Published by Denis Casey. Modified over 7 years ago.
1
Electronic Commerce, Second Edition
Marilyn Greenstein and Miklos Vasarhelyi
2
Table of Contents
1. Overview of Electronic Commerce ... 5
2. The Electronization of Business ... 26
3. B2B Process and Strategies
4. Electronic Commerce and the Role of Independent Third-Parties
5. The Regulatory Environment ... 159
6. EDI, Electronic Commerce and the Internet
7. Risks of Insecure Systems ... 222
3
8. Risk Management
9. Internet Security Standards
10. Cryptography & Authentication
11. Firewalls
12. Electronic Commerce Payment Mediums ... 392
13. Intelligent Agents
14. Web-Based Marketing
5
Chapter 1 Overview of Electronic Commerce
6
Overview of Electronic Commerce
- Defined
- Potential Benefits
- Enablers
- Effects on Business Models
- Security
- Textbook Organization of Topics
- Implications for the Accounting Profession
7
What is electronic commerce?
The use of electronic mediums (telecommunications) to engage in the exchange, including buying and selling, of products and services requiring transportation, either physically or digitally, from location to location.
8
How is electronic commerce different from electronic business?
Electronic Commerce is a subset of electronic business. Electronic business also includes the exchange of information not directly related to the actual buying and selling of goods and services.
9
Why should a business engage in electronic commerce?
Potential benefits include:
- Saving money and resources
- Reaching more business partners
- Reaching geographically dispersed customers
- Reducing procurement costs
- Reducing costs of purchases
- Reducing inventory
- Improving cycle times
- Improving customer service
- Reducing sales and marketing costs
10
How can procurement costs be reduced?
Procurement costs can be lowered by Electronic Data Interchange (EDI):
- Consolidating purchases
- Developing relationships with key suppliers
- Negotiating volume discounts
- Better integrating the manufacturing processes
Procurement costs can be lowered further by Internet commerce:
- Increasing the ability to reach and transact with new partners
- Decreasing data transmission costs
11
How can inventory costs be reduced?
Inventory costs can be lowered by savings in:
- Storage costs
- Handling costs
- Insurance costs
- Administrative costs
- Reduction in cycle time because of shared design specifications
- Reduced fixed overhead costs assigned to each unit
Most of these cost reductions result from greater collaboration and information sharing between business partners.
12
How is customer service improved?
Customers note benefits including:
- Increased choice of vendors
- Convenience of shopping from home or work
- Greater amounts of information on demand
- More competitive prices and increased price comparison capabilities
- Greater customization in the delivery of service
- Easy ways to check on order status
- Hassle-free return procedures
13
What is the Internet and the WWW?
The Internet is a network of networks (the backbone); it builds on Leonard Kleinrock's 1969 packet switching theory. The Internet emerged because of the following three forces:
- Powerful and inexpensive technologies
- Availability of telecommunications
- Spread of digital information
In 1990 Tim Berners-Lee developed the capabilities that are now described as the World Wide Web (WWW) portion of the Internet, which allows:
- Hypertext linking
- Software portability
- Network and socket programming
Source: Karl Salnoske, IBM, 1998
14
Is doing business on the Internet a strategic business issue or a technical issue?
Because electronic commerce requires industry process reengineering, doing business successfully on the Internet involves rethinking our business strategies so that Internet activities are closely tied to business goals. It is more than a new technology.
15
Air Products E-Business Initiatives
- Value-Added Marketing
- Selling
- New Channels
- Procurement
- Becoming a Knowledge Leader
- Storefronts on B2B Portals
16
Traditional Value Chain
Figure 1-5 Traditional Value Chain: Supplier → Inbound Purchases and Logistics → Production → Outbound Logistics → Customer
17
Figure 1-6 The new value chain: Inbound, Production, Outbound, Service, Sales and Marketing, Information System and CRM, all oriented around the CUSTOMER
18
Figure 1-7 The expanded ICDT model: the virtual market's Information space, Communication space, Distribution space and Transaction space, surrounded by the legal and self-regulatory environment (taxes, privacy). Adapted from Angehrn, 1997
19
ICDT Business Strategy Model
- Internet Information: Is it accurate, current, only available to authorized parties, easy to find, and accessible without wait?
- Internet Communication: Are you building a consistent experience, relationship and trust? Is it secure and private?
- Internet Distribution: Are you only delivering to authorized parties, in a reliable fashion?
- Internet Transactions: Are they secure, accurate, with integrity, reliable, from reputable partners, and private?
20
Figure 1-8 Three pillars of electronic commerce: Electronic Information, Electronic Relationships and Electronic Transactions, built on an existing market space and open processes. Source: Peter Fingar, 1998
21
Electronic Relationships
To attract repeat visitors away from competitors, your site must:
- Be innovative
- Add value
- Provide information and interaction not otherwise available
- Create forums for opinion-building activities
(Peter Fingar, 1998)
Integrity means that:
- The agreed upon elements are correctly and accurately captured, including all of the necessary information
- The processing and storage procedures do not allow the altering of the data
- The transacting parties are authenticated: the parties are who they say they are
- The electronic data are protected from unauthorized disclosure
22
What security breaches are most common for web-based companies?
- Virus and malicious code infections
- Abuse of computer access controls
- Physical theft, sabotage, destruction
- Denial of Service
- Attacks on bugs in Web servers
- Attacks related to insecure passwords
- Electronic theft, sabotage, destruction
- Fraud
23
What security breaches are most common for ERP-using companies?
- Revenue loss
- Information loss
- Data integrity loss
- Theft of trade secrets or data
- Infection with a computer virus
- Manipulation of internal systems
Your entire system is only as strong as the weakest link in the chain!
24
Accounting Professionals
Implications for Accounting Professionals
Electronic commerce causes changes in a business's:
- Value chain: the customer is the new focus
- Ways to do business: strategies
- Business partners: new suppliers and customers
Accounting professionals must:
- Adapt the methods and technology used for assurance functions: systems reliability and integrity
- Adapt their transaction analysis to be in real time
- Train themselves in the new technologies
26
Chapter 2 Electronization of Business
27
Overview Electronization of Business
- Principles and Axioms
- Effects on Business
- Management Issues
- New Paradigms and Metaphors
- The Theory of Electronization
- E-Business Methods and Tools
- New Business Models, Processes and Tools
- Industries and Their Continuing Evolution
- Implications for the Accounting Profession
28
Electronization of Business
(Diagram of business process areas and their electronic tools.) Process areas shown: Advertising, Pre-sale care, Sale, Delivery, Payment, Accounting, E-care, Auditing, Purchasing, Marketing, Logistics, Finance, Human Resources. Tools and examples named in the diagram: Web advertising, Customization, Banners, Voice Reply, Auto Responder, Web-based E-Catalog, Shopping Carts, Credit card, E-cash, Micropayments, Continuous, Integrity, Reliability, Bitable, Non-bitable, Automatic Confirmation, Inventory, Manufacturing, Tracking, B2B, Open EDI, Extranets, Consortia, Tech support, Lead Follows, Help desk, Individual targeting, Virtual communities, Customer party lines, E-banking, E-hedging, E-Trading.
29
Electronization of Business: Changes to the Value Chain
Major changes include:
- Deconstruction
- Metamarkets
- Disintermediation
- Reintermediation
- Industry Morphing
- Cannibalization
- Technointensification
- Rechanneling
30
Figure 2-1 The interorganizational value chain: Supplier value chain (upstream value) → Firm value chain (firm value) → Channel value chain → Buyer value chain (downstream value), linked through intranets, shared intranets and the Internet
31
Figure 2-2 Leaping over links in the value chain with Extranets: Supplier value chain (upstream value) → Firm value chain (firm value) → Channel value chain → Buyer value chain (downstream value), linked through intranets, a shared extranet and the Internet
32
What is the Internal Value Chain?
- Passing value from inputs (materials, patents, services, etc.) to customers
- Involves all aspects of a business: R&D, production planning, production, financing, accounting, auditing, etc.
- Customers define value from their experience of working with your company, which is more than just your product or service
33
What are Bitable Goods?
Goods able to be transmitted over telecommunication channels, also called digital inventory or service. The most common bitable goods:
- Financial products
- Software
- Music
- Videos
- Information
34
What are E-Commodities?
Goods able to be purchased without being sensed or tried on by the consumer. Non-e-commodity goods/services may become e-commodities due to factors such as:
- Reputation of the vendor
- Experience of the consumer
- Distance from the source
- Availability of the good
- Ability to "try it" digitally online (like music)
35
What is Deconstruction?
- Methodological, progressive outsourcing or alliancing-out of internal processes
- Allows sharing of proceeds without having to dedicate substantive resources
- Can create meta-markets: the customer does not see/care that it is a network of organizations providing the product/service to them
36
What are Disintermediation and Reintermediation?
Disintermediation: elimination of middle functions that do not add incremental value once the new technology is being used:
- Travel or insurance agents
- Securities brokers
- Pharmacists
Reintermediation: new markets or brokerages that evolve from the new technology:
- Infomediaries such as eBay, CDNow, Amazon
These situations create some interesting revenue recognition questions.
37
What is Industry Morphing?
Industry morphing: deconstructing and reconstructing value propositions, taking pieces and re-bundling them into new opportunities. Examples: GE and Intuit.
Cannibalization: permanent replacement. Examples: telephony, securities trading, banking.
Channel conflict: the tug-of-war of sales between the alternative channels you offer your customers. Which channel has preference?
38
What is meant by Technointensification?
Businesses are:
- Increasing their use of technology
- Increasing their capitalization of IT resources
- Decreasing their use of human resources
- Relying more often and extensively on third parties for IT resources
- Hiring and training more people in IT functions
- Producing items with a higher value per pound
- Executing processes more rapidly and efficiently
- Providing availability
- Risking highly vulnerable downtime
39
What is Rechanneling?
Changing the focus of internal processes, products or services in order to optimize the expected cash inflows:
- A chassis shop that is also a welding shop
- Book stores using both physical and online storefronts to compete in new ways
40
Figure 2-3 Breaking up the value contents: one traditional product (Info, Product, Financing, Logistic, R&D, Manufacturing) broken into many new products through outsourcing, alliances and competitors
41
E-Business Evolutionary Stages
From lowest to highest level of evolution:
- Web Presence: information only
- Basic Functionality: allows contact with the organization, and scripting
- Functional: connected to a Web-server database with active Web pages
- Competent: involves extranets with partners, practices individualized marketing, and utilizes knowledge-based tools
42
How is E-Business Changing Traditional Business?
- Globalization of markets
- One-to-one marketing
- Customization of site and product
- Integration of systems with clients
- New forms of e-Service (e.g., UPS setting up new computers)
- Commoditization of products: low margins and brand differentiation
43
How is E-Business Changing Business Processes?
- Increased pre- and post-sale care of customers
- Increased use of databases and user interfaces
- Flatter organizational structures
- Development and use of customer profiles
- Increased reliance on cooperation software
- Faster product-to-market strategies
- Increased reliance on third parties
- Faster turnaround of cash flows
44
Successful Dot.coms’ List of Do’s
- Avoid excessive promotional expenditures
- Outsource processes when there is no or little internal expertise
- Consider the long-run tradeoff between high startup costs and low incremental costs
- Pay close attention to supply and demand forces and laws
- Plan for progressive increases in cash flows and earnings to position your company for growth
- Do not value your company by price/earnings ratios
- Utilize well-known, competent management
- Realize that funding is becoming more competitive
45
Three examples of the E-Business paradigm shift
- Victoria's Secret: online fashion shows and the Super Bowl
- Financial instrument brokerage industry: more individual investors, more online brokerages, new bundling of products and services
- The wellness industry: online pharmacies, wellness sites, disease portals, pharmaceutical sites, B2B medical provisioning sites; disintermediation of pharmacists, democratization of medicine due to information sharing, e-Diagnostics, internationalization of medicine, doctor comparison and recommendation
46
Figure 2-7 The new health care value chain for pharmaceuticals (diagram). Columns: Research, Logistics, Marketing, Strategy, Others. Items named in the diagram: product tailoring; personalized websites and marketing; bypassing doctors, pharmacies, HMOs; nation-level products; buying research; changing value chain; joint sourcing; buying up pharmacies, distributors, HMOs; supplying metamarkets; joint products; international price equalization; disease eradication monitoring; implanted devices; expert systems; outsourcing; continuous monitored trials; DNA mapping; transparent telemetering for trials; global outsourcing; product tracking; modular manufacturing; supplier-managed inventory; joint projects with competitors.
47
What are the effects of the electronization of business processes?
- Creating products and services that are faster, cheaper, and better
- Reinventing marketing and advertising
- eCare is at the core of making electronization successful for a business
48
What can modern Banner Advertisements do?
- Determine the geographic location of the target (e.g., mobile opportunities)
- Link products with recent purchases
- Link the target with other people in a social network
- Explore complex events (weddings, etc.)
49
What is involved in E-Care Services?
An intelligent combination of e-mail, Web-based support, and telephone support. Goal: to be more effective and more efficient than traditional marketing and relationship management techniques.
50
New E-Business Principles
- Information is abundant, eyeballs are limited
- New paradigms exist, for example: giving away goods/services, not protecting software against privacy invasions, paying for users and site visitors
- Your customers and suppliers are also your competitors and allies
- Entire product cycles can be created without the ownership of inventory or production capacity
- Pricing models are changing and flexible
51
Figure 2-9 Three key success factors for E-Businesses:
- Technology: the World Wide Web
- Facilitating services: delivery, escrow, price comparisons
- Business model: e-catalog, auctions, name your price
52
What are the new B2B E-Business models?
- E-Catalogs
- Auction models, where the products and values are not standardized
- Commodity auctions, where the products and values are more homogeneous
Most common phenomena: disintermediation, reintermediation, and cannibalization.
53
What are the new B2B E-Business Tools?
- E-Catalogs
- Tracking of shipments
- Inventory management and joint provisioning
- Database marketing: allows for a timely, geographic, customer focus
- Data warehousing and data mining
- Profiling
- Continuous reporting
- Continuous auditing: WebTrust, SysTrust
54
What are E-Catalogs?
- One resource presents many products and prices to buyers
- Can link many organizations on one list
- Can manage flexible/variable pricing and promotions
Database features include: data categorization, parameterization, collection, normalization, and cleansing; high-volume scanning and image processing; custom designing; dynamic printed output; preprogrammed query capabilities; buying suggestion models; incomplete information search algorithms and filtering.
Examples: a21.com, Cohera.com
55
Where can we find data mining and data warehousing in use?
- Credit card companies, for approvals
- Supermarkets, for inventory management
- E-Tailers, for suggestions of complementary product purchases
- Mobile commerce advertisements, for routing of the consumer's activities ("Buy gas around the corner and get 15% off")
56
What is Profiling?
Profiling: evaluating complex data trends to create stereotypes for marketing or pricing strategies. Examples: Amazon's jaboom.com; Land's End's virtual model.
57
What is Fragmentation?
Fragmentation refers to the loss of information due to disconnected profiling efforts.
- Many companies are interested in sharing data to learn about market opportunities
- Societal reduction of fragmentation may create serious privacy concerns
58
What is continuous reporting?
Continuous reporting is the real-time disclosure of transaction data. It is possible because of:
- Interconnectivity of processes
- Use of Enterprise Resource Planning (ERP) systems
- Evolution of user interfaces connected to the Internet and corporate databases
Statutory protection of stockholders from misleading financial disclosures motivates many businesses to disclose non-financial rather than financial measures on their web sites.
59
What are the new E-Business models?
E-Business models are distinguished by their value proposition (product/service), their source(s) of revenue, and their cost structures. Three new models (and examples thereof) are:
- Auctions: eBay
- Reverse auctions: Priceline
- Buyers club: mercata.com
60
What are E-Business revenue sources?
The most common sources of revenue include:
- Sales made on the Internet
- Advertising fees
- Subscription fees
- Transaction fees
61
Which business processes are most affected by E-Business?
Six business processes significantly affected by E-Business are:
- Marketing and Advertising
- Production and Logistics
- E-Care (Customer Services)
- Finance
- Human Resources
- Research and Development
62
How are Marketing and Advertising changed?
- More one-to-one marketing strategies: mining and profiling, targeted banners, personalized sites, suggestion models, m-Commerce promotions
- Emphasizing brand
- Variable pricing
- Affiliation agreements
- New bundling
- Customizing Web presences
- Customizing products, adding information value to the product/service
63
How are Production and Logistics changed?
Internetworking provides efficiency opportunities in production, storage, distribution and acquisition. Supply chain management has utilized:
- Electronic catalogs
- Product tracking
- Web-managed distribution of cargo
- Supplier-managed inventory
- Distributed and shared manufacturing processes
- Shared inventory management
64
How has Customer Care changed?
Customer relationship management (CRM) software has focused on sales force, marketing, and call-center needs by collecting, mining, and reporting data back to the managers. Acquiring a new customer is 8 times more expensive, on average, than keeping a customer.
65
How has Finance changed?
Finance uses legacy and ERP systems for:
- Performance measurements and evaluation: accountants understand business processes; develop, collect and analyze measurements for them; and advise management
- Assurance: new metrics are needed because of the increased speed and volume of business transactions between new partners and increased legal complexities
- Financial management: heading towards paperless, continuous risk assessments, testing, and reporting that is integrated with external partners in extranets
66
Figure 2-11 Process monitoring and assurance (diagram): a monitoring IT structure sits beside the corporate IT structure; alarms from external information and analytical exception tests, driven by internal/external monitoring metrics and strategic and tactical metrics, are routed to auditors, to operations, to a scorecard and to other stakeholders
67
How has Human Resources changed?
Human Resources has become much more self-service in:
- Administrative activities
- Career management
- Value of employment (compensation, benefits)
- Payroll
- Employee services
- Health management
Application Service Providers (ASPs) are used extensively.
68
How has Research and Development (R&D) changed?
- Groupware for distance work
- Large, powerful databases
- Telemetering and sensing
- Visualization software
- Powerful supercomputers
- Knowledge management systems for greater sharing of information
69
Which industries are most affected by electronization?
Industries with bitable products/services are most affected:
- Financial sector: brokerages, banking, and insurance
- Software
- Retail: especially with industry-specialized portals
- Large manufacturers: increasing their market range, reducing their costs and increasing the rapidity and efficiency of their processes
- Services: traditional (accounting, data entry, programming) and new e-Care
70
Implications for the Accounting Profession
Accountants need to focus on:
- Providing more real value to their clients
- Emphasizing continuous reporting
- Emphasizing continuous assurance
- Developing new assurance products
- Using the Internet to move the work to lower labor-cost markets
72
Chapter 3 Business-to-Business Processes and Strategies
73
Overview B2B Processes and Strategies
- From B2C to B2B
- Using Corporate Nets
- B2B Processes and Advantages
- Emerging B2B Problems
- Electronic Markets
- Strategy
- A Schemata to Analyze E-Business Strategy
- Implications for the Accounting Profession
74
Figure 3-1 B2B and B2C electronization focus
- B2B: purchasing and supply chain focus; market formation and structure; purchasing
- B2C: individual targeting; customization; Web advertising; virtual communities; customer party lines; marketing; advertising
B2B has a larger volume of transactions, but a lower margin per transaction.
75
What is meant by Corporate Nets?
Internetworking: connecting through computer networks
- Can be fixed or mobile or both
- Brings the processing to the individual rather than the individual to the computer
Intranets: within an organization
Extranets: between organizations
Value is derived from:
- Highly customized end user connections
- Highly orchestrated high value chain elements
- Common infrastructure utilizing modularity
76
More about Intranets
- Initial use: to pool expensive resources and optimize their utilization
- Next phase: to enhance corporate communications through e-mail and file sharing
- Newest phase: utilizing the Internet and the TCP/IP protocol (servers, browsers, routers, etc.) to enhance efficiency
77
Figure 3-2 Angehrn's ICDT model applied to Intranets
- Information space: HR data, production, inventory, etc.
- Communication space: e-mail, data sharing, groupware applications
- Distribution space: corporate documents, software, training, support
- Transaction space: vouchers, claims, internal purchases, orders
78
Figure 3-2 Angehrn's ICDT model applied to Extranets (the internal corporation linked with its trading partners)
- Information space: HR data, production, inventory, etc.
- Communication space: e-mail, data sharing, groupware applications
- Distribution space: corporate documents, software, training, support
- Transaction space: vouchers, claims, internal purchases, orders
79
More about Extranets Components include:
- Enterprise Resource Planning (ERP) systems
- Legacy systems: e-mail, data sharing, groupware applications
- Middleware: to allow seamless interfaces with business partner information systems
- Intranets of business partners
Common Extranet applications include:
- Application Service Providers (ASPs): common platforms for outsourced processing that allow rapid product deployment, low capital investment and little residual onus
- Customer Care Extranets: dedicated to eCare of customer communications and support
- Supplier-managed Inventory: allows suppliers to utilize Just-In-Time technologies
80
Examples of Extranets
- ARCO
- Canadian Coast Guard
- Chubb Corporation
- Eastman Kodak
- Harley Davidson
- NN Financial
- National Semiconductor
- Taco Bell
- Microsoft
- Texas Instruments
- Toro Co.
- GE Lighting
- GE Industrial Systems
Source: ISIS Communications, 2000
81
Newest Trends in Extranets
- Direct electronic dealings with potential and existing partners
- Transacting through electronic markets
- Formation of electronic consortia
- Hub-free peer-to-peer structures
82
Business-to-Business (B2B) Commerce
B2B defined: business purchases between commercial entities as intermediate process(es) of value addition until the product(s), or derivative(s) thereof, is (are) delivered to the consumer.
- Evolved from manual processes, to electronic data interchange (EDI), to Web-based combinations
- Different from B2C: involves more investment, and brand is less of a factor in this domain
83
Top Ten B2B Businesses Forrester Research
1. Intel
2. Cisco
3. Dell
4. Boise Cascade
5. W.W. Grainger
6. 3Com
7. IBM
8. Gateway 2000
9. Sabre Group
10. Office Depot
84
Dimensions of Market Factors That Affect B2B Commerce
- Current size of the market and the effect of electronization on the size of the market
- Expected speed of deployment of the electronic solution(s)
- Ownership of the electronic market
- Business model, nature of the market platform and the revenue sources for the market makers
- Criteria for the admission of players
- Visibility of entities
- Nature of the market platform and the degree of IT integration
- Form of settlement arrangements
85
Comparing EDI to Internet B2B Solutions
EDI:
- Rigid definition of trading partners
- Expensive investment in protocol and proprietary channels, with monthly and per-transaction fees
- Low connectivity/data sharing options
- More inherent security
Internet (TCP/IP):
- Low incremental costs
- Real-time connectivity
- Flexible data sharing
- Less inherent security (but it can be built in)
86
What are Vertical and Horizontal B2B Markets?
Vertical markets:
- Focus on one industry
- Have multiple purposes: transactions, job postings, industry news, technical advice, information services, etc.
Horizontal markets:
- Business model of economy of scale with less specific industry specialization
- Offer one type of service or product across industries
87
Newest Features of B2B Markets
- Customized middleware to smooth interfaces between trading partners
- Peer-to-peer computing, which allows for shared markets without a centralized market or exchange
- Use of intelligent agents: price comparison agents, buying and selling agents, fraud detection agents
88
What are the emerging problems in the B2B environment?
- Antitrust issues
- Control issues on the market sites
- Virus and security problems
- Privacy of data issues
89
B2B Examples from Three Industries
- Auto industry: Covisint
- Airline industry
- Professional services firms: Accenture, iPlanet, and Sun Microsystems; PriceWaterhouseCoopers and Informatica
90
Internet Business Strategies
Strategies are a function of factors such as:
- Type of business entity
- Stage of business (startup, growth, mature, declining)
- Sector of the economy
- Product pricing strategy
- Income and prestige objectives of management
- Management exit strategies
- Funding sources and processes
91
Figure 3-9 Funding sources and processes
Financing | Definition | Average Range | Who Typically Plays
Seed | Proof of concept | 25-500K | Angel individuals/groups; early stage VCs
Start-up | Complete product and initial marketing | 500K-3M | Early-stage VCs
First | Full scale production & sales | 1.5-5M | Venture capitalists
Second | Working capital for business expansion | 3-10M | Private placement firms
Third | Expansion capital to achieve break-even | 5-30M |
Bridge | Go public in 6-12 months | 3-20M | Mezzanine financing firms; investment bankers
Go Public | Equity capital | Wide range | Public market participants
92
Internet Business Plans and Forms
- Generic description of the business idea
- Plan of action
- Assessment of the market
- Pro-forma set of financial statements
- Description of the management team
- Organizational morphing: businesses that are acquired or merged with other businesses
93
Why do some failing companies choose to close their doors rather than merge?
- They do not have a sustainable business model
- They do not have a set of built-up assets
- They ran out of money before options were considered
- Venture capitalists are too busy to notice them
- There is less of a market for Internet expertise than there used to be
- Many potential acquirers are using a "wait and see" strategy
94
Electronization Strategy Parameters Kanter, HBR, 2001
- Use relevant corporate standards for Internet businesses
- Consider the separate elements within your value chain
- Focus on a few, visible electronization efforts
- Take the revolution seriously, and focus on customer care and service
- Work with flexible vendors who are not afraid of constantly morphing with you and the marketplace
- Rethink and reengineer your business processes
- Offer incentives for cooperation between parties
- Create and disseminate easy-to-use tools
- Create and use relevant corporate benchmarks to evaluate performance
95
Traditional Strategic Thinking and Corporate Competencies
Core competency refers to a business' value proposition that:
- Provides access to a variety of markets
- Significantly contributes to the customer's perceptions of the end product benefits
- Is difficult for competitors to imitate
96
Figure 3-10 Core Competencies (diagram): competences #1, #2 and #3 feed core products 1 and 2, which feed businesses #1, #2 and #3 and end products 1 through 6; the diagram also shows a core product from a competitor and deconstructed/reconstructed core competences #1 and #2
97
Figure 3-11 Competitive factors and forces
- Threat of new entrants: attacks on the chains of the value chain (deconstruction); entrants from other industries
- Bargaining power of suppliers
- Bargaining power of customers
- Positioning by competitors: alliances with competitors; B2B market participation with competitors
- Threat of substitutes
98
New Economy Thinking: Deconstructing the Value Chain and Judo Strategy
Deconstructing the value chain: reengineer, rebundle, and create synergies.
Judo strategy: turn the dominant players' strengths against them.
- Flexibility principle: do not attack head-on
- Leverage principle: small businesses do not have the impact that large businesses have
99
New Economy Corporate Strategic Plays
A corporation can achieve an electronic channel through:
- Acquisition
- Development: independent building
- Deconstruction: subdivide and conquer
- Aligning and affiliating with partners: meet your enemies
100
Figure 3-12 E-thinking strategies
- Stage of the business: new business; established business; industry leader
- E-Objective: new channel; process improvement; new e-Product; de-(re)construction
- Strategy of electronization: create entity; acquire existing business; alliance and affiliation; buy part of the company; create joint income targets; use joint platforms
101
What are Free Play Strategies?
Free play strategies offer free services or space to post information on the Internet. Free plays typically rely on advertising or other sponsorships:
- Free web hosting
- Free commonware space
- Free e-Commerce platform
- Free Internet telephony
102
Schemata to Analyze E-Business Strategy
- Source of income: sustainable, across-the-value-chain, exit strategy, residual value, information gathering play?
- Market size, existing and future: overall estimation, segmentation, and acquisition rates
- Market form: number of suppliers compared to number of buyers; centralized broker or peer-to-peer?
- Cost structures
- Type of product/service provided
- Innovation along the value chain
103
Implications for the Accounting Profession
Expertise is needed to understand:
- The B2B markets
- The new business models
- The new business strategies
- The reliability, integrity and security issues of the entire set of internetworks: operating system, program code, Internet protocols, encryption methods, firewall configurations
105
Chapter 4 Electronic Commerce and the Role of
Independent Third Parties
106
Electronic Commerce and the Role of Independent Third Parties
Consulting Practices and Independence CPA Vision Project: Necessary Professional Skills New Assurance Services E-Commerce Effects on Traditional Assurance Third-Party Assurance of Web-Based E-Commerce Trust in Electronic Relationships Website Seal Options Implications for the Accounting Profession
107
Should accountants provide E-Commerce assurance services?
Accountants are known for their ability to: be objective; be independent; render opinions on the accuracy of other entities' financial reports; assess risks; report on the system of internal controls.
108
AICPA Principles of the Code of Professional Conduct
The American Institute of Certified Public Accountants (AICPA) requires: Integrity: due care, objectivity and independence, so that the public can trust the profession's opinions. Objectivity: an impartial, intellectually honest state of mind, free of conflicts of interest, that lends value to the work. Independence: no financial or other interest in the client's firm.
109
Independence Standards Board of the SEC
Auditors will on an annual basis: Disclose to the audit committee all relationships in writing Confirm in writing that they are independent Discuss independence with the audit committee
110
What is causing pressures on Auditor Independence?
Growing Aggression in the financial marketplace Multi-disciplinary service offerings by audit firms Loss-leading audits Changes in audit firm culture Increased scrutiny Earnscliffe Research and Communication, 1999
111
Independence Within Firm: One Team Consults and Another Audits
Consulting team (one team does this): design the firewall and access controls; install the firewall and access controls. Audit team (another team does this): evaluate the adequacy of the firewall and access control system; issue an opinion on the adequacy of the firewall and access control system.
112
What is the CPA Vision Project?
CPAs are the trusted professionals who enable people and organizations to shape their future. Combining insight with integrity, CPAs deliver value by: communicating the total picture with clarity and objectivity; translating complex information into critical knowledge; anticipating and creating opportunities; designing pathways that transform vision into reality.
113
What are the top 5 Core Services provided by the CPA Profession?
Assurance and information integrity Management consulting and performance measurement Technology services Financial planning International services
114
Why are new assurances needed?
Stagnant Audit Revenues & Smaller Audit Teams Increasing & Changing Technology Requirements Client Business Environment New Market for Accounting Profession
115
Robert Elliott's Special Committee on Assurance Services (SCAS)
New assurance service opportunities require: Identifying a customer with a need Finding a CPA to fill that need Customer’s perception is that value received exceeds costs involved Best new assurance services areas: Electronic commerce Elder care Health care performance Systems reliability Entity performance Risk identification and impact analysis
116
Elliott Report: New Knowledge and Skills Needed by Accountants:
Intentional attacks Transmission failures Lack of authentication Loss of trust Theft of identity Encryption Risks associated with electronic cash Software Agents Sensors Preventative and detective controls Systems reliability
117
AICPA’s Top 10 Technologies and Emerging Technologies
Security and Encryption XML Communications technologies – bandwidth Mobile, wireless and remote connectivity Electronic authentication and authorization Database Emerging Technologies Government regulations Business service providers E-Learning Electronic Evidence M-Commerce
118
The Three Waves of Electronic Commerce
First Wave: Traditional EDI - Ordering Shipping Invoicing Inventory Established partners only Second Wave: Electronic Commerce Elements in 1st wave plus: Online shopping Online payments Increased Information Sharing New partners allowed Interactive Websites Third Wave: Electronic Society Elements in 2nd wave plus: Cashless transactions Transaction integrity Intelligent Agents Continuous testing Wireless capabilities
119
The Challenge of E-Commerce: Openness with Security
Integrity controls and signals: data elements are correct and agreed upon. Security controls: parties are authenticated and data is not accessible to unauthorized parties. Methods to solve trading partner disputes: nonrepudiation, digital signatures, integrity checks.
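The slide lists integrity checks and digital signatures side by side, but for settling a trading-partner dispute they are not interchangeable. The following added example (not code from the textbook) shows why: an HMAC integrity check is computed with a key that both partners hold, so either of them could have produced a valid tag; a digital signature is made with a private key that only the signer holds, which is what nonrepudiation requires. The RSA key is textbook RSA with two fixed primes and no padding, chosen so the block runs without any library; the partner names, shared key and purchase-order text are assumed values constructed for the demonstration, and this is not a production signature scheme.

```python
"""Integrity check (HMAC) versus digital signature for trading-partner disputes.

Added example. The HMAC tag proves only that someone holding the shared key
produced it; because Trading Partners A and B both hold that key, the tag
cannot show which of them sent the message. The RSA signature is made with
A's private key alone, so a valid signature under A's public key binds A.
Textbook RSA with fixed primes and no padding: for illustration only.
"""
import hashlib
import hmac

# Toy RSA key for Trading Partner A (assumed values: Mersenne primes 2^31-1 and 2^61-1).
P = 2147483647
Q = 2305843009213693951
N = P * Q                                # about 2^92
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent (Python 3.8+)
A_PUBLIC = (N, E)
A_PRIVATE = (N, D)


def digest(message: bytes) -> int:
    """Hash the message to an 80-bit integer, which is always smaller than N."""
    return int.from_bytes(hashlib.sha256(message).digest()[:10], "big")


def sign(private_key, message: bytes) -> int:
    n, d = private_key
    return pow(digest(message), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    n, e = public_key
    return pow(signature, e, n) == digest(message)


def mac(shared_key: bytes, message: bytes) -> str:
    """Integrity check: HMAC-SHA256 under the key both partners share."""
    return hmac.new(shared_key, message, hashlib.sha256).hexdigest()


def dispute_with_mac(shared_key: bytes, message: bytes, tag: str) -> str:
    """B can recompute any tag A could have made, so a valid tag does not prove origin."""
    recomputed_by_b = mac(shared_key, message)
    if hmac.compare_digest(recomputed_by_b, tag):
        return "undecidable: tag is valid but B could have produced it"
    return "tag invalid"


def dispute_with_signature(a_public, message: bytes, signature: int) -> str:
    """Only A's private key yields a signature that verifies under A's public key."""
    if verify(a_public, message, signature):
        return "A signed this message"
    return "not A's signature"


SHARED = b"shared-secret-between-A-and-B"     # constructed
ORDER = b"PO 12345: 10 units at 12.50"        # constructed purchase order
AMENDED = b"PO 12345: 100 units at 12.50"     # B's later claim of what was ordered

if __name__ == "__main__":
    tag = mac(SHARED, ORDER)
    print(dispute_with_mac(SHARED, ORDER, tag))
    sig = sign(A_PRIVATE, ORDER)
    print(dispute_with_signature(A_PUBLIC, ORDER, sig))
    print(dispute_with_signature(A_PUBLIC, AMENDED, sig))
```

Run as a script it prints the three dispute outcomes: the HMAC case is undecidable, A's signature verifies on the order A actually signed, and it fails on the amended quantity. In practice the signature would use a padded scheme (RSA-PSS or an elliptic-curve signature) over the full hash, and the public key would be bound to A by a certificate, the role the certification authorities discussed later in this chapter play.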
120
What are Accountants’ Competitive Advantages?
Access to existing client relationships Reputation for independence and objectivity Familiarity with controls for the financial reporting system. Extensive experience in: Evaluating evidence Planning statistically sound validation processes as functions of the effectiveness of the systems of internal controls Reporting to third parties
121
E-Commerce Systems Reliability Assurance
All parties to eCommerce need server and information reliability assurances. Server reliability includes access to the needed databases and processing systems through telecommunications links and authorization. Information is accessible if an authorized user can retrieve what they need. Information reliability is when the information is both accurate and current.
122
Figure 4-6 Reliable information systems
The company's internal databases and processing systems feed its Internet/Web pages and links with information about products and inventory, prices, orders and shipping (server reliability). Users read that information and make decisions, so they need assurance of information reliability.
123
Assurance Support from the Internal Control Framework
COSO’s 1992 Internal Control Framework SAS No. 78 Internal Control Definitions Factors complicating internal control: Online, real-time access to information Decreasing time lag between events Increasing Expectations by Users of Information Accountants need to shift from detection and correction to prevention strategies.
124
Figure 4-7 Time lag in information dissemination
Data collection and entry, then information systems processing, then (after a time lag) reports to stakeholders. Assurance over the processes is necessary.
125
Elliott Report Definitions
Integrity and security assurance is concerned with “the security and integrity of networks involved in the public exchange of information.” Systems reliability assurance is concerned with “the reliability of an entity’s internal database on which an outsider might rely.”
126
Risk Assessment Assurance
Risk assessment assurance is the process of identifying, analyzing and managing risks that affect the achievement of management objectives. It involves: identification of control weaknesses; mapping weaknesses against business risks and technology risks; determining whether the risks are being reasonably mitigated.
127
Effects of E-Commerce on the Traditional Assurance Function
SAS No. 78: Defines the relationships between internal control system, assessment of risk, and audit planning procedures. Continuous process auditing either around or through the computer to determine: Data collection, transmission and storage Authentication of transaction parties Control Agents
128
Figure 4-8 AIS activities within the customer-oriented value chain.
Customer-oriented value chain: inbound purchases, production, outbound logistics, sales and marketing, service, customer. Revenue streams shown: revenue sharing, fee-based services, digital products and services.
129
Figure 4-9 Revenue generating advertising techniques
Model 1, pay for results: a site carrying a banner ad sends click-throughs to the business site; the business pays per click-through or per new purchase resulting from a click-through. Model 2, revenue sharing: a portal provides "free" ad space; if a visitor clicks through, the business is charged a fee, which is shared between the portal and the advertising site.
130
Figure 4-11 Verifying digital assets versus physical assets
Offline books (physical inventory): control is over physical assets; losses result from physical theft, and known quantities can be counted. Online books (digital): losses result from digital theft, the quantities taken are not known, and losses occur as lost revenue rather than lost assets.
131
Figure 4-12 Major concerns of consumers and business partners
Security of Data Privacy Business Policies Transaction Processing Integrity Systems Reliability
132
Third-Party Assurance
Security of data transmitted and stored Business policies over shipping, billing, payments, returns, taxes, etc. Transaction processing integrity: Orders are processed as policy states No lost orders Accurate and timely transaction and account information Privacy of data What is collected? How will it be used? Do customers have access? Is the privacy policy followed? Systems Reliability
133
Figure 4-13 E-commerce, trust and third party assurance
Based on Mayer, Davis and Schoorman's 1995 Model of Organizational Trust. Trading Partner A's factors of perceived trustworthiness (ability, benevolence, integrity), communicated with the source credibility of a third party, combine with Trading Partner B's propensity to trust to produce trust. B weighs that trust against its perceived risk: if trust exceeds perceived risk, B takes the risk in the relationship and the outcomes feed back into trust; if not, B searches for other, less risky partners.
134
When will third-party assurance contracting occur?
Will occur when: The strength of the signal can be detected The signal can turn into tangible benefits The total cost of purchasing the signal is less than the total expected direct and indirect positive outcomes.
135
Web Site Assurance Seal Options
136
Better Business Bureau Online
Private Non-Profit with a focus on voluntary self-regulation with regards to business policies, practices, advertising ethics, etc. Fee = f(number of employees) Membership = f (low customer complaints) Three seals: Reliability, Privacy, and Kid’s Privacy
137
Better Business Bureau Online
Privacy Seal involves verification that the Website posts explanations of, and protects, information collection, uses, and the choices available to the customer; agrees to an independent audit; and participates in the dispute resolution service. Kid's Privacy Seal involves verification of parental consent, warnings and explanations, and restrictions on data collection, hyperlinking and sending e-mail.
138
Web Site Assurance Seal Options: TRUSTe
Private non-profit (founded with the Electronic Frontier Foundation). Focus on privacy policies (what, why, when, the choices available to customers, the security utilized, etc.). Fee = f(revenues). Membership involves posting an easily visible privacy policy, minimizing customer complaints, and agreeing to compliance reviews. Different rules for children under 13 years.
139
Web Site Assurance Seal Options
Different rules for children under 13 years: Need prior verifiable consent from parents Cannot use prizes or raffles to entice children Cannot let children publicly post personal information Any information collected can only be used for original purpose
140
Web Site Assurance Seal Options: VeriSign
Private for-profit (RSA Data Security, Inc. spin-off). Security focus utilizing digital certificates: transmitting with encryption, and authenticating message source/destination. Three classes of certificates; Class 3 confirms business name, address, telephone numbers, domain name, and any other industry-deemed information. Note the limit of the seal: a certificate authenticates the server and protects data in transmission, but says nothing about how the data is stored once received (compare Figure 4-18).
141
Web Site Assurance Seal Options: BizRate
Private for-profit. Weekly ratings of e-businesses on 10 dimensions, monitored at point of sale and after the expected delivery date: ease of ordering, product selection and information, price, website navigation and looks, shipping and handling, on-time delivery, product representation, level and quality of customer support, and privacy policy. Provides company profiles: ordering, delivery and payment methods, special features, and whether or not VeriSign is utilized.
142
Web Site Assurance Seal Options: WebTrust
AICPA/CICA partnership. Focus on: business and information privacy and practices, transaction integrity, and information protection. Provides services for B2C transactions, online privacy, ISPs, and certification authorities. In partnership with VeriSign. CPAs must be trained and approved to offer the seal. Seal refreshed often (e.g., every 90 days or so).
143
Web Site Assurance Seal Options
Business and Information Privacy and Practices: Time frames for order fulfillment and backorder notice, delivery methods, payment terms and methods, cancellation and return procedures, full description of services, methods for information gathering and compiling, warranty and support information, and privacy policy details.
144
Web Site Assurance Seal Options
Transaction Integrity: Controls exist for order acknowledgement, accuracy, completeness, and prompt delivery; Current accurate information on prices, backorders, billing, payments, Prompt error corrections Maintenance of controls.
145
Web Site Assurance Seal Options
Information Protection: Appropriate data encryption during transmission and storage Appropriate firewall mechanisms Customer notice of uses of private information Minimal use of customer information by necessary employees only Virus prevention tactics
146
Web Site Assurance Seal Options
WebTrust Online Privacy Program (version 3.0): Reviews collection, storage and dissemination of customer information. Checks compliance with stated privacy policy Checks controls over privacy Checks the control environment Checks for monitoring for compliance with stated privacy procedures.
147
AICPA’s privacy criteria for WebTrust
Disclosures Kinds and sources of information collected/maintained Distribution to third parties Opportunities and consequences of Opting Out/In Methods to review, correct, and/or remove private information Use of cookies or other tracking methods Company contact information and methods Compliance with applicable laws, regulations or self-regulations Dispute resolution processes Methods to communicate changes in practices
148
AICPA’s privacy criteria for WebTrust
Policies, Goals, and Objectives Notice Choice Access Security Enforcement and consumer recourse Employee buy-in and monitoring Accountability for privacy policy has been assigned Adequate security of programs and data during backup, offsite storage and restoration processes Compliance with documented privacy objectives, policies, and standards
149
AICPA’s privacy criteria for WebTrust
Security Procedures related to Privacy Establish new users and authenticate authorized users, both internal and external. Maintain accurate and complete user information and to allow users to change, update, or delete contents Procedures to limit remote access to internal network Encryption capabilities for sensitive/private data, transmitted and stored Private information is not disclosed to non-essential third parties unless customers are notified prior, and the third party privacy policies are consistent. Customer permission is obtained before any data is stored, altered or copied to the customer’s computer Procedures to inform and allow choice from customers of changes in privacy policies
150
AICPA’s privacy criteria for WebTrust
Monitoring/Performance Procedures and Measures Maintenance of security procedures for all e-Commerce systems. Maintenance of privacy policy disclosures with respect to current laws and regulations. Updates and tests of the security incident policies whenever there are technology changes, network structure changes, or new information. Effective monitoring and follow-up on all security breaches.
151
Web Site Assurance Seal Options
WebTrust Seal for Internet Service Providers: ongoing Web server and related technology configuration and maintenance; appropriate tailoring of the ISP's proprietary order-taking and fulfillment software; Web server acquisition, configuration, and implementation; telecommunications security; Internet firewall configuration, maintenance, and monitoring; Web hosting.
152
Web Site Assurance Seal Options
WebTrust Seal for Certification Authorities: Business practices disclosure with regards to its key and certificate life-cycle management business and information privacy practices Service integrity maintenance that subscriber information is properly authenticated and integrity of keys/certificates is maintained Environmental Controls on data shared with related parties, and systems development, maintenance and operation.
153
Assurance Report contains the following paragraphs:
Scope of engagement Responsibility for disclosures, controls and opinion rendered Compliance with attestation standards Disclaimer for non-detected fraud or errors Opinion Meaning of the WebTrust seal Disclaimer for quality of corporation’s goods or services.
154
Web Site Assurance Seal Options: SysTrust
AICPA/CICA partnership. Focus on business-to-business trading relationships. A reliable system is "one that is capable of operating without material error, fault, or failure during a specified period in a specified environment." Principles: availability, security, integrity, and maintainability.
155
Figure 4-18 Comparison of Seals
Seals compared on cost, privacy, security, business policy and transaction integrity:
BBB Online: low cost; privacy lightly covered; business policy: yes.
TRUSTe: low cost; privacy: yes.
BizRate: very low cost; privacy low-to-medium; business policy: yes; transaction integrity: yes.
VeriSign: security: yes on transmission, no on storage; other dimensions lightly covered.
WebTrust: high cost; privacy, security, business policy and transaction integrity: yes.
SysTrust: high cost; privacy, security, business policy and transaction integrity: yes.
156
Implications for the Accounting Profession
Accountants need more expertise in: business processes; transaction processing integrity; information protection; supporting internal controls. New skills are needed for: E-Commerce technology; new assurance functions (continuous assurance, systems reliability, risk identification, impact analysis, website assurance); auditing through the computer; provision of e-Commerce business solutions; maintaining their roles as independent, trusted third parties.
157
Implications for the Accounting Profession
New knowledge is needed about: Programming and Operating systems Networks and Authentication Firewalls and other security Certified Information Technology Professional (CITP) Designation by the AICPA Business expertise in relevant areas Life-long learning in relevant areas Examination New Consulting and International Services International taxation and regulation Alignment of business and e-Commerce strategies Integration of internal systems with e-Commerce systems Performing outsourced transaction processing Providing certification authority services
159
Chapter 5 The Regulatory Environment
160
The Regulatory Environment
Principal Players on the Internet Primary International and Legal Issues Cryptography Issues Privacy Issues Web Linking Internet Sales Tax Electronic Agreements and Digital Signatures Spam Mail Online Auctions and Content Filtering Implications for the Accounting Profession
161
Three Types of Internet Users
Regulators Businesses Private Citizens
162
Primary Regulation Issues
Encryption Privacy Inappropriate web linking Domain name disputes Tax policies Electronic agreements Content responsibility of online auctions Which jurisdiction applies?
163
Cryptography Cryptography is a mathematical transformation of readable messages (plaintext) into an unreadable form (ciphertext). Encryption is the encoding; decryption is the decoding. Key length (size) determines how hard it is to recover the plaintext by trying every key, provided the algorithm itself has no shortcut: each added bit doubles the work of a brute-force search.
164
Cryptography Regulatory Issues:
Domestic use, importation and exportation rules. Rules differ by country; the US is "looser" than China, Belarus, Kazakhstan and Pakistan. Use of encryption by criminals, terrorists, and money launderers. Ability of law enforcement to obtain decrypted forms of encrypted messages, either through a key recovery or a key escrow system.
165
Cryptography Key escrow systems involve a central repository that holds copies of all encryption keys. Key recovery systems have some mechanism that gives authorized law enforcement agencies the ability to recover and use a key (e.g., a trusted third party). Issues: How will sufficient controls be created and maintained to protect citizens from law enforcement abuse of authority? How is it possible to enforce internationally? INTERPOL prefers a key recovery system.
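The first issue on the slide, keeping any single party from recovering a citizen's key on its own, has an arithmetic answer as well as a procedural one: split the escrowed key so that recovery needs several agents to cooperate. The following added example (not from the textbook) splits a 128-bit session key into three shares with Shamir secret sharing, recovers it from any two, and shows that one share alone is consistent with every possible key, so a single escrow agent learns nothing. The three agents (two agencies and a court), the message, and the toy SHA-256 counter-mode cipher used to show the recovered key in action are assumptions for the demonstration; the cipher is not a production algorithm.

```python
"""Split-key escrow with a 2-of-3 threshold (added example, not textbook code).

The session key is the constant term of a random degree-1 polynomial over
GF(PRIME). Each escrow agent holds one point on the line; two points fix
the line and hence the key; one point is consistent with every key.
"""
import hashlib
import secrets

PRIME = 2**521 - 1          # Mersenne prime; every 128-bit key lies below it
THRESHOLD, SHARES = 2, 3    # any 2 of the 3 escrow agents can recover


def split_key(key: int, threshold: int = THRESHOLD, shares: int = SHARES):
    """Return (x, f(x)) for x = 1..shares, where f has constant term `key`."""
    coeffs = [key] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]

    def f(x):
        return sum(c * pow(x, i, PRIME) for i, c in enumerate(coeffs)) % PRIME

    return [(x, f(x)) for x in range(1, shares + 1)]


def recover_key(shares) -> int:
    """Lagrange interpolation at x = 0 over GF(PRIME)."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def share_is_consistent_with(share, candidate_key: int) -> bool:
    """Threshold 2: is there a line through (0, candidate_key) and this share?
    There always is, which is why one escrow agent cannot narrow down the key."""
    x, y = share
    slope = (y - candidate_key) * pow(x, PRIME - 2, PRIME) % PRIME
    return (candidate_key + slope * x) % PRIME == y


def toy_encrypt(key: int, data: bytes) -> bytes:
    """XOR with a SHA-256 counter keystream (decrypt == encrypt). Toy cipher only."""
    key_bytes = key.to_bytes(16, "big")
    out = bytearray()
    for offset in range(0, len(data), 32):
        stream = hashlib.sha256(key_bytes + offset.to_bytes(4, "big")).digest()
        out.extend(b ^ s for b, s in zip(data[offset:offset + 32], stream))
    return bytes(out)


def escrow_demo() -> dict:
    """Walk through escrow, lawful two-party recovery, and the one-share case."""
    session_key = secrets.randbits(128)
    message = b"wire 25,000 to account 1234"          # constructed
    ciphertext = toy_encrypt(session_key, message)
    agency_1, agency_2, court = split_key(session_key)  # assumed escrow agents
    recovered = recover_key([agency_1, court])          # two agents cooperate
    wrong_key = (session_key + 1) % 2**128
    return {
        "two_shares_recover": recovered == session_key,
        "recovered_key_decrypts": toy_encrypt(recovered, ciphertext) == message,
        "one_share_fits_wrong_key": share_is_consistent_with(agency_2, wrong_key),
        "one_share_fits_right_key": share_is_consistent_with(agency_2, session_key),
    }


if __name__ == "__main__":
    for check, result in escrow_demo().items():
        print(f"{check}: {result}")
```

All four checks print True: the key is recoverable by any two agents, the recovered key decrypts the traffic, and a single share fits the wrong key exactly as well as the right one. The threshold and agent list are policy choices; raising the threshold to three of three (or three of five) is a one-line change, which is where the slide's question about controls turns into a concrete design decision.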
166
Privacy of Private Citizens
Information Privacy: the right to have one’s personal or business data be kept confidential. Privacy Groups: Center for Democracy and Technology Electronic Frontier Foundation Electronic Privacy Information Center Privacy International Privacy Rights Clearinghouse Online Privacy Alliance
167
Figure 5-1 Percentage of US sites that post privacy policies and link to them from home pages (source: FTC, 2000)
Post a privacy policy: random sample 62%, most popular sites 97%. Link the privacy policy from the home page: random sample 76%, most popular sites 94%.
168
Privacy of Private Citizens
Federal Trade Commission (FTC) Five Core Principles of Privacy Protection: Notice Choice Access Integrity and Security Enforcement Regulatory Issues: Self-regulation or government regulation? If government regulation, which one? Differences exist between countries, US “looser” than European Union How do we protect children’s privacy?
169
Figure 5-2 Percentage of US sites that collect personally identifiable information and utilize the FTC principles (source: FTC, 2000; random sample / most popular sites)
Notice: 55% / 89%. Choice: 50% / 67%. Access: 43% / 83%. Security: 74% (most popular sites). All four to some extent: 20% / 42%.
170
Figure 5-3 Percentage of US sites that collect personally identifiable information and implement choice options (source: FTC, 2000)
Random sample (detail of the 50% who offer choice): opt-in 25%, opt-out 71%, unclear 4%. Most popular sites (detail of the 67% who offer choice): 75%, 16%, 9%.
171
Privacy and Security From the FTC’s 2000 study:
Only 39% of the random sample (54% of the most popular sites) take steps to provide security during transmission. Only 29% of the random sample (48% of the most popular sites) take steps to provide security after receipt. Only 8% of the random sample (45% of the most popular sites) display some sort of privacy seal from an independent third party.
172
Children’s Privacy Regulation
FTC's 1998 study found that 89% of children's sites were collecting private information on children: e-mail and postal addresses; telephone numbers and Social Security numbers; age, date of birth, and gender; education; interests and hobbies. Enticements such as prizes, raffles or contests are used often.
173
Children’s Privacy Regulation
Children's Online Privacy Protection Act (COPPA; enacted 1998, effective 2000). Websites directed towards children must: post their privacy policies; get parental consent before collecting, using or disclosing personal information about a child; get new consent when privacy policies change in a material way; allow parents to review the personal information collected; allow parents to revoke their consent and delete their child's information.
174
Adults’ Privacy Rights and the EU’s Directive
The European Union Data Protection Directive (95/46/EC, in force since 1998) states that personal data on the Internet must be: collected only for a specified purpose; processed fairly and lawfully; kept accurate and current; destroyed after the stated purpose is fulfilled. Users have the right to access their information for correction, erasure or blocking, to choose to opt in or out, to oppose automated decisions, and to have judicial remedy and compensation.
175
EU Privacy Directive Affects US Companies doing Business with the EU
EU citizens have greater privacy rights than US citizens US and the EU developed a “safe harbor” for US businesses in 2000: Notice Choice Transfers to third parties Access Security Data integrity Enforcement
176
More on Privacy: Past and Current Events
Toysmart.com selling its customer list. More.com passing customers' prescription information to HealthCentral. Carnivore: the FBI's Internet packet-sniffing system; the FBI's dispute with EarthLink over installing it exposed a high level of citizen monitoring.
177
Web-Linking Legal problems occur when:
Inappropriately referencing a linked site Not referencing the site from which you copied information to your site Displaying another site’s information without the original advertisements Unauthorized use of trademarks in metatags Unauthorized display of registered trademarks
178
Web-Linking and Defamation
Defamation occurs when an individual makes a false statement about another individual or business that is damaging to their reputation. The issue: whose rights prevail? The right to free speech? The right to be safe from harassment? It’s not black and white: Can opinions be separated from facts?
179
Web linking without Proper Referencing
Framing: displaying another site's pages inside your own site's frame, without carrying the original site's advertisements. The TotalNews case alleged copyright and trademark infringement, unfair competition, and wrongful interference.
180
Web linking using Metatags
Corporations attempt to increase the visits to their sites by putting well-recognized and often-queried trademarks in the HTML metatags that are labeled as keywords for search engines. Trademarks include words, names, symbols, logos, and graphical designs. Federally registered trademarks bear an ®
181
Trademark Infringement
Infringement requires both: (1) the trademark is displayed on the website without explicit permission from the owner of the trademark; and (2) the display either causes a likelihood of confusion (similarity to something else, malicious intent, actual evidence of confusion) or tarnishes the value of the trademark (association with inferior quality, alteration of the trademark, or use of the trademark in an attack).
182
Linking to Illegal Files
Downloading of copyrighted materials, such as music, increases your risks of litigation: Napster cases MP3.com cases
183
Domain Name Disputes Top level domains (e.g., .com, .org)
Internet Corporation for Assigned Names and Numbers (ICANN): nonprofit organization. Many domain name registrars, such as Network Solutions, Inc. 1999 Anticybersquatting Consumer Protection Act: does not allow domain names that are established trademarks to be held hostage or used by others; does not allow similar or identical trademarks to share a domain name; changed domain name assignment from "first come, first served" to "who used the name for business purposes first".
184
Internet Sales Taxes It is an interstate taxation problem: which jurisdiction applies? There are over 30,000 tax jurisdictions in the US alone. 1998 Internet Tax Freedom Act: no state or local sales taxes on the provision or use of Internet services. The moratorium does not apply if the buyer and seller are in the same state and the seller has a corporate presence there (if there is no corporate presence, a use tax applies instead). A federal sales tax may be the only solution to this problem in the future.
185
International Tax Issues
Different countries have different opinions and tax systems: European Union prefers a value-added tax, but still has to resolve different rates in different countries within the EU. China prefers sales taxes on Internet transactions. Corporate Presence: Differing definitions between countries. Global infrastructures: what if company building is in one country, and web server is in another? Organization for Economic Cooperation and Development (OECD) is working on a global definition of physical presence
186
Electronic Agreements and Digital Signatures
The American Bar Association (ABA) details important aspects of digital signatures: signature and document authentication; affirmative act; efficiency. 2000 Electronic Signatures Act (E-Sign): allows, but does not require, electronic signatures for interstate and international contracts. The electronic record must accurately reflect the information in the written document and remain accessible to all parties. Excluded: wills, trusts, family matters such as divorce, transportation of hazardous materials, product recalls, and cancellation of insurance.
187
1999 Uniform Electronic Transactions Act (UETA)
National Conference of Commissioners on Uniform State Laws (NCCUSL) 22 states have adopted this attempt at a common standard, similar to E-Sign Provides standards for electronic contract acceptance, accuracy and integrity, enforcement, and electronic agents.
188
1999 Uniform Computer Information Transactions Act (UCITA)
National Conference of Commissioners on Uniform State Laws (NCCUSL) 2 states have adopted this attempt at a common business transactions standard Clarifies the UCC law in terms of computer information transactions Makes the law uniform among various jurisdictions
189
International Digital Signature Environment
Many countries have passed digital signature laws: Argentina, Australia, Austria, Canada, Colombia, Estonia, the European Union, Finland, Germany, Hong Kong, Ireland, Japan, Malaysia, the Philippines, Singapore, Switzerland. Many more are currently in process.
190
SPAM E-mails Spam mail is the mass sending of unsolicited advertisements. E-mail addresses may be purchased as lists or harvested from the Web by intelligent agents. The cost of sending spam is very low; the cost to recipients, in time and in network load, is high.
191
Online Auctions and Content Filtering
What does an e-marketplace do when found to be supporting “unethical” transactions? Filter (censor) incoming packets Filter (censor) outgoing packets depending on the recipient (IP information such as country code) Who should determine the limits? Web site owners? Web site users? Government regulation?
192
Implications for the Accounting Profession
Expansion of legal skill sets, resources and services are warranted from: Increased liability exposures Taxation, Privacy, Intellectual property, Cryptography, Digital signatures, Acceptable business practices New liability exposures More complex risk assessments Changing legal and regulatory environments Increased opportunities for new services: Consulting in system design Certificate authority role in society
194
Chapter 6 EDI, Electronic Commerce, And the Internet
195
EDI, Electronic Commerce and the Internet
Traditional EDI Systems Value Added Networks (VANs) Financial EDI EDI Systems and the Internet XML and XBRL for Web-Based EDI Implications for the Accounting Profession
196
What is EDI? EDI refers to the exchange of electronic business documents between applications. EDI characteristics: identified trading partners; expensive initial investments; a dedicated leased line or use of a Value Added Network; standard, inflexible data formats (US standard: ANSI ASC X12; UN standard: UN/EDIFACT); batch connectivity; low transaction costs.
197
EDI Growth During the 1990’s, EDI use grew 30% each year
Currently growing at 15% per year 1999 total EDI transaction value $3 trillion Estimated 2003 value $4 trillion
198
Buying Company – NON-EDI - Selling Company
Buying company: 1) Identify need (purchase requisition); 2) Research vendors (vendor file); 3) Select vendor; 4) Place order (purchase order); 7) Receive inventory (verify accuracy); 9) Receive invoice; 10) Prepare check and remittance advice; 11) Mail check and remittance advice.
Selling company: 5) Receive purchase order, prepare sales order, check credit, and check inventory; 6) Pick and ship inventory (shipping notification, bill of lading); 8) Prepare and send invoice; 12) Receive payment, prepare deposit and update records.
199
Buying Company Partial EDI Selling Company
The same twelve steps as the non-EDI flow, with the buying company performing steps 1-4, 7, 9-11 and the selling company steps 5, 6, 8 and 12; the figure marks the purchase-order and invoice exchanges between the two companies as the EDI link, while the remaining documents still move on paper.
200
Buying Company FULL EDI Selling Company
The same twelve steps, with the buying company performing steps 1-4, 7, 9-11 and the selling company steps 5, 6, 8 and 12; every document exchanged between the two companies (purchase order, shipping notification, invoice, and payment with remittance advice) is carried by EDI.
201
What are VANs? Value Added Networks (VANs)
Third-party network services EDI translation software Security assurances Independent audit trails Reliable transmission (redundant systems) EDI systems development assistance Employee training Exact, explicit contracts with trading partners Authorized data sharing
202
Figure 6-5 ANSI ASC X12 translation
Company X’s purchase order goes through outbound translation into ASC X12 format; the receiving companies (Company Y, Company Z, ...) run inbound translation to turn it into a sales order in their own application format.

Figure 6-6 ANSI ASC X12 formatting
- Interchange Control Header – electronic envelope
- Functional Group Header – type of document
- Transaction Set Header – specific document
- Data Segment Header – fields identified
- Data Elements – contents of field
- Data Segment Footer – end of fields
- Transaction Set Footer – end of document
- Functional Group Footer – end of document set
- Interchange Control Footer – close the envelope
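Reading these headers and footers the way a receiving application or a VAN does, here is an added envelope-consistency check in Python. It is not code from the book: the interchange it parses is constructed, while the segment ids (ISA/IEA, GS/GE, ST/SE) and the rule that each footer must echo its header’s control number and state a correct count are those of the X12 standard itself.

```python
"""Envelope-consistency check for an ANSI ASC X12 interchange (Figure 6-6).
Added example, not the book's code; segment ids and the control-number and
count rules are those of the X12 standard, the 850 purchase order below is
constructed."""

def parse_segments(raw, seg_term="~"):
    """Split an interchange into segments (lists of elements).  The element
    separator is by definition the character right after 'ISA'."""
    if not raw.startswith("ISA"):
        raise ValueError("interchange must begin with an ISA segment")
    elem_sep = raw[3]
    segments = [s.strip() for s in raw.split(seg_term) if s.strip()]
    return [s.split(elem_sep) for s in segments]

def _el(seg, i):  # element i of a segment, or '' when the segment is short
    return seg[i] if i < len(seg) else ""

def _count(text):  # X12 counts are numeric strings; anything else never matches
    return int(text) if text.isdigit() else -1

def validate_envelope(raw, seg_term="~"):
    """Return the envelope errors found; [] means every header is closed by
    its footer and all control numbers and counts agree."""
    errors = []
    isa = gs = st = None
    groups = sets = segs = 0      # GS per ISA, ST per GS, segments per ST
    for seg in parse_segments(raw, seg_term):
        sid = seg[0]
        if sid == "ISA":
            isa, groups = seg, 0
        elif sid == "GS":
            if gs is not None:
                errors.append("GS without a preceding GE")
            gs, sets = seg, 0
            groups += 1
        elif sid == "ST":
            if st is not None:
                errors.append("ST without a preceding SE")
            st, segs = seg, 1         # the ST itself is counted
            sets += 1
        elif sid == "SE":
            segs += 1                 # and so is the SE
            if st is None:
                errors.append("SE without ST")
                continue
            if _el(seg, 2) != _el(st, 2):
                errors.append(f"SE02 {_el(seg, 2)} does not match ST02 {_el(st, 2)}")
            if _count(_el(seg, 1)) != segs:
                errors.append(f"SE01 claims {_el(seg, 1)} segments, counted {segs}")
            st = None
        elif sid == "GE":
            if gs is None:
                errors.append("GE without GS")
                continue
            if _count(_el(seg, 1)) != sets:
                errors.append(f"GE01 claims {_el(seg, 1)} transaction sets, counted {sets}")
            if _el(seg, 2) != _el(gs, 6):
                errors.append(f"GE02 {_el(seg, 2)} does not match GS06 {_el(gs, 6)}")
            gs = None
        elif sid == "IEA":
            if isa is None:
                errors.append("IEA without ISA")
                continue
            if _count(_el(seg, 1)) != groups:
                errors.append(f"IEA01 claims {_el(seg, 1)} groups, counted {groups}")
            if _el(seg, 2) != _el(isa, 13):
                errors.append(f"IEA02 {_el(seg, 2)} does not match ISA13 {_el(isa, 13)}")
            isa = None
        else:                         # ordinary data segment
            if st is None:
                errors.append(f"data segment {sid} outside any transaction set")
            segs += 1
    for name, env in (("ISA", isa), ("GS", gs), ("ST", st)):
        if env is not None:
            errors.append(f"{name} never closed")
    return errors

# Constructed sample: one interchange, one functional group, one 850 PO.
SAMPLE_ISA = "*".join([
    "ISA", "00", " " * 10, "00", " " * 10,
    "ZZ", "SENDERID".ljust(15), "ZZ", "RECEIVERID".ljust(15),
    "210101", "1200", "U", "00401", "000000001", "0", "T", ":",
])
SAMPLE_INTERCHANGE = "~".join([
    SAMPLE_ISA,
    "GS*PO*SENDERID*RECEIVERID*20210101*1200*1*X*004010",
    "ST*850*0001",
    "BEG*00*NE*PO-1001**20210101",
    "PO1*1*10*EA*4.95**VP*WIDGET-7",
    "CTT*1",
    "SE*5*0001",                      # ST + BEG + PO1 + CTT + SE
    "GE*1*1",
    "IEA*1*000000001",
]) + "~"

# A segment lost in transit makes SE01 disagree with what was received.
DAMAGED_INTERCHANGE = SAMPLE_INTERCHANGE.replace("PO1*1*10*EA*4.95**VP*WIDGET-7~", "")
```

validate_envelope(SAMPLE_INTERCHANGE) returns an empty list, while the damaged copy reports the segment-count mismatch; a mismatched IEA02 control number is reported the same way.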
EDI in practice
FACNET – Federal Acquisition Computer Network
- Better information with fewer resources consumed
- More contracting opportunities with customers
- Taxpayers realize greater return
AVNET – Aviation Network Project
- Increased productivity with eliminated steps
- Better information and cash management
- Improved trust and relationship with partners
Lessons learned:
- Top management support is essential
- Quality application development
- Strong audit and control procedures
- Industry standards

Figure 6-7 Department of Defense sample transaction sets
Transaction sets exchanged with the trading partner (ASC X12 set numbers in parentheses):
- Request for Quotation (840)
- Response to RFQ (843)
- Purchase Order (850)
- PO Acknowledgment (855)
- PO Change (860)
- PO Change Acknowledgment (865)
- Contract Award (838)
- Project Cost Reporting (839)
- Order Status Inquiry (869)
- Order Status Report (870)
- Shipping Schedule (862)
- Shipping Notice (858)
- Receiving Advice (861)
- Material Safety Data Sheet (848)
- Invoice (810)
- Payment Order (820)

What are the Advantages of EDI?
- Lower processing costs
- Tighter relationships between suppliers and customers
- Lowered error rates
- Decreased lead and cycle times
- Decreased inventory shortages and problems
- Increased product differentiation
- Better information for all trading partners

What is Financial EDI?
Financial EDI is the electronic exchange of payments, payment-related information, or financially related documents in standard formats between established business partners.
- Automated Clearing House (ACH) network between financial institutions for electronic payments
- Large cost savings over paper checks
- Faster access to funds (loss of float for payor)

Figure 6-8 Trends and Statistics about Financial EDI
During the 1990s:
- ACH payments increased from $1.5 to $6.25 billion
- Debit card payments from $188 million to almost $7 billion
- Direct deposit of payroll increased from 10% to 56%, with more than $3 billion direct deposits made in 1999
- Almost $2 billion consumer bills were electronic payments, saving consumers $600 million in postage
- The federal government made 96% of payroll payments and 76% of social security payments by direct deposit
- The federal government’s electronic federal tax payment system has more than 3 million businesses enrolled, collecting more than $1.3 trillion in 1999
- 90% of all dollars that move through payment systems do so electronically

Figure 6-9 The ACH network
Payor (Originator) → Originator’s Financial Institution → Automated Clearing House → Receiver’s Financial Institution → Payee (Receiver). The payor supplies the transaction data (amount and remittance advice) and the authorization to transfer funds electronically; the forwarded transaction data and the funds-available statement reach the payee through the ACH and the receiver’s financial institution.

EDI Systems and the Internet
Utilizing the Internet (involving browsers and a markup language, e.g., HTML) for electronic transactions:
- Much lower initial investment costs
- More connectivity: greater sharing and tracking of data
- Allows for new partners
- More flexibility with XML
- Creates serious security concerns
  - Risk of loss of packets or sniffed packets
  - Loss of third-party audit trails and authentication
- Electronic Data Interchange – Internet Integration (EDIINT) is currently defining standards for encryption and digital certificates

Figure 6-10 Comparison of EDI systems
Plotted against two axes, sharing of data and connectivity, from low to high: Non-EDI systems, Fully Integrated EDI, Partially Web-based, Full Web-EDI with Intelligent Agents.

EDI-Web Browser Translation Software
- Many VANs providing services
- Low cost example: Harbinger’s Express
XML is eXtensible Markup Language. It:
- Provides a universal data format
- Allows data objects to be serialized into text streams
- Is easy to parse, so it can be used to pass data between processes
- Allows for custom tags, which can be passed easily over a variety of network protocols
- Has companion standards to support browser presentation, hyperlinks, and querying
Source: Jonathon Rich, Cambridge Technology Partners, June 1999

Figure 6-11 Web-Based EDI translation and VANs
- Small business with a web browser: selects forms; data is sent and received as web-browser forms
- VAN: library of web-based forms with two-way EDI translation capabilities; ability to customize forms and applications
- Large business using EDI: data is sent and received as ASC X12

Standardized Document Type Definitions (DTDs)
- Xschema – from the W3C for vertical industries
- adXML – to automate the online advertising market
- AIML – astronomical instrument markup language used by NASA
- cmdXML – for construction and manufacturing distribution data exchange
- RIXML – Research Information Exchange Markup Language for financial services firms

Figure 6-12 Characteristics and benefits of XML/EDI
XML brings:
- Tagging standard
- A standard frame to exchange data of different natures
- Logging + archiving
- Linking + reference
- Multimedia
- World Wide Web
- Authoring tools
EDI brings:
- Business language
- Script attachment
- Transaction validation
- Trading partner profiles
- Search techniques
- Acknowledgements
- Application APIs
- Transaction expertise
XML + EDI = XML/EDI: business processes, so the information, be it transaction data, can be used to improve each business’ competitive advantage.

XBRL and EDI
XBRL is eXtensible Business Reporting Language
- Based on XML
- Goal is to provide a standard for the exchange of financial information, such as annual and quarterly financial statements, general ledger information and audit schedules
- For highly aggregated data
- Currently being tested by 6 global Fortune 1000 firms

XBRL and EDI
- XBRL specification: definition, taxonomies, and how to build XBRL instance documents
- XBRL schema: the physical XSL and DTD files that express how instance documents and taxonomies are to be built
- XBRL taxonomy: the vocabulary or dictionary created by a group
- XBRL instance document: a business report prepared to the XBRL specification

Elements of Insight.com’s Web/EDI solution
- Real-time EDI inventory links with suppliers
- Integrated delivery links with FedEx
- Web-based sales

Figure 6-14 Insight’s Web-based ordering system (Internet-EDI illustration)
Home shoppers and business shoppers use the site for price quotes, item searches, credit card payments, account history, and tracing shipments. Order data feeds Insight’s computer inventory system and customer database, which exchanges inventory data with the suppliers’ inventory database: 94% of all sales are drop-shipped goods, while Insight’s own warehouse handles 6% of all shipments. Shipping data goes to Insight’s shipper, FedEx.

Implications for the Accounting Profession
EDI/Internet solutions increase the demand for accountants to know:
- How the audit has become more complex
- The risks surrounding Internet business processes
- Reliance on data from the Value Added Network
- Trading partners’ data integrity and system reliability
- Encryption of data
- Authentication of trading partners
- Digital signatures and nonrepudiation
- Firewalls
Chapter 7 Risks of Insecure Systems

Chapter outline:
- Overview of Internet Transaction Risks
- Internet and Intranet Risks
- Risks from Transferring Data Between Business Partners
- Risks from Confidentially Maintained Archival, Master, or Reference File Data
- Viruses and Malicious Code Overflows
- Implications for the Accounting Profession

The Paradox
- Open systems and personalization
- Privacy and security

It’s a risk-filled environment!
The figure shows the Internet joining real businesses and real customers with false businesses and false customers, unauthorized ears (the listening perpetrators), and actions by the active perpetrator.
What is risk?
Risk is defined as the possibility of loss of confidential data or the destruction, generation, or use of data or programs that physically, mentally, or financially harm another party, and may harm the hardware as well.
A threat is defined as anyone or anything, internal or external, foreign or domestic, state-sponsored or acting independently, with the capability, technology, opportunity, and intent to do harm.

2000 CSI/FBI study results
For frequent attacks:
- 59% report the Internet as the source
- 38% report internal systems as the source
- External attacks are increasing
- External hackers are looking to:
  - Probe internal systems
  - Compromise trade secrets, documents, and messages
  - Introduce viruses
- Average loss is approximately $1 million

2000 CSI/FBI study results: security technologies used (% of firms)
- Anti-virus software: 100%
- Access control: 92%
- Physical security: 90%
- Firewalls: 78%
- Encrypted files: 62%
- Reusable passwords: 54%
- Encrypted login: (percentage not preserved in the extraction)
- Intrusion detection: 50%
- PCMCIA: 39%
- Digital IDs: 36%
- Biometrics: 8%

2000 CSI/FBI study results: computer crimes, number of firms reporting, and average costs for 2000
Computer crime                   | # firms reporting | Average cost
Active wiretapping               | 1   | $5,000,000
Theft of proprietary information | 22  | $1,136,409
Unauthorized insider access      | 20  | $1,000,050
Financial fraud                  | 34  | $617,661
Sabotage of data or networks     | 28  | $535,750
System penetration by outsider   | 29  | $172,448
Insider abuse of Internet access | 91  | $164,837
Telecom fraud                    | 19  | $157,947
Denial of service attack         | 46  | $108,717
Virus                            | 162 | $61,729
Telecom eavesdropping            | 15  | $33,346
Laptop theft                     | 174 | $6,899

What are the risks to online customers?
- Malicious web sites to steal IDs and credit card information
- Man-in-the-middle attacks to steal information or spy on / steal files from the PC
- Hacking into customer data stored on the seller’s or ISP’s web server
- Cookies used for more than personalization
  - Personalization has the benefits of decreasing search time and eliminating personal data re-entry
  - Beware of party line businesses (DoubleClick)

Cookies (figure)
On the initial visit, the web site visited (host) assigns a cookie ID that is stored in cookie.txt on the machine of the user surfing the web (client). On subsequent visits a party line such as DoubleClick reads that cookie and retrieves your data from all their associated sites.

What are the risks to online selling agents?
- Customer impersonation
- False ordering techniques
- Denial of service attacks
- Distributed denial of service attacks
- Data theft: 24% reported to CSI/FBI losses of proprietary information, at an average cost of $1 million

Denial of Service: “SYN-ACK” attacks
- Step 1: the sender(s) send SYN messages to the target of the attack
- Step 2: the target replies with SYN/ACK; its ports are half-opened and its memory buffers are filled
- Step 3: the ACK packet that would complete the handshake is not sent, so the ports cannot be used until the session request times out
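The three steps above describe what the target sees; as an added example (not from the book) the following Python monitor applies them, on the target’s side, to a constructed connection trace and reports which clients are holding many half-open sessions. The one-packet-per-line trace format, the sample addresses and the 30-second timeout are assumptions of this example.

```python
"""Half-open connection monitor for the SYN-ACK attack above (steps 1-3).

Added example, not the book's code.  Trace lines are a constructed
one-packet-per-line summary: time, source, destination, TCP flags
(S = SYN, SA = SYN/ACK, A = ACK); a real capture would be parsed into the
same shape before being fed to half_open_connections().
"""
import re
from collections import defaultdict

_LINE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s+"
    r"(?P<flags>SA|S|A)$"
)


def parse_packet(line):
    """One trace line -> (ts, src, sport, dst, dport, flags)."""
    m = _LINE.match(line.strip())
    if m is None:
        raise ValueError(f"unparseable trace line: {line!r}")
    g = m.groupdict()
    return (float(g["ts"]), g["src"], int(g["sport"]),
            g["dst"], int(g["dport"]), g["flags"])


def half_open_connections(lines, now, timeout=30.0):
    """{client_ip: half-open connections it holds at time `now`}.

    A connection is half-open from the client's SYN (step 1) until the
    client's ACK completes the handshake (step 3) or the target's session
    request times out; the SYN/ACK (step 2) leaves the client-side state alone.
    """
    pending = {}  # (client, cport, server, sport) -> time of the SYN
    for line in lines:
        ts, src, sport, dst, dport, flags = parse_packet(line)
        key = (src, sport, dst, dport)
        if flags == "S":
            pending[key] = ts
        elif flags == "A":
            pending.pop(key, None)       # handshake completed
    counts = defaultdict(int)
    for (client, _, _, _), syn_ts in pending.items():
        if 0 <= now - syn_ts < timeout:  # still occupying a slot on the target
            counts[client] += 1
    return dict(counts)


def syn_flood_sources(lines, now, threshold=10, timeout=30.0):
    """Clients holding at least `threshold` half-open connections, worst first."""
    counts = half_open_connections(lines, now, timeout)
    return sorted(((ip, n) for ip, n in counts.items() if n >= threshold),
                  key=lambda pair: (-pair[1], pair[0]))


# Constructed trace: web server 192.0.2.10 is the target of the attack.
SAMPLE_TRACE = [
    "0.50 10.0.0.9:51000 -> 192.0.2.10:80 S",    # never completed, long timed out
    "0.51 192.0.2.10:80 -> 10.0.0.9:51000 SA",
    "35.00 10.0.0.5:40001 -> 192.0.2.10:80 S",   # ordinary client, full handshake
    "35.01 192.0.2.10:80 -> 10.0.0.5:40001 SA",
    "35.02 10.0.0.5:40001 -> 192.0.2.10:80 A",
]
for _i in range(25):                             # flood: 25 SYNs, no final ACK
    SAMPLE_TRACE.append(f"{36 + _i * 0.01:.2f} 198.51.100.7:{40000 + _i} -> 192.0.2.10:80 S")
    SAMPLE_TRACE.append(f"{36.001 + _i * 0.01:.3f} 192.0.2.10:80 -> 198.51.100.7:{40000 + _i} SA")
```

At now = 40.0 the client that completed its handshake and the entry that already timed out are both ignored, and only 198.51.100.7 with 25 half-open sessions is reported.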
Intranet-Associated Risks – part 1
- Maintenance and security are difficult: USPS has 35,000 locations with 10,000 networks and 800,000 employees
- 25% of firms report incidents to the authorities
  - 52% cite fear of negative publicity and don’t report
  - 39% cite fear that a competitor would exploit the information about the incident if they reported
- Sabotage by former employees: 81% believe this type of attack is likely
- Threats from current employees: 71% experienced unauthorized accesses
- Internal control systems are easy on top managers
- Negligent hiring is the cause of most risk: do background checks and credit checks

Figure 7-6 Internal controls, override capability, and organizational hierarchy
Moving up the hierarchy from operational-level employees through middle-level managers to top-level managers, the number of control mechanisms falls while the ability to override controls rises.

Intranet-Associated Risks – part 2
- Sniffers
  - Can be downloaded for free
  - Virtual private networks (VPNs) are at risk if a session key has been obtained
  - 38% of B2C and 56% of B2B utilize VPNs
- Financial fraud
- Downloading of data
  - Unauthorized access and copying of data can be reduced through user access control tables
- Spoofing: posing as another valid intranet user
- Social engineering: posing as a valid intranet IT staff person

What are Extranets?
Extranets are group networks that connect business partners with the following traits:
- Higher levels of data sharing
- That cross corporate boundaries
- Meshing different corporate cultures and systems of controls
Extranet’s weakest link: employees with access and unencrypted data stored on web servers.
Source: Whatis.com

Figure 7-7 Intranets, Extranets, and the Internet
Company A’s, Company B’s and Company C’s intranets are joined by an extranet; they, a campus network, a government agency intranet, individual network subscribers and an ISP all connect to the Internet.

What are the risks associated with Extranets?
- Data interception
- Lack of message origin authentication
- Lack of proof of delivery
- Lack of verification of message integrity
- Unauthorized viewing of messages
- Untimely delivery of messages

What are the risks associated with archival, master and reference file data?
- Weaknesses in firewall architecture or functionality
- Destruction of data
- Alteration of data
- Unauthorized use of data
- Alteration of applications

Firewall controls (figure)
Traffic from the Internet passes a level-1 firewall to reach the transaction web server that handles most data; the transaction web server holding sensitive data sits behind a second, level-2 firewall and access controls.

What is a virus?
A virus is malicious programming that:
- Replicates itself
- Is an unauthorized parasite on program or macro code
- Performs unrequested and oftentimes destructive acts
Viruses can infect:
- Boot sectors
- Executable files
- Macro templates or macros
Viruses can act at once, act at a later time, or act over a period of time.

Special types of viruses
- Trojan horses
  - Do not replicate (which makes them harder to detect)
  - Attach themselves to a seemingly legitimate program or file
- Hoaxes
  - Usually e-mails that ask you to send them on to others (claiming a false FCC issuance)
  - Clog up systems to deny service quality
- Buffer overflows
  - Exploit holes in the resource handling section of operating systems, e.g., by writing too many characters into a word buffer array
  - Can crash your system

Implications for Accounting Professionals
Accountants need to understand the new risks associated with networked systems:
- The configuration and Internet-working infrastructure, including all data access methods
- The exact number of intranets, servers, and Internet gateway servers
- The data processing at each intranet and Internet piece (including VANs), assessing the integrity and reliability of each system
- The security methods employed over each of the intranets, and the location and configuration of all firewalls
- Which intranets are within the domain of the audit engagement
Chapter 8 Risk Management

Chapter outline:
- Risk Management Paradigm and Methodology
- Control Weakness versus Control Risk
- Role of the Internal Control System
- Disaster Recovery Plans
- Implications for the Accounting Profession

What is risk management?
Risk management is a methodology for:
- Assessing the potential of future events that can cause adverse effects
- Implementing cost-efficient strategies that can deal with these risks
Only 16% of firms conduct a risk analysis of future civil liability from customers, partners and stockholders (CSI/FBI Survey, 2000).

What is a control weakness? How does it differ from control risk?
- A control weakness exists when a risk is present, the relevant controls are missing, and the cost of the control for that risk is less than the expected benefits.
- Control risk is the uncertain expectation that the cost of the risk-relevant controls would exceed the expected benefits.
- Residual risk is the inherent risk that will always exist due to unpredictable events.

Figure 8-1 Control weakness or control risk?
Risk level (low to high) is plotted against the cost of controls (low to high): high risk with low-cost controls is a clear weakness; a security gap arises when practices don’t follow policy; the low-risk region is allowable risk; and the high-cost region is inherent control risk.

Human Aspects of Internal Controls
- Social controls are the internal controls placed on human employees and stakeholders.
- Culture management is the management system of social controls.
- Major human risks: bad judgment, errors, fraud, and virus damage.
- Excessively tight social controls create new risks: inefficient operations, reduced flexibility, excessive control costs and a negative culture.

Figure 8-2 Characteristics of good risk management controls
- Redundancy: combining passive and active, formal and informal, preventative policies and audits
- Consistency: policies are modeled by management, supported by redundant controls
- Clearly written policies that are widely communicated and enforced
- Fairness in perception and application across individuals
- Not too detailed nor too restrictive
- Not a replacement for trust in employees
- Helpful rather than adversarial or punitive
- Two-way communication channels for risks, incidents and opportunities
- Supportive of valid organizational learning
Source: FEI, 1997

Figure 8-3 Risk Management Paradigm
A cycle around a central communication network:
1. Identify
2. Analyze – assess probabilities and priorities
3. Plan – assign available resources
4. Monitor – tracking devices
5. Control – corrective actions, proactive vs. reactive
Source: Adapted from SEI’s Risk Management Paradigm

What are the objectives of disaster recovery planning?
- Assessment of vulnerabilities
- Prevention and reduction of risk: continuous improvement as the system changes
- Creation of cost-effective solutions
- Minimization of business interruption and assurance of business continuity
- Security of alternative Internet access models
- Recovery of lost data
- Providing disaster recovery procedures
- Training employees for disaster recovery scenarios
- End-to-end recovery for e-Commerce applications

What are second site backup alternatives?
Goal is continuation of services, so test with drills! 47% of companies want 24 hour recovery.
- Internal extra capacity within the company
- Mutual aid pact between companies with excess capacity and compatible platforms
- Cold site / crate and ship: leased space and contingent contracts with vendors
- Hot site / remote mirroring: owned or leased space with a running platform; remote mirroring is with data backups already loaded

Implications for the Accounting Profession
Accountants need strong skills in:
- Risk assessment of the Internet, intranets, and the effects of trading partners’ systems
- Internal controls for Internet and intranet processes and storage
- Ability to understand the effects of changes in the environment, the organization and in technologies

Internal Control
Internal control is an ongoing management process designed to provide reasonable assurance concerning:
- Reliability of financial reporting
- Effectiveness and efficiency of operations
- Compliance with applicable laws and regulations
This involves risk assessment, and the design, implementation and maintenance of internal controls.

Internal Control Framework (COSO, 1992)
From the base up:
- Understanding your environment
- Assessing your risks
- Your culture: policies/procedures
- Your information and communication
- Monitoring your organization

Internal Control Environment
- Control environment
  - Management integrity, ethical values, competence, philosophy, operating style, assignment of authority and responsibility, and human resource policies and practices
  - Attentiveness and directives from the Board of Directors and the Audit Committee
- Risk assessment
  - External factors: new technologies, new competitor strategies, new regulations, natural disasters, and the world economy
  - Internal factors: IS disruptions, ineffective personnel, management weaknesses or changes, and inadequate access controls
- Control activities: general and application controls
- Information and communication systems
- Monitoring with documentation of incidents

Internal Control Activities
General controls:
- Data center controls
- System software controls
- Access security
- Application system development and maintenance controls
Application controls:
- Sales order processing
- Accounts payable
- Accounts receivable
- Cash disbursements
- Fixed asset management
- Payroll
- Human resources
- Purchasing
- Production
- Cost accounting
- Marketing
Chapter 9 Internet Standards, Protocols, and Languages

Chapter outline:
- The Role of Standards
- The Global Environment and Standard Setting
- Standard-Setting Issues, Committees, Structures and Interfaces
- Internet Protocols and Languages
- Implications for the Accounting Profession

What are some of the amazing aspects of the Internet?
- Tremendous size and use
- High growth rate
- Interconnection of different hardware, software, telecommunications, multiple cultures and languages
- Lack of designated ownership
How is this possible? Because of common, agreed-upon standards for development and operation.

Figure 9-1 Time line of major standard setting bodies and internet societies
Events on the time line (the dates did not survive extraction): ANSI founded; ANSI’s ASC X12 founded; IETF and IRTF founded; National Bureau of Standards founded (renamed NIST); NII/GII founded; WWW prototyped; WWW functioning; ISOC founded; OBI founded; ISO founded; IAB founded; UN/EDIFACT standard approved; WWWC (W3C) founded; CEFACT founded; migration started.

Internet Standards: ANSI
- ANSI – American National Standards Institute
  - Private nonprofit organization
  - Voluntary consensus standard setting process
- ASC – Accredited Standards Committee
  - 1979: X12 uniform data standards for interindustry EDI
  - Has developed over 275 standard transaction sets

Internet Standards: UN/EDIFACT
- United Nations / Electronic Data Interchange for Administration, Commerce, and Transport
- Challenges the US ASC X12 data standard
- Is used throughout the world
- ASC X12 is migrating towards UN/EDIFACT
- XML and XBRL are encouraging possibilities for new common standards

US and International Standard Setting Bodies
- UN ECE – United Nations Economic Commission for Europe
  - CEFACT – Centre for Facilitation of Procedures and Practices for Administration, Commerce, and Transport
  - Goal: to simplify business processes and procedures
- ISO – International Organization for Standardization – over 120 member countries
  - Goal: to encourage and enhance global trade
- NIST – National Institute of Standards and Technology

Figure 9-2 Relationships among major standard-setting bodies
The figure links UN/ECE (with CEFACT beneath it and regional EDIFACT coordinators, or rapporteurs, for Africa, Asia, Australia and New Zealand, East and Central Europe, West Europe and Pan America) with ISO, ANSI (with ASC X12 as a member) and NIST through technical liaisons, permanent council membership and technical management board membership.

Internet Specific Committees
- ISOC – Internet Society: nongovernmental, international nonprofit with voluntary, consensus standard setting processes
  - IAB – Internet Architecture Board
  - IETF – Internet Engineering Task Force
  - IESG – Internet Engineering Steering Group
  - IRTF – Internet Research Task Force
  - RFC – Requests for Comments on new protocols
- ICANN – Internet Corporation for Assigned Names and Numbers
  - Responsible for domain registration functions
  - Passed new extensions in November 2000: .biz, .info, .name, .pro, .museum, .aero, and .coop

Figure 9-3 ISOC, IAB, and related committees
The figure shows the IAB, IESG, IETF, IRTF and the RFC editor, with arrows for appointing chairs, nominating members and liaison, coordinated through IAB meetings.

World Wide Web Specific Committees
- W3C – World Wide Web Consortium
  - Seed funded by DARPA, CERN, UN/ECE
  - Goal: to lead the advancement of the Internet through common protocols to ensure its interoperability
- OBI – Open Buying on the Internet
  - Group of Fortune 500 companies
  - To encourage the B2B marketplace on the Web
- GIIC – Global Information Infrastructure Commission
  - Communication link between organizations and committees
  - Strong ties with the World Bank and industry leaders
  - Reducing the Digital Divide is one of its lead projects

Figure 9-4 Levels of access to technology by region (Source: GIIC, 2000)
Region                       | Phone lines per 1,000 | Mobile phones | PCs per 1,000 | Net hosts per 10k | GNP/capita
European Union               | 514 | 230 | 311 | 608.0  | $20,440
United States                | 661 | 256 | 459 | 1509.0 | $20,314
Latin America and Caribbean  | 123 | 45  | 34  | 15.0   | $6,340
Europe and Central Asia      | 200 | 23  |     |        | $5,510
Middle East and North Africa | 81  | 8   | 10  | 0.4    | $4,630
East Asia and the Pacific    | 70  | 25  | 14  | 2.0    | $3,280
South Asia                   | 19  | 1   | 3   | 0.2    | $1,940
Sub-Saharan Africa           | 5   |     |     |        | $1,440
(Blank cells were not preserved in the extraction.)

Internet Security Committees and Organizations
- SEI – Software Engineering Institute, Carnegie Mellon University
  - CERT – Computer Emergency Response Team
  - NSS – Network Systems Survivability
- FIRST – Forum of Incident Response and Security Teams
- ICSA – International Computer Security Association – independent, for-profit company
- US Government Agencies
  - NIST’s CSRC – Computer Security Resource Clearinghouse
  - CSTC – Computer Security Technology Center
  - CIAC – Computer Incident Advisory Capability
  - FedCIRC – Federal Computer Incident Response Capability
  - Advanced Security Projects
  - Secure Systems Services

What is the difference between a protocol and a computer language?
- Protocols are agreed-upon methods of communicating and transmitting data between telecommunication devices.
- Computer languages focus on communicating with the computer and its operating system.

Internet Security Protocols and Languages
- Interoperability: the capability for applications running on different computers to exchange information and operate cooperatively.
- OSI – Open Systems Interconnection: 1984 model for the standardization of data communication procedures that support interoperability

Figure 9-5 OSI model
Upper layers: Application layer, Presentation layer, Session layer. Lower layers: Transport layer, Network layer, Data link layer, Physical layer.

OSI Model Layers
- Application layer: connects the operating system to system and user applications
- Presentation layer: controls the syntax (format) of the data transferred – HTML
- Session layer: establishes and maintains connections, checks on packet integrity
- Transport layer: IP addresses determine the ultimate end node of the Internet
- Network layer: TCP controls the packet routing on the Internet – can be connection or connectionless
- Data link layer: controls data transmission from one computer to the next – can be connection or connectionless
- Physical layer: controls the transfer of bits from the computer to the telecommunications medium

The TCP/IP Protocol
- Works in the network and session layers
- Guarantees delivery of all data packets
- Is built into the UNIX operating system
- Microsoft Windows interface: Winsock
- An IP address must be present for sender and receiver for TCP/IP to work
  - IPv4 is 32 bits, has 4-byte sections
  - 3 classes for large, medium and small networks
  - 2 classes for special and experimental purposes
  - IPv6 has 126 bits to accommodate more hosts
- Domain names (Universal Resource Locators) help transform these streams of numbers into meaningful code: Disney.com

Figure 9-6 The IPv4 protocol
Order of bits by class:
- Class A: network identifier 7 bits; host identifier 24 bits: 2^24 = 16,777,216 possible hosts
- Class B: leading bits 10; network identifier 14 bits; host identifier 16 bits: 2^16 = 65,536 possible hosts
- Class C: leading bits 110; network identifier 21 bits; host identifier 8 bits: 2^8 = 256 possible hosts
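An added Python decoder for this figure (not the book’s code): it reads the leading bits, splits an address into the network and host identifiers with the bit widths above, and also covers the two special/experimental prefixes (1110 and 1111, classes D and E, which the slide mentions but the figure does not draw) and the input validation a practitioner would want. The class-A leading bit 0 is the standard’s convention rather than something shown on the slide; the sample addresses are constructed.

```python
"""Decode an IPv4 address into the class layout of Figure 9-6.

Added example, not the book's code.  Classes A/B/C are split as the figure
shows (network ids of 7/14/21 bits, host ids of 24/16/8 bits, leading bits
10 and 110 for B and C; the leading 0 of class A is the standard's, not on
the slide).  Prefixes 1110 and 1111 are the two special/experimental
classes (D and E), which have no network/host split.
"""

_CLASSES = (
    # (leading-bit pattern, bits in the pattern, class, network bits, host bits)
    (0b0, 1, "A", 7, 24),
    (0b10, 2, "B", 14, 16),
    (0b110, 3, "C", 21, 8),
    (0b1110, 4, "D", 0, 0),
    (0b1111, 4, "E", 0, 0),
)


def parse_ipv4(text):
    """Dotted quad -> 32-bit integer; malformed input raises ValueError."""
    parts = text.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {text!r}")
    value = 0
    for part in parts:
        if not part.isdigit() or int(part) > 255:
            raise ValueError(f"bad octet {part!r} in {text!r}")
        value = (value << 8) | int(part)
    return value


def _dotted(value):
    """32-bit integer -> dotted quad."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def classify_ipv4(text):
    """Class, bit split and (for A/B/C) network id, host id, host count, netmask."""
    value = parse_ipv4(text)
    first_octet = value >> 24
    for pattern, pattern_bits, cls, net_bits, host_bits in _CLASSES:
        # Compare only the leading `pattern_bits` of the first octet.
        if first_octet >> (8 - pattern_bits) == pattern:
            break
    else:  # the five patterns cover every possible first octet
        raise AssertionError(text)
    info = {"address": text, "class": cls,
            "network_bits": net_bits, "host_bits": host_bits}
    if host_bits:                      # classes A, B, C only
        info["network_id"] = (value >> host_bits) & ((1 << net_bits) - 1)
        info["host_id"] = value & ((1 << host_bits) - 1)
        info["possible_hosts"] = 1 << host_bits     # 2^host_bits, as in the figure
        info["netmask"] = _dotted((0xFFFFFFFF << host_bits) & 0xFFFFFFFF)
    return info


def same_network(addr_a, addr_b):
    """True when both addresses fall in the same classful (A/B/C) network."""
    a, b = classify_ipv4(addr_a), classify_ipv4(addr_b)
    return ("network_id" in a and a["class"] == b["class"]
            and a["network_id"] == b.get("network_id"))
```

For 172.16.5.9 the leading bits are 10, so the 14-bit network identifier is the remaining six bits of 172 followed by 16 (11280) and the 16-bit host identifier is 5.9 (1289).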
282
Figure 9-7 IP address tracking
A suspicious message is received and an investigation reveals that the true IP address of the sender is A domain name service that maintains a list of registered domains determines that this message was sent by a business department server at Lehigh University – computer node 102 If Lehigh can track a specific computer assigned to nod 102, Then they can pinpoint the computer from which the message was sent: = Lehigh University = Business faculty server 102 = Individual computer node (so who was it?)
283
What are the common top level domain name extensions?
Top level domain names (managed by ICANN): .edu = higher education organizations .com = commercial organizations .net = Network providers .org = Nonprofit organizations .es, .uk, .ca, .de = countries (Spain, United Kingdom, Canada, Germany) .gov = government agency New Global Top Level Domain Names: Generic Top Level Domain Memorandum of Understanding (gTLD): .biz, .info, .name, .pro, .museum, .aero, .coop
284
What is Telnet? What is FTP?
Both run on top of TCP/IP in Session layer Both allow remote access and activity Usually use a combination of user-id and password to enter the network Telnet - allows remote terminal emulations and logins File Transfer Protocol (FTP) file transfers to a server: for file uploads and downloads
285
What are NTTP, HTTP and HTTP 1.1?
NTTP – Network News Transfer Protocol for the News Industry to transfer and search for articles on the Internet Hypertext Transfer Protocol - (HTTP) Basic WWW protocol: request/response Runs on top of the TCP protocol in Presentation layer Defines message formats and transmissions Defines web server and browser commands PEP Protocol Extension Protocol allows dynamic interactions for transaction-based applications HTTP- 1.1 the next generation! RFC 2774 S-HTTP (EIT) – secures message (lock at bottom of your browser screen) produces a digital signature
286
What are SGML and HTML? SGML – standard generalized markup language
Independent of Hardware and Software Data encoding system that promotes data sharing by tagging data with: Data – structure – format (look) DTD: document type definition are the rules for SGML HTML – hypertext markup language Encodes and recognizes documents <start> </finish> Not as flexible as SGML XML – allows customized tags: (WWW3) License-free, platform independent, well-supported. Really helps the growth of Web EDI solutions
287
What is XML? XML – eXtensible Markup Language (WWW3)
Allows customized tags: More flexible than HTML License-free, platform independent, well-supported. Supports Web/EDI solutions Method for putting structured data into a text file that is not meant to be read as is: Uses the tags to delimit the data, leaving the interpretation of the data to the application that reads it Is a family of technologies: XLink, XFragments, Xpointer Requires more bits than comparable binary formats
288
Figure 9.8 XML code <customer>
<name>Cosmic Graphics Inc.</name> <billing-address> <street>1317 Star Blvd.</street> <city>Kemah</city> <state>Texas</state> <zipcode>77571</zipcode> </billing-address> <credit limit>20000</credit limit> <type-of-business>wholesaler</type-of-business> <contact> <first-name>Cynthia</first-name> <last-name>Barker</last-name> </contact> </customer>
289
What are DOM and DHTML? DOM: – object representation in a web page
Scripting-language neutral Implementation-neutral interface Allows programs and scripts to access and dynamically change a document’s content, style and structure With cookies, delivers a personalized screen Specifications are found in OMG IDL: Object Management Group Interface Definition Language DHTML – allows different users to see different screens. Requires DOM to be able to make the changes
290
What is XHTML? XHTML: Provides a document type that can be shared across personal digital assistants, mobile phones, vending machines, desktops, and televisions. Allows simple content authoring.
291
What is Java? JAVA is a platform neutral object-oriented programming language, not a protocol Developed by SUN Microsystems in 1995 Platform neutral Benefit: runs anywhere Costs: less efficient in processing due to the additional processing layer and the need for a JAVA interpreter (termed the virtual machine), Portable: Write Once, Run Anywhere Supports GUIs and client/server applications Similar to C++ Hot Java – first Java- enabled web browser with “applets” MID: Sun’s wireless JAVA profile for PDAs and cell phones
292
Messaging (e-mail) Protocols
Basic mail protocols:
SMTP: protocol to pass e-mails from server to server on the Internet
POP2: SMTP server to desktop, "store + forward": messages are downloaded periodically
POP3: newer version of POP2 without the need to have an SMTP server; e-mails are downloaded, read, and discarded
IMAP4: remote file server: read the files from the server, no downloading
ACAP: IMAP capabilities plus user preferences are stored on the server: great for traveling workers!
293
Security-Enhanced Mail Protocols
X.400: protocol that requires messages to pass through known, trusted carriers such as AT&T or MCI
PEM: Privacy Enhanced Mail protocol
  Origin authentication and nonrepudiation, message integrity and confidentiality
MIME: Multipurpose Internet Mail Extension protocol; allows multimedia
MOSS: MIME Object Security Services
  Adds some security to MIME
  Allows ASCII and non-ASCII message formats
294
Security-Enhanced Mail Protocols
S/MIME: alternative to MIME/MOSS
  Developed by RSA Data Security, based on public keys
  Adds digital signatures and encryption
MSP: mail protocol of the US Government
PGP: Pretty Good Privacy
  Developed by Philip Zimmermann
  Uses public key encryption technology
  For individuals there is a free download available; go to MIT's web site for PGP v6.5
295
Figure 9-11 Integration of S/MIME and MSP
System prior to integrating S/MIME and MSP: a DoD user's e-mail is an MSP message with security (DoD's customized encryption algorithms); the gateway computer strips off the security, so the non-DoD user receives an unsecured message.
System with S/MIME and MSP integrated: the DoD user's secure message passes through a merged MSP gateway computer that checks the security against a repository of acceptable encryption algorithms, so the non-DoD user receives a secure message.
296
What are S-HTTP and SSL?
S-HTTP is a method of secure transmission
  Developed by a private organization, Enterprise Integration Technologies (EIT)
  Uses encryption and produces a digital signature
SSL (Secure Sockets Layer) creates a secure session with a web server
  Developed by Netscape
  Uses public and private key encryption
  Does not produce a digital signature
  Can be used with S-HTTP for enhanced security
297
What is SET?
SET: Secure Electronic Transmission
  Uses public and private key encryption (DES and RSA)
  Ensures confidentiality and integrity
  Authenticates both merchants and cardholders
  Is interoperable with other protocols
13 European and 5 Asian countries have adopted SET
US companies use the SSL/S-HTTP combination
298
History of SET
Two incompatible protocols were made:
  STT: Secure Transaction Technology protocol, developed by Microsoft and Visa
  SEPP: Secure Electronic Payment Protocol, developed by IBM, Netscape, GTE, CyberCash and MasterCard
SET is the new jointly created standard
299
Figure 9-12 The role of SET in the electronic shopping experience
1. Cardholder browses through merchandise via some form of catalog
2. Cardholder selects items to be purchased
3. Cardholder fills order form after possible price negotiation
4. Cardholder selects payment mechanism
5. Cardholder gives order and payment instructions and digitally signs them
6. Merchant requests payment authorization from cardholder's financial institution
7. Confirmation sent by merchant to cardholder
8. Merchant ships goods to cardholder
9. Merchant requests payment from cardholder's financial institution
Source: SET Specification, 1997
300
Comparison of Features
Feature | SSL | SET
Encryption of data during transmission? | Yes | Yes
Confirmation of message integrity? | Yes | Yes
Authentication of merchant? | Yes | Yes
Authentication of consumer? | No* | Yes
Transmission of specific data only on a "need to know" basis? | No | Yes
Inclusion of bank or trusted third party in transactions? | No | Yes
No need for merchant to secure credit card data internally? | No | Yes
* can be used in SSLv3
301
Mobile Protocols
Mobile devices include digital phones, pagers, and personal digital assistants
Mobile Internet access is used for e-mail, electronic payments and vending machine use
WAP: Wireless Application Protocol
  Developed by Ericsson, Motorola, Nokia, and Unwired Planet
  Challenges include:
    Smaller display, limited memory, and slow processing
    HTML tags do not all translate well to the small screens
    Transmission security is a huge concern
WML: Wireless Markup Language has been developed to overcome some of these challenges
WTLS: Wireless Transport Layer Security specification adds security through encryption and authentication
302
Implications for the Accounting Profession
Accountants need to understand Internet protocols to be able to evaluate a client’s information system reliability and security. Accountants need to become more active in Internet standard-setting processes.
303
304
Chapter 10 Cryptography and Authentication
305
Cryptography and Authentication
Security Issues
Encryption Techniques, Key Infrastructures and Key Management
Digital Signature Technology
Role of Certificate Authorities in Key Management
Implications for the Accounting Profession
306
What does the Electronic Signatures in Global and National Commerce Act do?
Clarifies the legal validity of electronic contracts, signatures, notices, and other records
Allows contracting parties to choose the technology they want to use for authenticating their transactions without government intervention
Provides entrepreneurs with the legal certainty they need to trust their e-Businesses
Gives on-line consumers the same legal protections as off-line consumers
307
What are the 5 security services that ensure reliable, trustworthy transmission of business messages?
Confidentiality
Integrity
Nonrepudiation
Authentication
Authorization (Access Control)
308
Figure 10-1 Primary security issues, objectives and techniques
Security issue | Objective | Techniques
Confidentiality | Privacy of message | Encryption
Message Integrity | Detecting message tampering | Hashing (digest)
Authentication | Origin verification | Digital signatures; challenge-response; passwords / biometrics
Non-repudiation | Proof of origin, receipt, and contents (sender cannot falsely deny sending or receiving the message) | Bi-directional hashing; digital signatures; transaction certificates; time stamps, confirmations
Access Controls | Limiting entry to authorized users | Firewalls, passwords; biometric devices
309
What is Confidentiality?
Confidentiality refers to the unavailability of a message to non-authorized readers. On the Internet, that involves making the message unintelligible to others, usually through encryption.
310
What is Integrity?
Integrity refers to the confidence that the contents of the message received are exactly the same as the contents of the message sent by the sender. Verification of integrity involves both the sender and the receiver calculating a hash total of the message and comparing the two, similar to a check-sum digit. SHA-1 (Secure Hash Algorithm 1) is the only ISO/ANSI accredited standard hashing algorithm.
311
What is Authentication?
Authentication refers to the confidence that the message received really came from who the sender claims to be. For Internet messages, authentication involves showing one, two or three of the following factors:
  Something only you have (token)
  Something only you know (PIN)
  Something only you are (fingerprints or signature)
Common authentication measures include: tokens, digital signatures, biometric devices, challenge-response systems, bi-directional digests, one-time passwords, transaction certificates and smart cards
312
What is Nonrepudiation?
Repudiation refers to the ability to refuse to accept an obligation. Nonrepudiation eliminates the ability of a party to refuse to accept or acknowledge that a communication or transaction has occurred. Nonrepudiation involves:
  Proof of origin (sender authentication)
  Proof of receipt (recipient authentication)
  Proof of content dispute (message integrity)
313
What are Access Controls?
Access controls refer to restricting unauthorized parties from gaining entry to shared data. Common access controls include passwords, authentication controls, and firewalls.
314
Encryption Techniques
Encryption is the transformation of data via a one-way mathematical function, into a form that is unreadable by anyone who does not possess the appropriate key.
  Key: binary code used to transform the data
  Cleartext: message in readable form
  Ciphertext: encrypted message
315
What determines Cryptography Strength?
Security application and platform quality
The cryptographic algorithm
The length of the key (direct relationship to strength of security: longer is better)
The protocol used to generate/manage the keys
Private key storage
316
What is symmetric encryption?
Common secret key: so how do you share it?
Fast speed and difficult to crack
Based on stream and/or block methods
Single DES: developed by IBM in 1977; 56 bits
  Scrambles a 64-bit block once and then divides it into two
  Scrambles each half 16 times, and then applies the inverse of the original scramble
  Can be cracked in less than a day
Triple DES: encrypts-decrypts-encrypts with 2 keys
NIST's new standard: AES, 128, 192, 256 bit keys
  "Rijndael", winner of the international competition
317
Single Symmetric Encryption Method
Figure: the sender encrypts the cleartext into the encoded message, which is transmitted; the receiver decrypts it using an identical key.
318
Triple Symmetric Encryption Method
Figure: the sender encodes the cleartext with Key A, then Key B, then Key A again (double, then triple encoded) before transmission; the receiver reverses the three steps with the same two keys.
319
Other symmetric encryptions
Skipjack
  National Security Agency (NSA)
  80-bit key
  Placed on the Clipper Chip
  "Split-key" requiring two authorized escrow parties to provide a password in order to recover the escrowed key
RSA Data Security's RC2, RC4, RC5, RC6
  Both block and stream ciphers are used
  Key lengths can vary from 0 to 2,048 bits, blocks can vary from 32 to 128 bits, and scrambling rounds from times
  RC6 finished in the top 5 finalists in the international competition in the year 2000
  Chapter 10 Appendix A explains this algorithm
320
What is asymmetric encryption?
1976: Stanford's Diffie-Hellman algorithm
  The sender and receiver generate a shared secret key over an insecure telecommunications line
  Each party determines a secret value, and applies a function to create a derived value, which is shared
  No party shares their secret value, so no party has all four pieces of information
  The algorithm creates a common, secret key from a combination of the private and the shared information
  Drawback: vulnerable to man-in-the-middle attacks
321
Figure 10-4 Diffie-Hellman public key cryptography
Sender: determines secret value a; calculates public value A; makes public value A available; retrieves public B; computes the shared secret key from a and B
Receiver: determines secret value b; calculates public value B; makes public value B available; retrieves public A; computes the shared secret key from b and A
Identical keys are generated on both sides; the sender encrypts the cleartext message, the encoded message is transmitted, and the receiver decrypts it
322
Figure 10-5 Man-in-the-middle attack on public key cryptography
Masquerader: determines secret Z; replaces A and B with Z as they are communicated; computes Key(z,A) and Key(z,B)
Sender: retrieves Z instead of B and computes Key(a,Z); encrypts the cleartext
Receiver: retrieves Z instead of A and computes Key(b,Z); decrypts the message
Identical keys are generated, but each with the masquerader rather than with the other party: the bad guy can read and alter the message
323
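The exchange of Figure 10-4 and the substitution of Figure 10-5, worked in Go as an added example (not the textbook's own material): the group parameters are a constructed toy size, and the Party type and function names are hypothetical.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
)

// Toy group parameters so the numbers stay readable (constructed for this example; a real
// deployment uses a 2048-bit or larger standardized prime and generator).
var (
	p = big.NewInt(2147483647) // 2^31 - 1, a prime
	g = big.NewInt(7)
)

// Party holds one side's secret value and the public value derived from it (Figure 10-4).
type Party struct {
	secret *big.Int
	Public *big.Int
}

// NewParty picks a random secret value s in [2, p-2] and computes the public value g^s mod p.
func NewParty() *Party {
	upper := new(big.Int).Sub(p, big.NewInt(3)) // rand.Int draws from [0, p-3)
	s, err := rand.Int(rand.Reader, upper)
	if err != nil {
		panic(err)
	}
	s.Add(s, big.NewInt(2))
	return &Party{secret: s, Public: new(big.Int).Exp(g, s, p)}
}

// SharedKey combines this party's secret with the other party's public value:
// key = other^secret mod p. Neither secret value ever leaves its owner.
func (pt *Party) SharedKey(otherPublic *big.Int) *big.Int {
	return new(big.Int).Exp(otherPublic, pt.secret, p)
}

// HonestExchange runs Figure 10-4 and reports whether sender and receiver derived identical keys.
func HonestExchange() bool {
	sender, receiver := NewParty(), NewParty()
	return sender.SharedKey(receiver.Public).Cmp(receiver.SharedKey(sender.Public)) == 0
}

// ManInTheMiddle runs Figure 10-5: a masquerader substitutes its own public value Z for both
// A and B. It returns true when each legitimate party's key equals one the masquerader can
// compute, which is the weakness that certified public values (Figure 10-13) are meant to close.
func ManInTheMiddle() bool {
	sender, receiver, masq := NewParty(), NewParty(), NewParty()
	keySender := sender.SharedKey(masq.Public)          // Key(a, Z): sender believes Z is B
	keyReceiver := receiver.SharedKey(masq.Public)      // Key(b, Z): receiver believes Z is A
	masqWithSender := masq.SharedKey(sender.Public)     // Key(z, A)
	masqWithReceiver := masq.SharedKey(receiver.Public) // Key(z, B)
	return keySender.Cmp(masqWithSender) == 0 && keyReceiver.Cmp(masqWithReceiver) == 0
}

func main() {
	fmt.Println("honest exchange, identical keys:", HonestExchange())
	fmt.Println("man-in-the-middle, masquerader knows both keys:", ManInTheMiddle())
}
```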
What are Public-Private Key Pairs?
Combination of public and private key characteristics
Uses a one-way function with a trap door (key)
Usually involves factoring the product of two large prime numbers
  Easy to perform in one direction, but time consuming in the other direction
Party A gives their public key to Party B and keeps their Party A private key
Party B gives their public key to Party A and keeps their Party B private key
RSA is a well-known key pair technology
324
Figure 10-6 Key pairs used to provide confidentiality
Confidentiality without origin authentication: the student encrypts Penelope's medical condition with the professor's public key; the encoded message is transmitted; the professor decrypts it with the professor's private key and reads it.
325
Figure 10-7 Key pairs used to authenticate sender
Origin authentication because only the professor has the professor's private key: the professor encrypts a request for a meeting with the professor's private key; the encoded message is transmitted; the student decrypts it with the professor's public key and Penelope reads the request.
326
Figure 10-8 Double key pairs used to provide confidentiality and authentication of sender
Origin authentication and confidentiality, but way too slow: the professor, sending her grade, encrypts with the prof's private key and then with Penelope's public key; the double-encoded message is transmitted; Penelope decrypts with Penelope's private key and then with the prof's public key, and Penny reads her grade.
327
Figure 10-9 Solution: Symmetric and key pair combination
Sender: generates a random DES key; encrypts the clear text with the DES key (DES encoded message); encrypts the random DES key with the recipient's public key
Receiver: decrypts the DES key with the recipient's private key; decrypts the DES encoded message with the random DES key to recover the clear text
328
Let’s Recap the Top 5 Message Security Services
Confidentiality
Authentication of sender
Authentication of receiver
Message Integrity
Non-repudiation
329
What are Digital Wrappers?
Digital wrappers are encryption that envelops and seals a digital asset against unauthorized access:
  Digital music
  Software
  Digital books
Wrappers can be engineered to decrypt:
  Once
  As many times as the owner decides
  Over a period of time
330
What is Elliptic Curve Cryptography (ECC)?
ECC is based on a one-way elliptic-curve discrete logarithm function (more difficult to solve than the algorithm RSA currently uses)
Smaller key size, so faster processing: a 160-bit key offers the same security as RSA's 1,024-bit key
Great for devices with smaller memory and processing power such as cell phones and PDAs
RSA holds a patent on creating interoperability between two competing but incompatible ECC methods
331
What are Integrity Checks?
Integrity checks are designed to be a detective control to verify that a message has not changed without authorization of the sender. Integrity checks are typically hash digests. Hash digests are mathematical representations of the message that have the following characteristics:
  Similar to an accounting check-sum control
  The full data set cannot be reproduced from the hash
  No two data sets should result in the same hash
  Used to determine if a message has been altered
  Can be used with encrypted and nonencrypted data
332
What are Digital Signatures?
Digital signatures are message digests (hashes) that are encrypted with the sender's private key. Digital signatures:
  Bind the message origin to the exact contents of the message
  Establish sender authentication and message integrity (nonrepudiation)
Current standards:
  NIST's DSA (Digital Signature Algorithm) (FIPS 186)
  X rDSA (Reversible Digital Signature Algorithm)
  X9.62 ECDSA (Elliptic Curve Digital Signature Algorithm)
333
What are one-time pads?
The original one-time pad was created by Gilbert Vernam in 1917; the key was the same length as the message. Lyman Morehouse solved this key length problem by using two shorter keys which together form one longer key. These algorithms are unbreakable because there is no "back-door". Chapter 10 Appendix B explains the XOR algorithm used in one-time pads.
334
Figure 10-12 Encryption techniques providing message integrity, authentication and confidentiality
Sender: calculates the digest of the clear text and encrypts it with the sender's private key; generates a random DES key and encrypts the clear text with it (encoded message); encrypts the random DES key with the recipient's public key; transmits all three
Receiver: decrypts the random DES key with the recipient's private key; decrypts the encoded message; decrypts the digest with the sender's public key; re-calculates the digest and verifies it
335
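The combination of Figures 10-9 and 10-12 (a random symmetric key wrapped with the recipient's public key, plus a digest signed with the sender's private key), written in Go as an added example rather than anything from the textbook; the Envelope type and the Seal/Open names are hypothetical, and AES-GCM with RSA-OAEP and RSA-PSS from Go's standard library stand in for the deck's DES and RSA.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is the transmitted bundle of Figure 10-12 (hypothetical field names): the random
// symmetric key wrapped with the recipient's public key, the encoded message, and the
// sender's signature over the message digest.
type Envelope struct {
	WrappedKey []byte // random AES key encrypted with the recipient's public key (only they can unwrap it)
	Nonce      []byte // AES-GCM nonce, sent in the clear
	Encoded    []byte // cleartext encrypted with the random key
	Signature  []byte // SHA-256 digest of the cleartext signed with the sender's private key
}

// Seal is the sender's side: calculate the digest and sign it, encrypt the message under a
// fresh random symmetric key, then wrap that key with the recipient's public key.
func Seal(cleartext []byte, senderPriv *rsa.PrivateKey, recipientPub *rsa.PublicKey) (*Envelope, error) {
	digest := sha256.Sum256(cleartext)
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	// The deck's "random DES key"; AES (the NIST replacement named on the AES slide) is used here.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Encoded: gcm.Seal(nil, nonce, cleartext, nil), Signature: sig}, nil
}

// Open is the receiver's side: unwrap the symmetric key with the recipient's private key,
// decrypt, recalculate the digest and verify it against the sender's signature.
func Open(env *Envelope, recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("confidentiality: key unwrap failed, not the intended recipient")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	cleartext, err := gcm.Open(nil, env.Nonce, env.Encoded, nil)
	if err != nil {
		return nil, errors.New("integrity: encoded message was altered in transit")
	}
	digest := sha256.Sum256(cleartext)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
		return nil, errors.New("authentication: digest does not verify under the claimed sender's public key")
	}
	return cleartext, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	professor, _ := rsa.GenerateKey(rand.Reader, 2048) // sender
	penelope, _ := rsa.GenerateKey(rand.Reader, 2048)  // receiver
	env, err := Seal([]byte("Penelope, your grade is A"), professor, &penelope.PublicKey)
	if err != nil {
		panic(err)
	}
	out, err := Open(env, penelope, &professor.PublicKey)
	fmt.Printf("received: %q, err: %v\n", out, err)
	env.Encoded[0] ^= 0xff // simulate alteration on the wire
	_, err = Open(env, penelope, &professor.PublicKey)
	fmt.Println("after alteration:", err)
}
```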
Information on digital certificates (some have free products!):
Baltimore Technologies
GlobalSign (partnership with VeriSign)
Thawte
VeriSign
RSA Security
336
What are some good encryption practices?
Password length, complexity, and maintenance
Key length: at least 64 bits
Key management policies
Compressed files: compress, then encrypt
Message contents: if the message might be guessed, add meaningless characters
337
What is a public key infrastructure (PKI)?
PKIs are systems that manage key pairs, verify key holders/users and issue digital certificates.
Certification Authority (CA)
  Issues/revokes key certificates
  Publishes certificate revocation lists (CRLs)
Registration Authority (RA)
  Registers users and attests to CAs on the identity of CA users
Certificate Repository (CR)
  Public database holding certificates and CRLs
338
What is a certification authority?
Certification Authorities:
  Issue certificates
    Various grades of certificates
  Link users to their public keys, and sometimes to their private keys
  Verify the identities of the key users
  Manage key pairs: various methods exist
Industry standard is ITU-T X.509
ISO will soon replace the current standard
339
Figure: Certificate Authority, Internet Merchant bearing a certificate, and Customer
1. Customer interest (customer to merchant)
2. Verify the customer (merchant, via the certificate authority) and verify the storefront (customer, via the certificate authority)
3. Sharing of purchase information (customer and merchant)
4. Certificate Authority
340
Figure 10-13 X.509 version 3 certificate format
To-be-signed certificate:
  Version
  Serial Number: counter of certificates issued by this CA
  Signature Algorithm Identifier: Object ID, Optional Parameters
  Issuer: CA's DN
  Validity Time Period
  Subject: User DN
  Subject Public Key Info.
  Extensions: each with an Extension ID, a Criticality Flag and a Value
Signature (over the to-be-signed certificate)
DN = Distinguished Name
341
What would you want to know before engaging a CA?
Certification practice statement (CPS)
  States CA organizational policies
Certificate policy (CP)
  States authorized uses of certificates
  Explains application processes
  Explains key management processes
342
Figure 10-14 General certification authority
SCENARIO A
Public Certificate Authority: verifies the individual; issues the certificate; maintains the public key & certificate; provides key generating software
Individual: generates own key pair; keeps private key; provides proof of identification; receives the certificate
343
Figure 10-14 General certification authority
SCENARIO B
Private Certificate Authority (customer or trading partner): verifies the individual; generates key pairs for employees; escrows private keys for employees; issues the certificate; maintains the public key & certificate; provides key generating software; sends the private key & certificate to the employee
Employee: generates own key pair; keeps private key; provides proof of identification; receives the certificate
344
Figure 10-14 General certification authority
SCENARIO C
Public Certificate Authority: verifies individuals; verifies the certificate; maintains the public key & certificate; provides key generation software & criteria for the certificate
Private Certificate Authority (customer or trading partner): provides individual user identification, public keys and certificates to the public certificate authority; verifies the individual; generates key pairs for employees; escrows private keys for employees; issues the certificate; maintains the public key & certificate; provides key generating software; sends the private key & certificate to the employee
Employee: generates own key pair; keeps private key; provides proof of identification; receives the certificate
345
What does key management involve?
Key generation
Key registration
Key escrow and recovery
  Key pair
  Encryption pair
Key updates and replacement
Key revocation and destruction
346
Additional Authentication Methods
One-time passwords
Smart cards
Two-factor identification
Chall-response
  Valid password/thumbprint provided
  Calculation of current password by smartcard/token
  Display of current password
  Entry of current password by user
  Authentication by host computer using all three data
Biometrics
347
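The challenge-response steps listed above, as an added Go example that is not part of the deck: the token's password algorithm is assumed to be HMAC-SHA256 truncated to six digits (the slide names no algorithm), and the Token and Host types, the user name and the PIN are hypothetical.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// Token models the user's smart card or hardware token: it holds a secret shared only with the
// host and computes the current password from the host's challenge (constructed example).
type Token struct{ secret []byte }

// CurrentPassword derives a six-digit one-time password from the challenge: HMAC-SHA256
// truncated to a number, so each challenge yields a different password and none can be replayed.
func (t Token) CurrentPassword(challenge []byte) string {
	mac := hmac.New(sha256.New, t.secret)
	mac.Write(challenge)
	sum := mac.Sum(nil)
	return fmt.Sprintf("%06d", binary.BigEndian.Uint32(sum[:4])%1000000)
}

// enrollment is what the host stores per user: a PIN hash (something you know) and a copy of
// the token secret (something you have).
type enrollment struct {
	pinHash [32]byte
	token   Token
}

// Host is the authenticating computer. It issues challenges, remembers which are outstanding,
// and checks the three pieces of data the slide lists: PIN, challenge, and token response.
type Host struct {
	users      map[string]enrollment
	challenges map[string]bool // hex-encoded challenge -> still unused
}

func NewHost() *Host {
	return &Host{users: map[string]enrollment{}, challenges: map[string]bool{}}
}

func (h *Host) Enroll(user, pin string, tokenSecret []byte) {
	h.users[user] = enrollment{pinHash: sha256.Sum256([]byte(pin)), token: Token{tokenSecret}}
}

// Challenge returns a fresh random challenge that can be answered at most once.
func (h *Host) Challenge() ([]byte, error) {
	c := make([]byte, 16)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	h.challenges[hex.EncodeToString(c)] = true
	return c, nil
}

// Authenticate recomputes the expected password with the host's copy of the token secret.
// Both factors must match, and the challenge is consumed whether or not the attempt succeeds.
func (h *Host) Authenticate(user, pin string, challenge []byte, response string) bool {
	key := hex.EncodeToString(challenge)
	if !h.challenges[key] {
		return false // unknown or already used challenge: a replayed response is rejected
	}
	delete(h.challenges, key)
	u, ok := h.users[user]
	if !ok {
		return false
	}
	pinHash := sha256.Sum256([]byte(pin))
	pinOK := subtle.ConstantTimeCompare(pinHash[:], u.pinHash[:]) == 1
	otpOK := subtle.ConstantTimeCompare([]byte(u.token.CurrentPassword(challenge)), []byte(response)) == 1
	return pinOK && otpOK
}

func main() {
	secret := make([]byte, 32) // provisioned onto the token and registered with the host at enrollment
	if _, err := rand.Read(secret); err != nil {
		panic(err)
	}
	host := NewHost()
	host.Enroll("penelope", "2468", secret)
	token := Token{secret}
	c, _ := host.Challenge()
	otp := token.CurrentPassword(c) // displayed on the token, typed in by the user
	fmt.Println("first use of the response:", host.Authenticate("penelope", "2468", c, otp))
	fmt.Println("replay of the same response:", host.Authenticate("penelope", "2468", c, otp))
}
```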
Implications for the Accounting Profession
Accountants need skills to understand:
  Confidentiality
  Message Integrity
  Authentication
  Nonrepudiation
  Access Controls
  Internal Control and Risk Analysis
348
349
Chapter 11 Firewalls
350
Firewalls
Firewalls Defined
TCP/IP and Open Systems Interconnect
Components and Typical Functionality of Firewalls
Personal Firewalls
Network Topology and Demilitarized Zones
Securing the Firewall
Factors to Consider in Firewall Design
In-House Solutions versus Commercial Security Software
Limitations of the Security Prevention Provided by Firewalls
Implications for the Accounting Profession
351
What are firewalls?
Firewalls are a system, or a group of systems, that enforces an access control policy between two networks. Firewalls should have the following characteristics:
  All traffic in either direction should be tested by the firewall.
  Only authorized traffic as defined by the local security policy is allowed to pass through it.
  The firewall system is immune to penetration.
(Cheswick and Bellovin, 1994)
From the 2000 CSI/FBI study:
  58% of companies had security incidents from outside perpetrators
  59% reported that their Internet connection was a frequent point of attack
  78% reported the use of firewalls
352
Transmission Control Protocol/Internet Protocol (TCP/IP)
The TCP/IP stack includes:
  Physical/Network layer
  IP layer
  Transport layer
  Application layer
The TCP/IP stack involves interfaces with hardware, operating systems and applications.
353
TCP/IP Stack: Physical/Network Layer
Accepts packets and transmits them over the network, mapping each computer's network interface card (NIC) to a programmed IP address.
Physical networking protocols include Ethernet, Token Ring, Fiber Distributed Data Interface (FDDI), etc.
Logical networking protocols include Address Resolution Protocol (ARP) and Reverse Address Resolution Protocol (RARP).
354
TCP/IP Stack: IP Layer
Routes packets across the network, choosing the fastest path
Protocols include Routing Information Protocol (RIP), Open Shortest Path First (OSPF), Border Gateway Protocol (BGP), Interior Gateway Routing Protocol (IGRP), etc.
355
TCP/IP Stack: Transport Layer
Manages the virtual session between the two computers: receives packets, organizes them, and sends acknowledgements (ACK) back to the sender, asking for any lost packets.
Manages the transmission/reception of User Datagram Protocol (UDP) packets.
356
TCP/IP Stack: Application Layer
Manages the networking applications, formatting data for transmission on the network.
For example, Uniform Resource Locator (URL) hyperlinks involve the HTTP and HTML protocols.
357
Figure 11-1 TCP/IP and OSI models
TCP/IP stack | OSI model
Application | Application, Presentation, Session
Transport | Transport
Internet (IP) | Network
Network Interface | Data Link, Physical
358
What are the inherent security risks of the Internet?
TCP hijacking
IP spoofing
Network sniffing
Businesses need to examine the security procedures used by their Internet Service Providers (ISPs).
359
What are the categories of firewalls?
Static firewalls
  Default permit
  Default deny
Dynamic firewalls
  Allow both permit and deny to be established for a given time period
  Require more maintenance
  Provide more flexibility
360
What are the components of firewalls?
Chokes
  Limit the flow of packets between networks
  Decision to pass or block depends on the rules set up by the firewall administrator
Gates
  Control point for external connection
  Similar to a gateway server
Proxy servers
  Take the place of other servers to allow access authorization testing
361
Figure 11-2 Gates, chokes, and default deny filtering
Incoming packets (SMTP, FTP, TELNET, HTTP) reach the choke; the gate applies application-level filtering with the default-deny rule "Deny everything except FTP and TELNET". Only FTP and TELNET packets pass to the corporate internal network; the SMTP and HTTP packets are rejected.
362
Firewalls: Typical Functionality
Packet filtering: chokes and gates
Network address translation
Graphical administration
Application-level proxies
Stateful inspection
Virtual private networks
Real-time auditing and monitoring
363
Packet Filtering
Packet filtering can be performed by a router, a firewall, or both.
Transport level filtering (routers): verifies authorization for the destination network or host addresses and the destination transport connection point (port)
Granularity is the level of detailed filtering provided
Proxies are used to control network traffic at the application level
Traffic filtering is also available at the IP and transport layers
364
Figure: where application-based filtering (firewall) and packet filtering (routers) act in the TCP/IP stack
Application layer: HTTP, the desired program; application-based filtering by the firewall acts here
Transport layer: TCP or UDP, provides the connection
Network layer: IP, locates the destination IP address & routes the message
Link layer: Ethernet, physical devices
Packet-filtering routers act at the lower (transport and network) layers
365
What is IP Spoofing?
IP spoofing occurs when an attacker disguises his or her originating host, server or router as that of another host or router.
Filtering rules that deny packets arriving from the external network with an internal source address are preventive controls
Audit logs are detective controls
366
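The default-deny rule of Figure 11-2 together with the anti-spoofing rule and audit log of the IP spoofing slide, as an added Go example (not from the textbook); the Packet and Filter types, the 10.0.0.0/8 internal block and the sample traffic are constructed.

```go
package main

import (
	"fmt"
	"net"
)

// Packet is the subset of header fields the choke inspects (constructed for this example).
type Packet struct {
	Src, Dst net.IP
	Proto    string // "tcp" or "udp"
	DstPort  int
	External bool // true when the packet arrives on the Internet-facing interface
}

// Verdict is the gate's decision and the rule that produced it.
type Verdict struct {
	Allowed bool
	Rule    string
}

// Filter is a static default-deny choke: nothing passes unless a rule explicitly permits it.
type Filter struct {
	internal *net.IPNet     // the corporate internal address block
	permit   map[int]string // permitted TCP destination ports, e.g. 21 -> "FTP"
	AuditLog []string       // denied packets: the detective control of the IP spoofing slide
}

func NewFilter(internalCIDR string, permit map[int]string) (*Filter, error) {
	_, block, err := net.ParseCIDR(internalCIDR)
	if err != nil {
		return nil, err
	}
	return &Filter{internal: block, permit: permit}, nil
}

// Evaluate applies the rules in order: anti-spoofing first, then the service allow-list, then deny.
func (f *Filter) Evaluate(p Packet) Verdict {
	var v Verdict
	switch {
	case p.External && f.internal.Contains(p.Src):
		// A packet from outside claiming an internal source address is spoofed: preventive control.
		v = Verdict{false, "deny: internal source address on external interface (spoofing)"}
	case p.Proto != "tcp":
		v = Verdict{false, "deny: default (only TCP services are listed)"}
	default:
		if name, ok := f.permit[p.DstPort]; ok {
			v = Verdict{true, "permit: " + name}
		} else {
			v = Verdict{false, "deny: default"}
		}
	}
	if !v.Allowed {
		f.AuditLog = append(f.AuditLog, fmt.Sprintf("%s -> %s:%d/%s %s", p.Src, p.Dst, p.DstPort, p.Proto, v.Rule))
	}
	return v
}

func main() {
	// Figure 11-2's rule: deny everything except FTP and TELNET.
	f, err := NewFilter("10.0.0.0/8", map[int]string{21: "FTP", 23: "TELNET"})
	if err != nil {
		panic(err)
	}
	host := net.ParseIP("10.1.2.3")
	for _, p := range []Packet{ // constructed sample traffic
		{net.ParseIP("198.51.100.7"), host, "tcp", 21, true}, // FTP, permitted
		{net.ParseIP("198.51.100.7"), host, "tcp", 25, true}, // SMTP, rejected
		{net.ParseIP("198.51.100.7"), host, "tcp", 80, true}, // HTTP, rejected
		{net.ParseIP("10.9.9.9"), host, "tcp", 23, true},     // TELNET, but spoofed internal source
	} {
		fmt.Printf("%-14s port %2d -> %v\n", p.Src, p.DstPort, f.Evaluate(p))
	}
	fmt.Println("audit log entries:", len(f.AuditLog))
}
```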
Network Address Translation
Corporations save money on IP addressing costs by reassigning temporary Internet-unique IP addresses to outgoing sessions. This method also prevents external parties from learning about internal network structures.
367
Application Level Proxies
Redundant services that test the request before performing it
May require the user to authenticate before the packets are analyzed
The proxy server then establishes a session with the desired web address and requests the same file(s) as the user requested
The firewall tests for viruses and risky Java applets before passing the information to the user
368
Stateful Inspection
Compares each packet to a state table
Tracks inbound/outbound connections; authorized connections are recorded to a state table
Subsequent, identical connections are allowed without repeated authorization processes
Virus scanning and Java program scanning is more difficult than with application level proxies
369
Virtual Private Networks (VPNs)
Create a secure "tunnel" through untrusted networks
Usually require the download of client software to the remote user's machine
Connection is secured and authenticated through encrypted messages
Lower cost when compared to leased, private lines
Standard and Poor's example
370
Real-Time Monitoring and Intrusion Detection Systems
Provide robust auditing and monitoring capabilities
Can send emergency signals to the firewall administrator when a pre-determined threshold of denied access attempts is exceeded
Denied requests are logged and analyzed
Intrusion detection systems (IDS) focus on identifying outsider scanning of ports
50% of companies currently use IDS devices
371
Personal Firewalls
Free firewalls:
  Zonealarm.com
  Sygate at zdnet.com
Personal firewall functionality:
  Programmable times for denying Internet access
  Port probing monitors with reports
  Ability to deny services from remote users
  Tracking of all Internet connections
  Ability to filter out requests stemming from denial of service and Trojan horse-type attacks
372
Network Topology
Network topology refers to the physical architecture of a network system.
Server firewalls should not be the ONLY filtering control between internal and external networks. Router filtering should also be utilized.
Network topology affects network performance.
373
Figure: Internet → router → firewall system → corporate internal network (Ethernet segments)
374
What is a Demilitarized Zone (DMZ)?
A DMZ is a subnetwork that is located between the internal system and the external network.
DMZs increase the cost of the firewall system and slow the processing time
Access is controlled but not prevented by firewall technology
Can lie between two firewalls
Can lie off of a separate segment from one firewall
Can also host e-Commerce servers, Web servers, FTP servers, etc.
Traffic that originates from the DMZ and is destined for internal systems should be limited and controlled
375
Figure: Internet → filter (Internet access router) → gateway systems in the demilitarized zone → filter (bastion host) → corporate internal network
376
Securing the Firewall: Policy
Network Security Access Policy: a high-level policy
  Network security services allowed must be defined, as well as how they may be used
  Processes that must be followed to make changes to rule bases must be determined
  Processes for acceptable exceptions to policy, and the supporting documentation necessary, must be determined
Firewall Design Policy: addresses how the denied services will be restricted and how the allowed services will be permitted
377
Securing the Firewall
Firewall security should include the following:
  Firewall policy
  Firewall administration
  Firewall services
  Internal firewalls
  Authentication: individual-level controls
  Operating system controls
378
EXAMPLES
Computer Resources Security Policy
  Floppy disk and hard drive back-up
  Shredding of printed, unclaimed, sensitive documents
  Virus scanning software
Network Service Access Policy
  General rule: deny access to a specific host computer from internal addresses
  Exception: allow selected internal users using strong authentication devices to access this system next Wednesday from PM
Firewall Design Policy
  How will requests be directed to a specific site?
  How will FTP PUT commands be restricted?
379
Securing the Firewall: Policy Generation
The order of policy formation is important:
  Start with the computer resources policies
  Then design network service access policies, clearly stating the procedures for exceptions to be qualified and authorized
  Then design firewall policies
    How denied services will be restricted
    How permitted services will be allowed
380
Securing the Firewall: Administration
The 1998 CSI/FBI survey reported mismanagement as the number 1 reason for firewall breaches: 93% were due to firewall weakness and mismanagement
Rule-bases should be periodically reviewed
Administration procedures should be documented and followed
The number of administrator accounts should be limited and one-time passwords used
381
Securing the Firewall: Services
Only approved vendor software should be used
Unnecessary and potentially dangerous services should not be used:
  TELNET and FTP: allow remote users to log in
    Use strong passwords that are linked to specific terminals/locations, with encrypted storage and transmission
    Use proxy FTP servers, and DMZs
    Monitor connection attempts
  Finger services
  Authorization and use logs: deny/block access to these files
382
Securing the Firewall: Internal Firewalls
Internal network topology can include a backbone supporting several subsystems that need their own firewalls. This modularization of subsystems effectively limits the total area that is compromised when hackers access one area. Internal firewalls protect against internal threats.
383
Securing the Firewall: Operating System Controls
User and group settings
File and directory permissions
Remote file system access
Operating system initialization files
Scheduling of jobs
Other core operating system settings
Trust relationships
Networking services monitoring
384
Firewall Design Factors
Deny Capability: the firewall should be able to support a "deny all services, except those specifically permitted" policy.
Filtering: the ability to judiciously and dynamically employ filtering techniques, such as permit or deny services, for each host system is crucial to a good firewall design.
Security Policy: developing a security policy is a precursor to designing and implementing effective firewalls.
385
Firewall Design Factors (cont.)
Dynamic: networking environments are fluid and the firewall design should allow agility.
Authentication: the firewall design should utilize strong authentication devices and be continually updated to incorporate the most advanced and feasible authentication devices that emerge.
Flexible Filtering: the firewall should employ a flexible IP filtering language that can filter on as many attributes as is deemed necessary: source and destination transport connections, IP addresses, and inbound and outbound interfaces.
386
Firewall Design Factors (cont.)
Recognize Dangerous Services: it should identify such services and either disable them for outside users or use proxy services in DMZs to reduce exposure from such services.
Filter Dial-in Access: it should be able to filter dial-in access and limit access ports.
Audit Logs: it should log traffic and suspicious activity and should display it in an easy-to-understand format.
Current Version: it should have the most secure version of the operating system installed, with patches for all known problems installed as well.
387
Firewall Design Factors - (cont.)
Good Documentation - The firewall development process should be implemented in a fashion that provides checkpoints and a verifiable log of actions taken during its development, implementation, and maintenance.
388
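The "deny all services, except those specifically permitted" policy and attribute-based filtering described above, as an added example that is not from the textbook: a small stateless packet filter in Python that evaluates an ordered rule list first-match with an implicit final deny, filtering on source and destination address, protocol, destination port and arrival interface. The rule set, the addresses (RFC 5737 documentation ranges) and the sample packets are constructed for this illustration.

```python
# Added illustration of a default-deny packet filter; not the textbook's code.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "icmp" or "any"
    src: str                     # CIDR; "0.0.0.0/0" matches any source
    dst: str                     # CIDR; "0.0.0.0/0" matches any destination
    dport: Optional[int] = None  # None matches any destination port
    iface: str = "any"           # interface the packet arrives on, or "any"


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int]
    iface: str


def _matches(rule: Rule, pkt: Packet) -> bool:
    """True only when every attribute of the rule covers the packet."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.iface != "any" and rule.iface != pkt.iface:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst))


def decide(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; a packet no rule permits is dropped."""
    for rule in rules:
        if _matches(rule, pkt):
            return rule.action
    return "deny"  # the implicit "deny everything else" at the end of the chain


# Constructed policy for a DMZ web server at 203.0.113.10.
POLICY = [
    # Anti-spoofing: internal addresses must never arrive on the outside interface.
    Rule("deny", "any", "10.0.0.0/8", "0.0.0.0/0", iface="outside"),
    Rule("permit", "tcp", "0.0.0.0/0", "203.0.113.10/32", dport=443),
    Rule("permit", "tcp", "0.0.0.0/0", "203.0.113.10/32", dport=80),
    # Administrative SSH only from the management subnet, only via the inside interface.
    Rule("permit", "tcp", "10.1.0.0/24", "203.0.113.10/32", dport=22, iface="inside"),
]

if __name__ == "__main__":
    for pkt in [
        Packet("tcp", "198.51.100.7", "203.0.113.10", 443, "outside"),  # permit
        Packet("tcp", "198.51.100.7", "203.0.113.10", 22, "outside"),   # deny
        Packet("tcp", "10.1.0.5", "203.0.113.10", 22, "inside"),        # permit
        Packet("tcp", "10.1.0.5", "203.0.113.10", 22, "outside"),       # deny (spoofed)
    ]:
        print(pkt, "->", decide(POLICY, pkt))
```

Because the chain ends in `deny`, any service an administrator forgets to list is closed rather than open, and the spoofing rule is placed first so that it is consulted before any permit; rule order is part of the policy and should be kept in the documented, verifiable log the textbook calls for.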
Choosing a Firewall Vendor: In-house Solutions vs. Commercial Security Software
The reputation of the vendor. Request references!
Does the software meet the requirements in the network service access policy/firewall design policy?
Does the vendor have 24-hour, 365-days-a-year support? How reliable is this support?
Does the vendor provide training?
How timely does this vendor release updates/patches? Do they provide support for installing security patches?
How does this software fit in with future networking expansion plans?
Limitations of Security Provided by Firewalls
Firewalls are just one component of security.
Firewalls are continually changing.
Firewalls can only protect a firm from the types of attacks the firm has included in its policies and rules.
Firewall users need to be aware of risks associated with attached files.
Humans may over-rely on their firewall's capabilities - this is dangerous!
Implications for the Accounting Profession
New opportunities exist in the areas of:
Penetration Testing and Risk Exposure
Provider of Network Solutions
Forensic Accounting
Intrusions Investigation
Chapter 12 Electronic Commerce Payment Methods
What are the different e-Commerce Payment Methods?
The SET Protocol
Magnetic Strip Cards
Smart Cards
Smart Cards and Mobile Commerce
Electronic Checks
Disposable Credit Card Numbers
Electronic Cash
Implications for the Accounting Profession
Chapter 12 Objectives
To distinguish between alternative electronic payment mechanisms
To understand the underlying structure of the SET protocol and how it is different from SSL
To understand the role of certificate authorities in electronic payment processes
How can you pay/get paid online?
Credit cards
Magnetic strip cards
Smart cards
Electronic checks
Debit cards
Electronic cash
Secure Sockets Layer (SSL)
Works well for data confidentiality.
Not so well for authentication unless the sender, not the server, has a digital certificate registered with a trusted third party, such as VeriSign.
Depiction of SSL Process (steps reconstructed from the flattened diagram)
Sender:
1. Encrypt the cleartext message with the private DES key, producing the encoded message.
2. Encrypt the DES key with the receiver's RSA public key.
The encoded message and the encrypted DES key are transmitted.
Receiver:
3. Decrypt the DES key with the RSA private key.
4. Decrypt the encoded message with the DES private key, recovering the cleartext message.
Secure Electronic Transaction (SET) Protocol
Developed jointly by MasterCard and VISA to provide a secure environment for transmission of credit card information.
Version 1.0 features include:
Confidentiality of information: encryption
Integrity of data: digital signatures and certificates
Cardholder account authentication: digital signatures and certificates
Interoperability: defined protocols and message formats
SET vs. SSL
Feature | SET | SSL
Secure transmission of data | Yes | Yes
Identify authorized purchasers | Yes | No
Verify validity of account | Yes | No
Identify legitimacy of payment brand for merchants | Yes | No
Track sales slips and totals | Yes | No
Validate merchant's credit policy | Yes | No
SET transaction flow (reconstructed from the flattened diagram; parties: Cardholder, Merchant, Payment Gateway (Acquirer), Certificate Authority)
Cardholder and Merchant send registration information to the Certificate Authority, which issues their certificates.
Cardholder sends a purchase request to the Merchant; the Merchant returns a purchase response.
Merchant sends an authorization request to the Payment Gateway; the Payment Gateway returns an authorization response.
Verification of the trust chain takes place against the Certificate Authority's certificates.
The Payment Gateway (Acquirer) authorizes and processes the transaction.
What are the four SET Components?
Wallet - performs cardholders' authentication
Merchant Server - authenticates the merchant and its accepted payment brand
Payment Gateway - processes payments and authorizations
Certificate Authority - manages certificates for wallets and merchants; allows for branding
Approved Extensions to SET
Payment instructions will include:
B0' card (French product) information to be included in the payment instructions
Hardware token information
PINs
Exchange of payment options in Japan
Allows the merchant party to use SET while the other parties do not have to
Transports chip card data in the purchase request message
Transports track-2 data in the purchase request message
Allows the purchase request message to carry credit card verification data
What is the Certificate Trust Chain?
A hierarchy of trust used to verify the certificates used in SET transactions.
SET's root certificate authority is off-line and performs the following functions:
Generates and securely stores the SET root certificate authority's public and private keys
Generates and "self-signs" the SET root certificate authority's certificates
Processes brand certificate requests and generates SET brand certificate authority certificates
Generates and distributes certificate revocation lists
(SETCo, 1999)
Certificate Authority Signature (hierarchy reconstructed from the flattened diagram)
Off-line Root's certificate (made available by SETCo)
  signs, with the Root certificate authority's signature, the Brand's certificate
    which signs, with the Brand certificate authority's signature, the Cardholder's, the Merchant's and the Payment Gateway's certificates
Adapted from SETCo's Specification, Version 1.0
What cryptography does SET use?
Both symmetric (private) keys and public-private key pairs are utilized.
Digital envelope:
The message encrypted with the sender's private symmetric key, and
The sender's private symmetric key encrypted with the recipient's public key.
Message digests are utilized with the digital envelopes to protect:
The integrity of the message
Message confidentiality during transmission
That only the intended recipient can decode the digital envelope
Authentication of the sender
What are dual signatures?
They incorporate the generation of two messages, one for the acquirer and one for the merchant.
Each message contains only the information that is essential to that particular party, in order to protect the privacy of as much information as possible.
Dual signature example (reconstructed from the flattened diagram; parties: Bidder/Purchaser, Auction House/Merchant, Bidder's Financial Institution's Acquirer)
Bidder: places a silent bid for a rare item and calculates MD1, MD2 and DSMD.
1a. Bidder to Auction House: message includes the $ amount offered and for which items, but no account information; MD2 and DSMD encrypted with the Bidder's private key.
1b. Bidder to Acquirer: message authorizes payment to the auction house if the offer is accepted, but gives no details about what item is bought; MD1 encrypted with [key not recoverable from the diagram].
2. Auction House: decrypts the message with the Bidder's public key, recomputes MD1, and determines whether to accept the bid.
3. Auction House to Acquirer: message that the offer from the Bidder is accepted; MD1 encrypted with the auction house's private key.
4. Acquirer: decrypts 1a with the Bidder's public key and recomputes MD2; decrypts 3 with the auction house's private key and now has MD1; combines MD1 and MD2; recomputes the dual signature and verifies it against the DSMD sent by the Bidder.
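The digital envelope and the dual signature described above (and the SSL key-exchange steps earlier in the chapter), as an added example rather than code from the textbook or from SETCo: the cardholder signs the concatenated digests of the order information (OI) and payment instructions (PI) once, so the merchant can verify it knowing only OI plus the digest of PI, and the acquirer knowing only PI plus the digest of OI; the PI itself travels to the gateway inside a digital envelope. Textbook RSA with freshly generated 512-bit keys, a SHA-256 counter-mode keystream standing in for DES, and SHA-256 as the digest function are substitutions assumed here so the block runs on the Python standard library alone; the function names and the sample order and payment data are likewise constructed.

```python
# Added illustration of SET's digital envelope and dual signature; toy primitives,
# not SETCo's implementation and not suitable for real use.
import hashlib
import random
import secrets


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin probable-prime test (assumed helper for key generation)."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # top bit and odd
        if _is_probable_prime(cand):
            return cand


def rsa_keygen(bits=512):
    """Return ((n, e), (n, d)). 512-bit keys keep the demo quick; they are NOT secure."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def _rsa(x, key):
    n, exp = key
    return pow(x, exp, n)


def _h(data):
    return hashlib.sha256(data).digest()


def sign(data, priv):
    """Textbook RSA over the SHA-256 digest; no padding (toy only)."""
    return _rsa(int.from_bytes(_h(data), "big"), priv)


def verify(data, sig, pub):
    return _rsa(sig, pub) == int.from_bytes(_h(data), "big")


def _keystream_xor(key, data):
    """Symmetric stand-in for DES: SHA-256 counter-mode keystream XORed with the data."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def seal_envelope(message, recipient_pub):
    """Digital envelope: message under a fresh symmetric key, that key under RSA."""
    sym_key = secrets.token_bytes(32)
    wrapped = _rsa(int.from_bytes(sym_key, "big"), recipient_pub)
    return _keystream_xor(sym_key, message), wrapped


def open_envelope(ciphertext, wrapped, recipient_priv):
    sym_key = _rsa(wrapped, recipient_priv).to_bytes(32, "big")
    return _keystream_xor(sym_key, ciphertext)


def dual_sign(order_info, payment_info, cardholder_priv):
    """DS = Sign(H(H(OI) || H(PI))): one signature binds both halves of the purchase."""
    md1, md2 = _h(order_info), _h(payment_info)
    return md1, md2, sign(md1 + md2, cardholder_priv)


def merchant_checks(order_info, md2, ds, cardholder_pub):
    """The merchant holds OI in the clear and only the digest of PI."""
    return verify(_h(order_info) + md2, ds, cardholder_pub)


def acquirer_checks(md1, payment_info, ds, cardholder_pub):
    """The acquirer holds PI in the clear and only the digest of OI."""
    return verify(md1 + _h(payment_info), ds, cardholder_pub)


def run_purchase():
    """One purchase with constructed sample data; returns the outcome of each check."""
    ch_pub, ch_priv = rsa_keygen()  # cardholder's key pair
    gw_pub, gw_priv = rsa_keygen()  # payment gateway's (acquirer's) key pair
    oi = b"order: 1 rare first edition, offer USD 1200"
    pi = b"payment: constructed account data, authorize up to USD 1200"
    md1, md2, ds = dual_sign(oi, pi, ch_priv)
    ct, wrapped = seal_envelope(pi, gw_pub)  # PI relayed via the merchant, sealed
    pi_at_gw = open_envelope(ct, wrapped, gw_priv)
    return {
        "merchant_ok": merchant_checks(oi, md2, ds, ch_pub),
        "acquirer_ok": acquirer_checks(md1, pi_at_gw, ds, ch_pub),
        "tamper_detected": not merchant_checks(oi.replace(b"1200", b"12"), md2, ds, ch_pub),
        "envelope_roundtrip": pi_at_gw == pi,
    }
```

The point to take from the block is the split of knowledge: neither verifier can reconstruct the half it was not given, yet both confirm that the cardholder signed the two halves together, so an altered order (the `tamper_detected` case) or a payment instruction swapped in from another purchase no longer matches the single signature.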
SET Logo/Compliance Testing
Must submit results of test case data.
SETCo reviews the software capabilities and the accuracy of performance of the essential functionalities of the SET protocol using this data set of test cases.
To see an updated version of organizations that have passed compliance testing see
Magnetic Strip Cards
Over 1 billion used worldwide
Cards have magnetically encoded strips with data, usually with standard data methods.
On-line - reads data and accesses a database
Off-line - all necessary data is stored on the card
Smart Card - more processing and storage
Hybrid cards - combine magnetic card and smart card technologies
[Figure: layout of a magnetic strip ID card - user's picture, ISO magnetic field, identification code, and a special magnetic field used for photocopy machines]
[Figure: Lehigh's campus card, reconstructed from the flattened diagram]
On-line magnetic strip component (connected to Lehigh's central computer): buildings access, checkout of library books
Off-line magnetic strip component: various campus dining places, various photocopying machines, laundry equipment, vending
What are smart cards?
Contain a microprocessor and storage unit.
Need a special reader attached to computers in order to perform.
More durable, but less expensive
Memory smart cards - less processing, used for simple storage, like holding spending money
Microprocessor smart cards - additional feature of greater storage and processing capabilities
Contactless smart cards - for wave-bys as in transportation applications
Electronic Purse - refers to the monetary value that is stored on the microprocessor
Open Transaction Platform protocol by Funge Systems
Smart card deployments by sector
LOYALTY PROGRAMS: Boots Advantage - over 10 million cards; Shell - over 5 million cards
HEALTHCARE PROGRAMS: Gemplus Belgian Social Identity Cards - over 11 million cards; Slovenian National Health Insurance Cards - over 2 million cards
FINANCIAL: Germany, GeldKarte - over 40 million; French Chip Card (GIE Carte Bancaire) - over 25 million
TELEPHONY: Mobile telephone industry - over 250 million smart cards in use worldwide
MASS TRANSIT: Motorola & Amtrak - expected more than 10 million smart cards
EDUCATION: U.S. college IDs - over 1 million smart cards
Smart card payment cycle (reconstructed from the flattened diagram; parties: Consumer, Merchant, Bank)
1. The smart card holder inserts the card into a machine and downloads money onto the microprocessor on the card.
2. The consumer pays for merchandise/service by inserting the smart card into the merchant's smart card reader.
3. At the end of the day, the merchant inserts a smart card to receive a download of the day's sales.
4. The merchant takes the card to the bank for credit for the day's sales, or for cash.
(McGraw-Hill, 2001)
American Express Blue Smart Card
The Blue Card has both a magnetic strip for traditional credit card use and a smart chip for Internet purchases.
The electronic purse has the following characteristics:
Purchasing history
Shipping and billing data
Card number
Automatic completion of online forms
User ID and password recording/entering at many merchants
Smart Cards and Mobile Commerce
Telephones/PDAs that have smart card reader slots allow smart cards to be used to:
Pay for items purchased over the telephone
Download money from bank accounts to a smart card
Transfer balances between accounts
Check bank account balances
Secure Authenticated Counter (SAC) - to authenticate and secure payments using business rules and screening systems
Mobile Devices and e-Commerce
Telephones and Personal Digital Assistants conduct electronic payments by:
Storing the electronic purse on a smart card that inserts into a wireless device
Storing the electronic purse on a chip in the wireless device
Storing the electronic purse remotely on the financial institution's server
[Figure 12-10: Wireless, smart card phone growth]
[Figure 11-12: Projected users of wireless financial services]
What are electronic checks?
The payor instructs its financial institution to pay a specific amount to another party, the payee.
The consumer requests the online bill and initiates payment: fills in the form, verifies, and submits the payment.
Funds are transferred to the business owed, typically with an ACH transfer.
BillPoint and PayPal are new services that allow consumer-to-consumer check services.
Biller Presentment Systems
Allow customers to view and pay bills from the payee's web site.
CyberCash estimates that a company can cut bill processing costs by as much as 50% by hosting a biller presentment system.
Bill Concentrators - a third party that performs the functions of bill presentment and payment transfer (example: FirstUnion)
Electronic Billing Methods
Internet websites can perform the following:
Present the bill to the payor
Allow the payor to initiate payment of the invoice
Provide remittance information
Allow the payor to initiate automatic payment authorizations for a specific amount or for a range of amounts
Interface with financial management software and transaction processing software
Allow payments to be made to new businesses with which the payor has never before transacted
Figure 12-13 American Express' one-time-use credit card number (flow reconstructed from the flattened figure)
1. Register with AmericanExpress.com for online services (the credit card number must be entered at this point).
2. Download the software (free).
3. Shop online.
   At an American Express profiled site: the Private Payments box appears on screen automatically.
   At a non-American Express profiled site: click on the AE Private Payments icon in the tray that is always on the screen.
4. Login screen (user ID and password).
5. Select which credit card to use (if you have multiple cards).
6. View the unique, one-time-use credit card number and expiration date.
7. Type or drag the unique, one-time-use credit card number and expiration date into the merchant's standard form.
Disposable Credit Card Numbers
American Express and Discover created one-time-use credit card numbers.
Work like an imprest account, set up beforehand for exactly the purchase amount.
Merchants never see the true credit card number.
Slow in adoption because it requires an extra step over the smart card.
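The imprest-style behaviour of a disposable number, as an added example that is not American Express's or Discover's system: the issuer keeps a table mapping each surrogate number to the real account, the amount it was set up for and the merchant it was issued to, and authorizes at most one charge against it. Every name, the merchant lock, the sample account identifier and the amounts are constructed for this illustration; a real issuer would also fix the BIN prefix and apply an expiry.

```python
# Added illustration of an issuer-side table for one-time-use card numbers;
# constructed sample data, not any card network's implementation.
import secrets
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict


@dataclass
class OneTimeNumber:
    real_account: str   # never returned to the merchant
    limit: Decimal      # set up in advance for exactly the purchase amount
    merchant: str       # assumed lock to the merchant it was issued for
    used: bool = False


class Issuer:
    def __init__(self) -> None:
        self.tokens: Dict[str, OneTimeNumber] = {}

    def issue(self, real_account: str, amount: str, merchant: str) -> str:
        """Hand the shopper a fresh 16-digit surrogate bound to one amount and merchant."""
        number = "".join(str(secrets.randbelow(10)) for _ in range(16))
        self.tokens[number] = OneTimeNumber(real_account, Decimal(amount), merchant)
        return number

    def authorize(self, number: str, amount: str, merchant: str) -> str:
        """Merchant's authorization request; only the decision leaves the issuer."""
        tok = self.tokens.get(number)
        if tok is None:
            return "decline: unknown number"
        if tok.used:
            return "decline: already used"      # replay of a captured number
        if tok.merchant != merchant:
            return "decline: wrong merchant"
        if Decimal(amount) > tok.limit:
            return "decline: over limit"        # the imprest amount is the ceiling
        tok.used = True                          # spend the number, not just the money
        return "approved"


if __name__ == "__main__":
    issuer = Issuer()
    n = issuer.issue("constructed-account-001", "49.99", "bookshop")
    print(n, issuer.authorize(n, "49.99", "bookshop"))   # approved
    print(n, issuer.authorize(n, "49.99", "bookshop"))   # decline: already used
```

Marking the number as spent before returning the approval matters: a copy of the surrogate taken from the merchant's systems cannot be charged a second time, and the real account identifier never crosses the merchant boundary at all.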
Electronic or Digital Cash
Prepaid, stored value that can be used for electronic purchases in lieu of cash.
Used primarily for anonymity: PayPal (not anonymous), DigiCash (anonymous).
An "embossment" process is used to add value to a "coin" from a user's account without recording any information linking the user to the embossed coin.
Electronic cash flow (reconstructed from the flattened diagram; parties: Alice, Bank, Merchant)
1. Alice creates a blank coin ($1) and places it in a digital envelope.
2. The Bank removes $1 from Alice's account and "embosses" the digital envelope and blank coin with a validating signature.
3. Alice removes the coin from the digital envelope.
4. Alice spends the coin at the Merchant.
5. The Merchant redeems the coin at the Bank.
6. The Bank recognizes its own "emboss" (validating signature) and honors the coin.
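The "embossment" step above, as an added example that is not from the textbook or from DigiCash: a Chaum-style RSA blind signature. Alice blinds the coin's serial number with a random factor before the bank signs it, so the bank never sees the serial it is signing and cannot link the coin it later redeems to the account it debited; the bank recognises its own signature at redemption and keeps a list of spent serials to reject double spending. The bank key is a toy built from two known Mersenne primes so the block runs on the standard library; it is far too small for real use, and the account debit is left out.

```python
# Added illustration of blind-signature "embossing"; toy key, not DigiCash's code.
import secrets
from math import gcd

# Toy bank key: factors are public Mersenne primes, so this is NOT a secure modulus.
P, Q = (1 << 31) - 1, (1 << 61) - 1
N = P * Q
E = 65537                               # bank's public exponent
D = pow(E, -1, (P - 1) * (Q - 1))       # bank's private ("embossing") exponent


class Bank:
    def __init__(self) -> None:
        self.spent = set()              # serial numbers already redeemed

    def emboss(self, blinded_coin: int) -> int:
        """Sign the blinded value it is handed; the serial number stays hidden."""
        return pow(blinded_coin, D, N)  # (debiting Alice's account omitted)

    def redeem(self, serial: int, signature: int) -> bool:
        """Honour a coin only if it carries the bank's signature and is unspent."""
        if pow(signature, E, N) != serial % N:
            return False                # not our emboss: forged or altered coin
        if serial in self.spent:
            return False                # double-spend detected
        self.spent.add(serial)
        return True


def mint_coin(bank: Bank):
    """Alice: pick a serial, blind it, have it embossed, then unblind the signature."""
    serial = secrets.randbelow(N - 1) + 1            # coin's secret serial, < N
    while True:
        r = secrets.randbelow(N - 1) + 1             # blinding factor, invertible mod N
        if gcd(r, N) == 1:
            break
    blinded = (serial * pow(r, E, N)) % N            # all the bank ever sees
    signature = (bank.emboss(blinded) * pow(r, -1, N)) % N   # = serial^D mod N
    return serial, signature


def demo():
    """Mint one coin, then redeem it once, twice, and with a wrong serial."""
    bank = Bank()
    serial, sig = mint_coin(bank)
    first = bank.redeem(serial, sig)            # merchant deposits the coin: True
    second = bank.redeem(serial, sig)           # same coin presented again: False
    forged = bank.redeem(serial + 1, sig)       # signature does not fit: False
    return first, second, forged
```

The unblinding works because `(serial * r^E)^D = serial^D * r` modulo `N`, so multiplying by `r^-1` leaves a valid signature on a value the bank never saw; the spent-serial set is what turns "the bank recognizes its own emboss" into a defence against spending the same coin twice.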
Implications for the Accounting Profession
Audit Implications - the only method that can be used to trace an electronic transaction is to understand the underlying programs and digital methods used to create the transaction
Electronic Bill Presentment and Payment Systems
Service Provider Opportunities