Introduction and background research
Electronic shopping brings advantages to both buyers and sellers. For buyers, it makes it easy to study the features of various products and compare their prices in a global market, which allows them to select and purchase the best possible product.
"For business organisations, the prime objective is to manage this fundamental formula. Profit = Revenue - cost."(Kalakota and Whinston 1997). According to Kalakota (1997), e-commerce is attractive because it can be used to raise profit by increasing revenue while decreasing cost.
An e-commerce system is a three-tier client/server computing system, where the client is a customer who sends a request to the server. The server side comprises a web server, an application server and a database. The web server interacts with the client as well as with the application server. Information transfer occurs via the Internet and is governed by the Hypertext Transfer Protocol (HTTP), an application-layer protocol; the web server and the web client communicate with each other using HTTP. "In consumer oriented systems, the client side is typically a user on a personal computer with a web browser to interact with the e-commerce system. In business oriented systems, the client side could be 1) a user on a personal computer with a web browser to interact with the e-commerce system. 2) an organisational system that is capable of carrying out purchasing and updating its own electronic documents and databases." (Chan et al. 2001).
In an e-commerce system, the web browser is the interface through which a client accesses the server. For instance, in an online book store, customers access the web server and the application server through their web browsers. Generally, a proxy web server is also set up to enhance security. In that case the client accesses the proxy web server rather than the other web servers directly: the client first issues a request to the proxy, and the proxy retrieves the web page from the web server and returns it to the client. Because the proxy keeps cached copies of the web pages, retrieval time is greatly reduced and other users can be served from the cache as well.
Security and Privacy issues
Web-based technologies impose four major security requirements on behalf of clients: authentication, authorisation, confidentiality and integrity.
Authentication is one of the major security issues in online shopping. It is the technique by which the identity of the user is corroborated, and it is accomplished by methods such as asking for a username and password, matching fingerprints or other biometric details, using credit cards, etc.
Nowadays, authentication using credit cards is the more popular method. This technique has made life easier, since the customer need not go to a shop to make a purchase. Instead, he can do the same sitting at home by providing details such as the "card number", its "expiry date", the customer's name and the "card verification value (CVV) number" of the card. However, this method also renders customers more susceptible to fraud and identity theft, because all of the above details are clearly visible on the card itself. In order to avoid this, the following methods are recommended.
A secondary password should be created and used by the customer wherever the credit card is not presented physically. This is accomplished by a technology called "3-D Secure", which is offered as "Verified by VISA (VbV)" by "VISA" and as "MasterCard SecureCode" by "MasterCard" respectively. "VbV" certifies that only the legitimate user can carry out online transactions. The major purpose of the "VbV" service is to keep both the customer's and the seller's confidence alive, and the service is offered at no charge. Customers register with the service at the bank's website, using details which appear on the card, such as the "card number", "customer's name", "expiry date" and "CVV number", together with details which do not appear on it, such as the date of birth and the user's "ATM PIN". After this, the customer can access the website using the "VbV" password, thereby reducing scams and fraud.
Confidentiality, reliability and integrity play a significant role in securing a message. Confidentiality confirms that the message reaches only the particular recipient for whom it was sent; reliability substantiates the source of the message; and integrity confirms that the message is unaltered.
Encryption is a technique used to secure data during transmission. For instance, if a customer wants to purchase a book from an online book store, encryption can be used while he makes his payment. "Basically, the original message, known as plain text is passed through an encryption process. The output message is called the cipher text, which is a scrambled message." (Chan et al. 2001). The encryption process is governed by an encryption key, which can be a binary number. Decryption occurs at the receiving side, where the cipher text is passed through a decryption process governed by a decryption key. There are two types of encryption, namely symmetric and asymmetric key encryption. In symmetric key encryption the encryption and decryption keys are the same, whereas they are different in asymmetric key encryption. In both methods the keys must be created and stored in a secure manner. The Data Encryption Standard (DES) is a symmetric key encryption method invented by IBM. "For years DES was an excellent standard, but now fast computers have negated many of its benefits. Since there are only 70,000,000,000,000,000 combinations, modern parallel super computers can crack it fairly quickly." (Smith 2004). As a result, DES has been replaced by triple DES.
For online transactions, the Secure Sockets Layer (SSL) encryption method is employed. Here, the communication is carried out through various sockets, each of which has a different IP address. SSL uses public key encryption to form a secure connection, but the seller does not possess a public and private key pair on his own. He acquires the pair by means of a digital certificate, which confirms the identity of the seller and also provides his public key to the customers.
The digital signature is one of the finest techniques for ensuring that the sender actually sent the data and that the data is preserved; in other words, it ensures the integrity of the data. It is built on the public key (asymmetric) encryption method, through which the source of the message is confirmed. A digital signature is produced by first computing the message digest of the data and then encrypting that digest with the sender's private key. The digital signature is then transferred along with the message. At the receiving side, the signature is decrypted using the sender's public key to recover the original digest, and the message digest of the received message is calculated independently. The two message digests are then compared: if they are the same, the integrity of the data is ensured.
DSA and RSA are the major models of digital signature in use. The Digital Signature Algorithm (DSA) is the standard of the National Institute of Standards and Technology (NIST). However, it is used only to create a digital signature, not to encrypt data. RSA is used both to encrypt data and to create digital signatures.
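The sign-and-verify flow described above, as an added example that is not part of the original essay: the sender hashes the message and "encrypts" the digest with the private key, and the receiver "decrypts" it with the public key and compares it against a freshly computed digest. The RSA key is a constructed toy key built from two small known primes, far too small for real use, so the digest is truncated to fit below the modulus.

```python
import hashlib

# Constructed toy RSA key from two known primes (2^61-1 and 2^31-1).
# Deliberately tiny: the point is the sign/verify flow, not key strength.
P = (1 << 61) - 1
Q = (1 << 31) - 1
N = P * Q
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)


def message_digest(data: bytes) -> int:
    """Hash the message with SHA-256 and truncate to 64 bits so the digest
    is below the toy modulus N. Real RSA signatures pad a full-length digest."""
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")


def sign(data: bytes, d: int = D, n: int = N) -> int:
    """Sender: compute the digest and encrypt it with the private key."""
    return pow(message_digest(data), d, n)


def verify(data: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Receiver: decrypt the signature with the public key to recover the
    sender's digest, then compare it with a digest of the received message."""
    recovered = pow(signature, e, n)
    return recovered == message_digest(data)


if __name__ == "__main__":
    # Constructed order message from a customer to the book store.
    order = b"order 1001: 1 x 'E-Commerce, Fundamentals and Applications' @ 45.00"
    sig = sign(order)
    print("signature valid on original :", verify(order, sig))
    # Any change to the message (here the price) yields a different digest,
    # so the signature no longer verifies.
    tampered = order.replace(b"45.00", b"4.50")
    print("signature valid on tampered :", verify(tampered, sig))
```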
Some major threats and their removal:
"Phishing" is one of the major security threats to customers in online shopping. The term refers to the theft of a customer's identity details, such as credit card details, user name and password, at the time a payment is made. To avoid this, various "phishing filters" are employed. The main function of a phishing filter is to warn the user about suspicious web sites. This is supported by some browsers, namely "Windows Internet Explorer 7 and 8", the "Windows Live Toolbar", etc. In these browsers, the phishing filter has to be enabled before it takes effect.
Hence, a customer needs to enable the phishing filter option in his browser before making his payment, and if a website is found to be a phishing site, it can be reported through the browser options. From the seller's point of view, the website can be marked as safe by selecting the "Report this site as safe" button in the feedback feature built into the phishing filter. Further, to prevent the seller's web page from being flagged as suspicious by the phishing filter, the following practices should be followed:
- If personal details are to be requested, the site's Secure Sockets Layer (SSL) certificate should be issued by a Certification Authority (CA).
- The site's URL should use a Domain Name System (DNS) host name instead of a raw IP address, as a bare IP address renders the website more vulnerable to hackers.
Conclusion and critical evaluation
Some preventive measures:
- In order to stay away from security threats, a customer should go directly to known shopping websites rather than relying on a Google search, as most of the sites returned are bogus.
- As workplaces or workstations have a secure local area network (LAN), shopping from those places is safer.
- Purchasing original software from vendors' websites is recommended rather than using pirated software, which may contain hidden security threats.
- When purchasing software online, software that includes security features is recommended, and the seller's price should be approximately equal to the normal price of the software.
Installing firewalls:
Firewalls are installed to act as a barrier that protects systems from possible attacks. The main purpose of a firewall is to provide security to the local area network and to the individual computer itself. All network traffic entering and leaving the network must pass through the firewall. Besides providing security to the network, firewalls can also translate local network addresses to global network addresses. There are three major types of firewalls, namely:
Packet filtering router:
A packet filtering router is configured at the network layer and provides only limited access control. Data packets are forwarded or dropped depending on the IP addresses and port numbers of the source and destination. Some services can be restricted to users who are not registered. For instance, the firewall of an online book store can be configured to prevent external users from accessing a service such as TELNET by dropping data packets destined for port number 23.
Application Gateway or Proxy Server:
This type of firewall functions at the application layer of the network. Before a particular application can be used, its proxy service needs to be installed on the firewall. Here, the connection between the source and the destination passes through the application gateway. It can restrict users from downloading executable files, which reduces the risk of virus attacks. It also keeps the IP addresses of the users hidden. For instance, in an online book store, when a customer sends his personal information out of the network, the customer's IP address is kept hidden because the IP packets carry the application gateway's address as their source IP address.
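A first-match packet filter of the kind described for the packet filtering router, as an added example that is not from the original essay. The rule set and the sample packets are constructed: internal hosts are assumed to be in 10.0.0.0/8, outsiders may reach only the web ports, and TELNET (port 23) is dropped for everyone outside the network; anything no rule matches is denied.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str        # source IP address
    dst: str        # destination IP address
    dst_port: int   # destination port number


@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    src_net: str              # CIDR of the sources this rule applies to
    dst_port: Optional[int]   # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        in_net = ip_address(pkt.src) in ip_network(self.src_net)
        port_ok = self.dst_port is None or pkt.dst_port == self.dst_port
        return in_net and port_ok


# Constructed rule set for the book store's router (evaluated top to bottom).
INTERNAL_NET = "10.0.0.0/8"           # assumed address range of the store's LAN
RULES: List[Rule] = [
    Rule("allow", INTERNAL_NET, None),  # internal hosts may use any service
    Rule("deny", "0.0.0.0/0", 23),      # block TELNET from everyone else
    Rule("allow", "0.0.0.0/0", 443),    # outsiders may reach HTTPS
    Rule("allow", "0.0.0.0/0", 80),     # outsiders may reach HTTP
]


def filter_packet(pkt: Packet, rules: List[Rule] = RULES) -> str:
    """Return the action of the first matching rule; default is deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


if __name__ == "__main__":
    # Constructed sample traffic: 203.0.113.0/24 is a documentation range
    # standing in for an external customer; 10.0.0.8 is the store's server.
    samples = [
        Packet("203.0.113.5", "10.0.0.8", 23),    # external TELNET  -> deny
        Packet("10.0.1.20", "10.0.0.8", 23),      # internal TELNET  -> allow
        Packet("203.0.113.5", "10.0.0.8", 443),   # external HTTPS   -> allow
        Packet("203.0.113.5", "10.0.0.8", 22),    # external SSH     -> deny
    ]
    for pkt in samples:
        print(f"{pkt.src:>13} -> {pkt.dst}:{pkt.dst_port:<4} {filter_packet(pkt)}")
```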
Circuit Level Gateway:
This firewall operates in a similar way to the application gateway. Here, the protocol used is SOCKS version 5.
- CHAN, Henry et al. (2001). E-Commerce: Fundamentals and Applications. England, John Wiley & Sons.