 1998).
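As an added illustration of the host-based approach described above (this is not code from the cited guide), a small signature scanner run over a constructed auth-log sample: one signature matches a single suspicious line, the other counts failed logins per source and alerts when a threshold is reached.

```python
"""Toy host-based IDS: scan log lines for attack signatures (added example)."""
import re
from collections import Counter

# Constructed sample of an auth log; not real data.
SAMPLE_LOG = """\
May 12 10:01:02 web1 sshd[2101]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
May 12 10:02:10 web1 sshd[2110]: Failed password for root from 203.0.113.9 port 40011 ssh2
May 12 10:02:11 web1 sshd[2111]: Failed password for root from 203.0.113.9 port 40012 ssh2
May 12 10:02:12 web1 sshd[2112]: Failed password for admin from 203.0.113.9 port 40013 ssh2
May 12 10:02:13 web1 sshd[2113]: Failed password for admin from 203.0.113.9 port 40014 ssh2
May 12 10:02:14 web1 sshd[2114]: Failed password for invalid user test from 203.0.113.9 port 40015 ssh2
May 12 10:05:00 web1 sshd[2120]: Accepted publickey for bob from 10.0.0.7 port 51100 ssh2
May 12 10:06:30 web1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow
"""

# Signature type 1: a single-line pattern that is suspicious on its own.
SIGNATURES = {
    "shadow_read_via_sudo": re.compile(r"sudo: .*COMMAND=\S*cat /etc/shadow"),
}
# Signature type 2: a frequency pattern, many failed logins from one source.
FAILED_LOGIN = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
FAILED_THRESHOLD = 5


def scan_log(text, threshold=FAILED_THRESHOLD):
    """Return a list of (alert_name, detail) tuples found in the log text."""
    alerts = []
    failures = Counter()  # source address -> number of failed logins
    for line in text.splitlines():
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                alerts.append((name, line))
        m = FAILED_LOGIN.search(line)
        if m:
            failures[m.group(2)] += 1
    for src, count in failures.items():
        if count >= threshold:
            alerts.append(("password_guessing", f"{count} failed logins from {src}"))
    return alerts
```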
3. What is 'phishing'?
Webopedia (2010) states that: "The act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft. The e-mail directs the user to visit a Web site where they are asked to update personal information, such as passwords and credit card, social security, and bank account numbers, that the legitimate organization already has. The Web site, however, is bogus and set up only to steal the user’s information".
4. What is SET and how does it compare to SSL as a platform for secure electronic transaction? Is SET in common use?
Ince (2004) said: “SET is a protocol which is used for sending credit card information over the internet”. Three parties are involved in each transaction: the buyer, the seller and the bank. When a purchase is made, the buyer sends his credit card details, encrypted using the private key, to the seller. The seller’s server then attaches its digital signature and submits the bundle (the buyer’s encrypted credit-card details plus the seller’s digital signature) to the bank’s computer. The bank’s computer validates the credit card and sends receipts to both the buyer and the seller. Therefore the seller cannot access the buyer’s credit-card information, and the bank does not need to know what the customer bought. One major advantage of SET is that it eliminates large numbers of fraudulent credit-card transactions (Ince, 2004).
Secure Sockets Layer (SSL), based on cryptography, is the most popular technology used in e-commerce security (Ince, 2004). SSL ensures that a trusted channel is established before a transaction takes place between server and client. First, the SSL server allows the client to confirm the server’s identity by validating the server’s digital signature. Although client authentication is not commonly used, the server can validate the client in the same way the client validates the server. SSL uses various symmetric encryption techniques to exchange data between server and client (Ince, 2004).
Although SET is more secure for the customer than SSL, because the merchant cannot access the customer’s credit card details, SSL is more popular because it is simpler: a purchase involves only two parties (buyer and seller), whereas SET requires three (buyer, seller and the bank).
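The RSA operations from question 1 (signing, verification, sending data over an insecure channel) and the three-party flow just described, as a toy model added here; it is not code from Ince (2004) or from the SET specification. It assumes the buyer encrypts to the bank’s public key, that the seller signs a SHA-256 digest of the encrypted blob, and it uses fixed small Mersenne primes, so it illustrates the flow but is not a usable SET implementation.

```python
"""Toy model of the three-party SET flow, built on textbook RSA (added example)."""
import hashlib

E = 65537  # common RSA public exponent


def make_key(p, q):
    """Textbook RSA keypair from two primes. Returns ((n, e), (n, d))."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)


# Toy keys built from small Mersenne primes: fine for a demo, useless for real security.
BANK_PUB, BANK_PRIV = make_key(2**31 - 1, 2**61 - 1)
SELLER_PUB, SELLER_PRIV = make_key(2**89 - 1, 2**107 - 1)


def _digest_mod(data, n):
    """SHA-256 of the data reduced mod n (textbook stand-in for real signature padding)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def buyer_encrypt_card(card_number, bank_pub):
    """Buyer: encrypt the card number to the bank's public key, so the seller cannot read it."""
    n, e = bank_pub
    m = int(card_number)
    if m >= n:
        raise ValueError("message too large for this toy modulus")
    return pow(m, e, n)


def seller_sign(ciphertext, seller_priv):
    """Seller: attach its digital signature over the buyer's encrypted blob."""
    n, d = seller_priv
    return pow(_digest_mod(str(ciphertext).encode(), n), d, n)


def bank_process(ciphertext, signature, seller_pub, bank_priv):
    """Bank: verify the seller's signature, then decrypt the card number.

    Returns the card number as a string, or None if the signature does not verify.
    """
    n, e = seller_pub
    if pow(signature, e, n) != _digest_mod(str(ciphertext).encode(), n):
        return None
    n_b, d_b = bank_priv
    return str(pow(ciphertext, d_b, n_b))
```

The seller only ever holds the ciphertext and its own key, so decrypting with the seller’s private key yields garbage rather than the card number.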
5. What are cookies and how are they used to improve security? Can the use of cookies be a security risk?
A cookie, or browser cookie, is a text file stored by the client’s web browser. It is used for authentication, session tracking (state maintenance), storing site preferences, shopping cart contents, etc.
Data stored in cookies is encrypted for information privacy and data security purposes ("HTTP cookie", 2010). When a client makes HTTP requests to a server, the cookies stored on the client are usually required to be sent with the HTTP request so that the server can determine whether this client is authenticated to access the server’s resources.
Cookies are not executable files, therefore they cannot replicate themselves and are not considered viruses. However, cookies can be used as spyware because they can track people (anti-spyware alerts). Based on cookies, hackers can build a profile of a user’s preferences. This violates the privacy of users ("HTTP cookie", 2010).
6. What makes a firewall a good security investment? Accessing the Internet, find two or three firewall vendors. Do they provide hardware, software or both?
A firewall is an extra layer of protection which surrounds a network or an application. A firewall can be a hardware device or a software application placed between your network and the Internet. It is able to filter both incoming and outgoing messages (Ince, 2004). Therefore, a firewall can prevent unauthorised users from accessing your private network.
Having your network protected by a firewall is a good security investment, because it protects your network from hackers and viruses.
A firewall vendor may provide both hardware and software firewalls (e.g. Cisco) or hardware firewalls only (e.g. Netgear). There are also plenty of vendors who provide firewall software only, such as SunSoft, Netguard and others.
7. What measures should e-commerce provide to create trust among their potential customers? What measures can be verified by the customer?
One of the most difficult things for e-commerce websites is to create trust among their customers. Because customers worry about losing their personal information and financial details (e.g. credit card details), an important factor in building trust, with both customers and partners, is the assurance that the e-commerce operation meets the demanding security standards required of organizations handling sensitive financial information. Ince (2004) suggests a series of requirements for secure e-commerce:
i) Authentication
This means that customers are able to ensure that they are in fact doing business with, and sending private information to, a real identity.
ii) Confidentiality
Information such as credit card and transaction details, whether stored on a system or transferred over the Internet, must not be accessible to unauthorised parties.
iii) Data integrity
Only authorised parties are able to change data, and data cannot be tampered with while it is transmitted over the Internet.
iv) Nonrepudiation
Neither the sender nor the receiver of a transaction can deny that the transaction occurred.
Digital certificates, email confirmation and online enquiries can help customers verify that security measures are in place in an e-commerce environment.
8. Get the latest PGP information from http://en.wikipedia.org/wiki/Pretty_Good_Privacy.
According to Wikipedia (2010), "Pretty Good Privacy (PGP) is a computer program that provides cryptographic privacy and authentication. PGP is often used for signing, encrypting and decrypting e-mails to increase the security of e-mail communications. It was created by Philip Zimmermann in 1991".
The use of digital certificates and passports are just two examples of many tools for validating legitimate users and avoiding consequences such as identity theft. What others exist?
Other tools that can be used for validating legitimate users are USB smart cards, smart cards, one-time passwords, PKI authentication, etc. These tools can be combined to create strong authentication.
References
"HTTP cookie". (2010). Retrieved 12 May 2010 from http://en.wikipedia.org/wiki/HTTP_cookie
"Network- vs. Host-based Intrusion Detection: A Guide to Intrusion Detection Technology". (1998). Retrieved 08 May 2010 from http://documents.iss.net/whitepapers/nvh_ids.pdf
Ince, D. (2004). Developing distributed and e-commerce applications (2nd ed.). Harlow, Essex, UK: Addison-Wesley.
"Pretty Good Privacy". (2010). Retrieved 12 May 2010 from http://en.wikipedia.org/wiki/Pretty_Good_Privacy
"RSA Algorithm". (n.d.). Retrieved 12 May 2010 from http://www.di-mgt.com.au/rsa_alg.html
Stallings, W. (2002). Introduction to Secure Electronic Transaction (SET). Retrieved 12 May 2010 from http://www.informit.com/articles/article.aspx?p=26857
"Understanding and Using Firewalls". (2004). Retrieved 08 May 2010 from http://www.bleepingcomputer.com/tutorials/tutorial60.html
Webopedia. (2010). "All about Phishing". Retrieved 09 May 2010 from http://www.webopedia.com/DidYouKnow/Internet/2005/phishing.asp
Wang, M. (2003). Assessment of E-Service Quality via E-Satisfaction in E-commerce Globalization. Retrieved 09 May 2010 from http://www.ejisdc.org/ojs2/index.php/ejisdc/article/viewFile/68/68
Zirkle, L. (2008). Intrusion Detection FAQ: What is host-based intrusion detection? Retrieved 05 May 2010 from http://www.sans.org/security-resources/idfaq/host_based.php