E-Commerce

Internet It is a network of networks that uses the TCP/IP protocol suite. –Transmission Control Protocol (TCP) – handles communication between applications. A message is divided into pieces called packets. Packets are numbered, may be transmitted by different routes, and are reassembled in order at the destination. –Internet Protocol (IP) – handles communication between network addresses. Each computer on the Internet is assigned a unique address, the IP address; an IPv4 address consists of 4 numbers (each from 0 to 255) separated by periods. Example:

E-Commerce Buying and selling, and marketing and servicing of products and services, and information via computer networks.

CISCO Internet Value Matrix

The Four Quadrants New Fundamentals: These companies take the low-risk road. They use the Internet as a new channel for doing old things, for example streamlining operations to achieve cost savings. Operational Excellence: Businesses in this quadrant use Internet technologies to improve the management of customer service and for value innovation. Breakthrough Strategies (Early Movers): These are the bold players venturing into new markets, new channels and new products. Their focus is on competitive advantage through new ways of managing relationships and doing business. Experimentation: These businesses want to become learning organizations. They explore the Internet and intranets and fund small-scale experiments. They experiment with new market segments, sources of revenue and ways of doing business, but not in a way that could compromise the main business activities.

E-Commerce Models
B2C: Storefront model
–E-tailing (electronic retailing)
–Shopping cart, on-line shopping mall
B2B:
–Electronic Data Interchange (EDI)
–Electronic Exchange: an electronic forum where manufacturers, suppliers, and competitors buy and sell goods. Example: WorldWide Retail Exchange (WWRE)
C2C:
–Auction model: eBay
Etc.

B2C System Model

E-Payment
Online credit card transaction:
–Card-not-present transaction: the merchant never sees the physical card, so the card number and expiry date entered on the web page are the only proof of possession, which is why stolen card numbers are the main e-payment fraud risk.
Prepaid card:
–Visa Reloadable Prepaid card
E-Wallet: Online wallets try to make Internet shopping easier by letting consumers register once to shop at multiple retail outlets.
PayPal (merchant demo)

M-Business E-Business enabled by wireless communication. –Cell phone, PDA WI-FI: Wireless local area network (WLAN) based on the IEEE 802.11 specifications. Hotspot: A person with a Wi-Fi device, such as a computer, cell telephone, or personal digital assistant (PDA), can connect to the Internet when in proximity of an access point. The region covered by one or several access points is called a hotspot. Because the radio link is shared with everyone in range, traffic over a hotspot should be protected end to end (e.g. with SSL/TLS) rather than trusted because the hotspot is "yours".

Location Based Services
Location-identification technologies:
–Geocode: longitude, latitude
–Global Positioning System (GPS)
–Cell phone: Angle of Arrival (AOA)
Location-based services:
–B2E (employee)
–B2C

Internet Security
Authenticity: Is the sender of a message who they claim to be?
Privacy: Are the contents of a message secret and known only to the sender and receiver?
Integrity: Have the contents of a message been modified during transmission?
Nonrepudiation: Can the sender of a message later deny that they actually sent it?

Encryption (Cryptography) Plaintext: the original message in human-readable form. Ciphertext: the encrypted message. Encryption algorithm: the mathematical procedure used to turn plaintext into ciphertext (and back). Key: the secret value the algorithm takes as a parameter; the algorithm itself is assumed to be public, so the security of the system rests on the secrecy of the key and on the number of possible keys an attacker would have to try.

Encryption Example Digits: 0-9. Encryptor: –Replace each digit by Mod(Digit + Key, 10). The key's value is from 0 to 9. –If Key = 7, then: 0->7, 1->8, 2->9, 3->0, 4->1, 5->2, 6->3, 7->4, 8->5, 9->6. Decryptor: –Replace each digit by Mod(Digit + (10 - Key), 10). –If Key = 7, then: 7->0, 8->1, 9->2, 0->3. Note that with only ten possible keys an attacker can simply try them all, and because the same digit is always replaced by the same digit, repeated patterns in the plaintext show through in the ciphertext.
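The digit-shift cipher from the slide above, as an added example that is not part of the lecture, together with the two attacks a practitioner would try on it: exhaustive search of the ten keys, and a known-plaintext attack that recovers the key from a single digit pair. Function names are my own.

```python
# Added example: the slide's digit-shift cipher and why a 10-key cipher fails.

DIGITS = "0123456789"


def _check(text: str, key: int) -> None:
    """Reject anything the slide's scheme does not define (non-digits, bad key)."""
    if not text or any(c not in DIGITS for c in text):
        raise ValueError("text must be a non-empty string of decimal digits")
    if not 0 <= key <= 9:
        raise ValueError("key must be in the range 0..9")


def encrypt_digits(plain: str, key: int) -> str:
    """Replace each digit d by Mod(d + key, 10)."""
    _check(plain, key)
    return "".join(str((int(d) + key) % 10) for d in plain)


def decrypt_digits(cipher: str, key: int) -> str:
    """Replace each digit d by Mod(d + (10 - key), 10), which undoes the shift."""
    _check(cipher, key)
    return "".join(str((int(d) + (10 - key)) % 10) for d in cipher)


def brute_force(cipher: str) -> dict:
    """Exhaustive search: ten candidate plaintexts, one per key. A human can
    read through all of them and pick the one that looks like a card number."""
    return {k: decrypt_digits(cipher, k) for k in range(10)}


def recover_key(known_plain: str, cipher: str) -> int:
    """Known-plaintext attack: a single matching digit pair reveals the key,
    because every position uses the same shift."""
    return (int(cipher[0]) - int(known_plain[0])) % 10


if __name__ == "__main__":
    card = "4085551212"                      # constructed sample plaintext
    ct = encrypt_digits(card, 7)
    print(ct)                                # 1752228989
    print(brute_force(ct)[7] == card)        # True
    print(recover_key(card, ct))             # 7
```

The scheme is a Caesar shift on the digit alphabet; the worked functions make the two weaknesses concrete: a keyspace of 10 falls to brute_force in one loop, and recover_key shows that one known digit is enough, which is why real ciphers need both a large keyspace and a design where the same plaintext symbol does not always map to the same ciphertext symbol.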

Encryption Algorithms
Private key encryption – symmetric cryptography
Public key encryption – asymmetric cryptography
Digital signature
Digital certificate

Private Key (Secret Key) Encryption The same key is used by the sender (for encryption) and the receiver (for decryption). The key must be delivered to the receiver over a channel the attacker cannot read, which is the hard part of symmetric cryptography. Example: –DES (Data Encryption Standard), a block cipher with a 56-bit key. A 56-bit key is far too short today: DES keys have been recovered by brute force since the late 1990s, and AES with 128- or 256-bit keys is the current standard.

Public Key Encryption Uses two different keys: a public key and a private key. The receiver's public key must be obtained in advance (the Certificate slide explains how the sender can tell that the key is genuine). The sender uses the receiver's public key to encrypt the message and the receiver uses the matching private key to decrypt it. This guarantees that only the holder of the private key can read the message; by itself it says nothing about who sent it (that is what the digital signature adds). Example: –RSA (Rivest, Shamir, and Adleman) algorithm. At the time of these slides 512-bit to 1024-bit keys were in use; 512-bit RSA keys have since been factored, and 2048 bits is the minimum recommended today. Note: Although the two keys are mathematically related, deriving the private key from the public key is "computationally infeasible" for properly chosen key sizes.

Digital Signature It is used for the authentication and nonrepudiation of the sender by applying public key encryption in reverse (the private key creates the signature, the public key checks it), and it also ensures the integrity of the message. How a digital signature works: –Sender: Create a message digest: Hash(original message). Digital signature: Encrypt(message digest, sender's private key). Encrypted message: Encrypt(original message, receiver's public key). Send the name of the hash function, the digital signature, and the encrypted message to the receiver. –Receiver: Use the receiver's private key to decrypt the encrypted message and reveal the original message. Use the sender's public key to decrypt the digital signature and reveal the message digest. Apply the same hash function to the recovered message. If the result matches the message digest from the signature, the message is intact and was signed by the holder of the sender's private key; if it does not match, either the message was altered in transit or the signature was not made with that private key.

Certificate A certificate is a digital document issued by a trusted third-party certificate authority (CA). A certificate contains records such as a serial number, the owner's name, the owner's public key, the name of the CA, a validity period, etc., and the CA's digital signature over all of those fields. That signature is what lets a client accept the public key in the certificate as belonging to the named owner, provided the client already trusts the CA's own public key and checks that the name in the certificate is the party it meant to talk to. Examples of CAs: VeriSign, U.S. Postal Service.
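The sign-then-encrypt exchange from the Digital Signature slide and the certificate check from the Certificate slide, carried through end to end as an added example (not the lecture's code). It uses textbook RSA on a few Mersenne primes so that it runs with the Python standard library alone (Python 3.8 or later for the modular inverse); the key sizes, the lack of padding and the truncated digest are toy simplifications I chose for readability and must not be reused for anything real. Names, the sample message and the CA are all constructed.

```python
import hashlib

# Added example: digital signature + certificate on toy RSA.
# Toy parameters: fixed Mersenne primes, no padding, ~100-230-bit moduli.
# Real deployments use 2048-bit or larger random primes and PKCS#1 padding.

E = 65537  # the usual RSA public exponent


def make_keypair(p: int, q: int):
    """Return ((e, n), (d, n)) for two primes p and q."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse (Python 3.8+)
    return (E, n), (d, n)


SENDER_PUB, SENDER_PRIV = make_keypair(2**31 - 1, 2**61 - 1)        # n about 92 bits
RECEIVER_PUB, RECEIVER_PRIV = make_keypair(2**107 - 1, 2**127 - 1)  # n about 234 bits
CA_PUB, CA_PRIV = make_keypair(2**19 - 1, 2**89 - 1)                # n about 108 bits


def rsa(value: int, key) -> int:
    """One RSA operation; which key you pass decides encrypt/decrypt/sign/verify."""
    exp, n = key
    return pow(value, exp, n)


def message_digest(message: bytes) -> int:
    """Hash(original message). Only the first 8 bytes of SHA-256 are kept so the
    value is below every toy modulus above; a real signature uses the full digest."""
    return int.from_bytes(hashlib.sha256(message).digest()[:8], "big")


def send(message: bytes):
    """Sender: signature = Encrypt(digest, sender private key);
    ciphertext = Encrypt(message, receiver public key)."""
    m = int.from_bytes(message, "big")
    if m >= RECEIVER_PUB[1]:
        raise ValueError("toy RSA: message must be numerically below the receiver's modulus")
    return rsa(m, RECEIVER_PUB), rsa(message_digest(message), SENDER_PRIV)


def receive(ciphertext: int, signature: int):
    """Receiver: decrypt with own private key, recover the digest from the
    signature with the sender's public key, compare with a fresh hash."""
    m = rsa(ciphertext, RECEIVER_PRIV)
    message = m.to_bytes((m.bit_length() + 7) // 8, "big")
    intact = rsa(signature, SENDER_PUB) == message_digest(message)
    return message, intact


def issue_certificate(subject: str, subject_pub, ca_priv) -> dict:
    """CA binds a name to a public key by signing the record with its private key."""
    e, n = subject_pub
    record = f"{subject}|{e}|{n}".encode()
    return {"subject": subject, "public_key": subject_pub,
            "ca_signature": rsa(message_digest(record), ca_priv)}


def verify_certificate(cert: dict, ca_pub, expected_subject: str) -> bool:
    """Client: check the CA signature AND that the name is the party we wanted."""
    e, n = cert["public_key"]
    record = f"{cert['subject']}|{e}|{n}".encode()
    return (cert["subject"] == expected_subject
            and rsa(cert["ca_signature"], ca_pub) == message_digest(record))


def demo():
    msg = b"Pay 100 USD to account 42"                # constructed sample message
    ct, sig = send(msg)
    recovered, ok = receive(ct, sig)
    # Anyone can encrypt with the receiver's public key, but the attacker cannot
    # produce a signature that matches the altered message without SENDER_PRIV.
    forged_ct = rsa(int.from_bytes(b"Pay 900 USD to account 42", "big"), RECEIVER_PUB)
    _, forged_ok = receive(forged_ct, sig)
    cert = issue_certificate("shop.example", SENDER_PUB, CA_PRIV)
    swapped = dict(cert, public_key=RECEIVER_PUB)   # attacker substitutes a key
    return (recovered == msg and ok, forged_ok,
            verify_certificate(cert, CA_PUB, "shop.example"),
            verify_certificate(swapped, CA_PUB, "shop.example"))


if __name__ == "__main__":
    print(demo())  # (True, False, True, False)
```

The demo's four results are the four properties the slides claim: the honest message decrypts and verifies; a message altered by someone without the sender's private key fails verification even though encrypting it was easy; a certificate the CA signed verifies; and a certificate with a substituted public key fails because the CA's signature no longer matches the record. The subject-name check in verify_certificate is the step that is easy to forget and is what stops a valid certificate for one site being presented by another.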

Online Transaction Security Protocol Secure Sockets Layer (SSL) –Developed by Netscape; since superseded by TLS (Transport Layer Security), which follows the same design. –SSL uses public key cryptography (the RSA algorithm in the original versions) and the server's digital certificate to authenticate the server in a transaction, then a symmetric session key to protect the private information exchanged.

1. The client sends a message to the server stating which cipher suites it supports. 2. The server sends its digital certificate to the client for authentication (authenticating the server): the client checks the CA's signature, the validity dates, and that the name in the certificate matches the site it asked for. The client is normally not authenticated at this layer, which is why the web site still authenticates the user separately (password, cookie). 3. The client and server negotiate session keys (the client uses the server's public key from the certificate to protect the key exchange) and the rest of the transaction is encrypted with the symmetric session keys, not with the certificate itself.

Cookies Designed to hold information about a user. Created by a web site and saved on the visitor's machine. It contains: –The web site that set the cookie. –One or more pieces of data. –An expiration date for the cookie. Cookies directory: The browser sends the cookie in every request to the site that issued it. Because this happens automatically, a cookie that holds a session identifier is as sensitive as the user's password: anyone who obtains it (for example by reading it off an unencrypted connection) can act as that user until it expires.

Excel's Security Use a password to protect the spreadsheet file: –Tools/Options/Security Password to open (the file is encrypted; its strength depends on the Excel version) Password to modify. Protect spreadsheet content: –Tools/Protection Protect sheet Allow users to edit ranges. Hide data: –Format/Cells/Number/Custom Enter ;;; (three semicolons). Caveat: "password to modify", sheet protection and the ;;; format only control what Excel's user interface shows and allows; the data is still stored in the file in the clear and can be read by anyone who opens the file with another tool. Only "password to open" is a confidentiality control.

Database Security

Database Security: Protection of the data against accidental or intentional loss, destruction, or misuse Increased difficulty due to Internet access and client/server technologies

Threats to Data Security
Accidental losses attributable to:
–People
 Users: using another person's means of access, viewing unauthorized data, introducing viruses
 Programmers/operators
 Database administrator: inadequate security policy
–Software failure
 DBMS: security mechanism, privileges
 Application software: program alteration
–Hardware failure
Theft and fraud
Improper data access:
–Loss of privacy (personal data)
–Loss of confidentiality (corporate data)
Loss of availability (through, e.g., sabotage)

Possible locations of data security threats

Countermeasures to Threats
Authorization
–Authentication
Access controls: privileges
Database views
Backup and recovery
Enforcing integrity rules
Encryption
–Symmetric encryption: the same key for encryption and decryption
–Asymmetric encryption: public key for encryption, private key for decryption
RAID

Authorization Rules
Controls incorporated in the data management system
Restrict:
–access to data
–actions that people can take on data
Authorization matrix for:
–Subjects
–Objects
–Actions
–Constraints

Authorization matrix
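An authorization matrix with the four parts the slide lists (subjects, objects, actions, constraints), as an added example that is not part of the lecture. The subjects, objects and rules are made up for illustration; the point shown is that a cell missing from the matrix means deny, and that a constraint is a predicate evaluated on the request, not just a yes/no.

```python
# Added example: a deny-by-default authorization matrix with constraints.
# Subjects/objects/rules are constructed for illustration.

# (subject, object, action) -> constraint function on the request context.
# Returning True allows; a missing cell is an implicit deny.
MATRIX = {
    ("clerk", "customer", "read"): lambda ctx: True,
    # Clerks may correct contact details only, never financial columns.
    ("clerk", "customer", "update"): lambda ctx: ctx.get("field") in {"address", "phone"},
    ("manager", "customer", "read"): lambda ctx: True,
    ("manager", "customer", "update"): lambda ctx: True,
    # Deletion needs a second person's approval (no self-approval).
    ("manager", "customer", "delete"): lambda ctx: (
        ctx.get("approved_by") is not None and ctx.get("approved_by") != ctx.get("subject_id")),
    # Auditors read during business hours only.
    ("auditor", "customer", "read"): lambda ctx: 8 <= ctx.get("hour", 12) < 18,
}


def authorized(subject: str, obj: str, action: str, ctx=None) -> bool:
    """Look up the cell for (subject, object, action) and evaluate its constraint.

    Any subject, object or action the matrix does not mention is denied, so
    adding a new table or a new role grants nothing until a rule is written."""
    rule = MATRIX.get((subject, obj, action))
    if rule is None:
        return False
    return bool(rule(ctx or {}))


def check_request(subject: str, obj: str, action: str, ctx=None) -> str:
    """Wrapper the application would call; returns a short audit line."""
    verdict = "ALLOW" if authorized(subject, obj, action, ctx) else "DENY"
    return f"{verdict} {subject} {action} {obj} {ctx or {}}"


if __name__ == "__main__":
    print(check_request("clerk", "customer", "update", {"field": "balance"}))   # DENY
    print(check_request("manager", "customer", "delete",
                        {"subject_id": "m1", "approved_by": "m2"}))             # ALLOW
    print(check_request("guest", "customer", "read"))                            # DENY
```

Keeping the rules in one table, rather than scattered through the application, is what makes the authorization policy reviewable; the same table can be dumped as the matrix the slide shows, with one row per subject and one column per object/action pair.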

SQL Injection "SQL Injection" is an unverified/unsanitized user input vulnerability: the idea is to convince the application to run SQL code that was not intended. It exploits applications that build database commands by pasting external input into the command text, so that the database cannot tell where the developer's SQL ends and the user's data begins.

SQL Injection Demo A web page takes a customer ID entered in a textbox as input, then displays that customer's data. In the textbox, enter: ' OR 1=1 OR CID = ' The application then executes: select * from customer where cid = '' OR 1=1 OR CID = '' The first quote closes the string literal the program opened, OR 1=1 is always true, and the trailing OR CID = ' consumes the closing quote the program appends so the statement stays syntactically valid. The result is every customer's row, not just one.

Demo
  Imports System.Data.OleDb

  Protected Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button1.Click
      Dim strConn As String = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source = c:\salesDB.mdb"
      Dim objConn As New OleDbConnection(strConn)
      ' Vulnerable on purpose: the textbox value is concatenated straight into the SQL text.
      Dim strSQL As String = "select * from customer where cid = '" & TextBox1.Text & "'"
      Dim objComm As New OleDbCommand(strSQL, objConn)
      Try
          objConn.Open()
          Dim objDataReader As OleDbDataReader
          objDataReader = objComm.ExecuteReader()
          GridView1.DataSource = objDataReader
          GridView1.DataBind()
      Catch except As SystemException
          ' Echoing the raw error to the page also tells an attacker what the database said.
          Response.Write(except.Message)
      End Try
  End Sub
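The lecture's demo is VB.NET against an Access file. The same query and the same payload against an in-memory SQLite table, as an added example that is not the lecture's code, so the injection and its fix can be run anywhere: the vulnerable function concatenates the input exactly as the VB code does, and the parameterized function shows the fix. The table contents are constructed sample data.

```python
import sqlite3

# Added example: the slide's vulnerable query beside its parameterized fix,
# on constructed sample data in SQLite.


def setup() -> sqlite3.Connection:
    """Create the customer table the demo page reads from (sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customer (cid TEXT PRIMARY KEY, name TEXT, balance REAL);
        INSERT INTO customer VALUES ('C001', 'Alice', 120.50);
        INSERT INTO customer VALUES ('C002', 'Bob', 0.00);
        INSERT INTO customer VALUES ('C003', 'Carol', 9000.00);
    """)
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, cid: str) -> list:
    """Same construction as the VB demo: user input pasted into the SQL text."""
    sql = "select * from customer where cid = '" + cid + "'"
    return conn.execute(sql).fetchall()


def parameterized_lookup(conn: sqlite3.Connection, cid: str) -> list:
    """The fix: the value is bound as a parameter, so whatever it contains it is
    compared as data and never parsed as SQL."""
    return conn.execute("select * from customer where cid = ?", (cid,)).fetchall()


PAYLOAD = "' OR 1=1 OR CID = '"   # the string typed into the textbox on the slide


def demo():
    conn = setup()
    normal = vulnerable_lookup(conn, "C001")        # one row, as designed
    dumped = vulnerable_lookup(conn, PAYLOAD)       # every row: the WHERE clause is always true
    safe = parameterized_lookup(conn, PAYLOAD)      # no customer has that literal id
    return len(normal), len(dumped), len(safe)


if __name__ == "__main__":
    print(demo())  # (1, 3, 0)
```

Escaping the quote character by hand is the tempting alternative; parameterization is preferred because it removes the parsing ambiguity entirely rather than patching one character, and it works the same for numeric input, where there is no quote to escape in the first place.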

Access security Database password: –The database must be opened exclusively: in the File/Open window, click the Open button's drop-down list and select Open Exclusive –Tools/Security/Set Database Password Tools/Security/Encode/Decode (scrambles the file so it cannot be read with a text editor; this is obfuscation, not strong encryption) User-group/user-level security. Caveat: all of these protections travel with the .mdb file, so anyone who can copy the file can attack them offline, and tools that recover Access database passwords are widely available. They deter casual access; they do not protect the data against a determined attacker who has the file.