Ecommerce Security IssuesCustomer Security: Basic PrinciplesMost ecommerce merchants leave the mechanics to their hosting company or IT staff, but it helps to understand the basic Any system has to meet four requirements: privacy: information must be kept from unauthorized integrity: message must not be altered or tampered authentication: sender and recipient must prove their identities to each -repudiation: proof is needed that the message was indeed Privacy is handled by In PKI (public key infrastructure) a message is encrypted by a public key, and decrypted by a private The public key is widely distributed, but only the recipient has the private For authentication (proving the identity of the sender, since only the sender has the particular key) the encrypted message is encrypted again, but this time with a private Such procedures form the basis of RSA (used by banks and governments) and PGP (Pretty Good Privacy, used to encrypt emails)Unfortunately, PKI is not an efficient way of sending large amounts of information, and is often used only as a first step — to allow two parties to agree upon a key for symmetric secret key Here sender and recipient use keys that are generated for the particular message by a third body: a key distribution The keys are not identical, but each is shared with the key distribution center, which allows the message to be Then the symmetric keys are encrypted in the RSA manner, and rules set under various Naturally, the private keys have to be kept secret, and most security lapses indeed arise :Digital Signatures and CertificatesDigital signatures meet the need for authentication and To vastly simplify matters (as throughout this page), a plain text message is run through a hash function and so given a value: the message This digest, the hash function and the plain text encrypted with the recipient's public key is sent to the The recipient decodes the message with their private key, and runs the message through the supplied hash function to that the message digest value remains unchanged (message has not been tampered with) Very often, the message is also timestamped by a third party agency, which provides non-What about authentication? How does a customer know that the website receiving sensitive information is not set up by some other party posing as the e-merchant? They check the digital This is a digital document issued by the CA (certification authority: Verisign, Thawte, ) that uniquely identifies the Digital certificates are sold for emails, e-merchants and web-:Secure Socket LayersInformation sent over the Internet commonly uses the set of rules called TCP/IP (Transmission Control Protocol / Internet Protocol) The information is broken into packets, numbered sequentially, and an error control Individual packets are sent by different TCP/IP reassembles them in order and resubmits any packet showing SSL uses PKI and digital certificates to ensure privacy and The procedure is something like this: the client sends a message to the server, which replies with a digital Using PKI, server and client negotiate to create session keys, which are symmetrical secret keys specially created for that particular Once the session keys are agreed, communication continues with these session keys and the digital :PCI, SET, Firewalls and KerberosCredit card details can be safely sent with SSL, but once stored on the server they are vulnerable to outsiders hacking into the server and accompanying A PCI (peripheral component interconnect: hardware) card is often added for protection, therefore, or another approach altogether is adopted: SET (Secure Electronic Transaction) Developed by Visa and Mastercard, SET uses PKI for privacy, and digital certificates to authenticate the three parties: merchant, customer and More importantly, sensitive information is not seen by the merchant, and is not kept on the merchant's Firewalls (software or hardware) protect a server, a network and an individual PC from attack by viruses and Equally important is protection from malice or carelessness within the system, and many companies use the Kerberos protocol, which uses symmetric secret key cryptography to restrict access to authorized TransactionsSensitive information has to be protected through at least three transactions:credit card details supplied by the customer, either to the merchant or payment Handled by the server's SSL and the merchant/server's digital credit card details passed to the bank for Handled by the complex security measures of the payment der and customer details supplied to the merchant, either directly or from the payment gateway/credit card processing Handled by SSL, server security, digital certificates (and payment gateway sometimes) Practical C The merchant is always responsible for security of the Internet-connected PC where customer details are Virus protection and a firewall are the minimum To be absolutely safe, store sensitive information and customer details on zip-disks, a physically separate PC or with a commercial file storage Always keep multiple back-ups of essential information, and ensure they are stored safely off- Where customers order by email, information should be encrypted with PGP or similar Or payment should be made by specially encrypted checks and ordering Where credit cards are taken online and processed later, it's the merchant's responsibility to check the security of the hosting company's Use a reputable company and demand detailed replies to your Where credit cards are taken online and processed in real time, four situations arise:You use a service Sensitive information is handled entirely by the service bureau, which is responsible for its Other customer and order details are your responsibility as in You possess an ecommerce merchant account but use the digital certificate supplied by the hosting A cheap option acceptable for smallish transactions with SME Check out the hosting company, and the terms and conditions applying to the digital You possess an ecommerce merchant account and obtain your own digital certificate (costing some hundreds of dollars) Check out the hosting company, and enter into a dialogue with the certification authority: they will certainly probe your You possess a merchant account, and run the business from your own You need trained IT staff to maintain all aspects of security — firewalls, Kerberos, SSL, and a digital certificate for the server (costing thousands or tens of thousands of dollars) Security is a vexing, costly and complicated business, but a single lapse can be expensive in lost funds, records and Don't wait for disaster to strike, but stay proactive, employing a security expert where Sites on our resources page supplies
Managing Channels of Distribution Under the Environment of Electronic Commerce【英文篇名】 Managing Channels of Distribution Under the Environment of Electronic Commerce 【作者英文名】 ZHENG Bing~1 FENG Yixiong~2 College of Economics & Management; Dalian University; Dalian 116622; China State Key Laboratory of CAD&CG; Zhejiang University; Hangzhou 310027; China; 【文献出处】 武汉理工大学学报, Journal of WuhanUniversity of Technology, 编辑部邮箱 2006年 S2期 【英文关键词】 marketing channels; distribution strategy; customer demand; electronic commerce; Fair E-Payment Protocol Based on Simple Partially Blind Signature Scheme【英文篇名】 Fair E-Payment Protocol Based on Simple Partially Blind Signature Scheme 【作者英文名】 LIU Jingwei; SUN Rong; KOU Weidong State Key Laboratory of Integrated Service Networks; Xidian University; Xi’an 710071; Shaanxi; China; 【文献出处】 Wuhan University Journal of Natural Sciences, 武汉大学自然科学学报(英文版), 编辑部邮箱 2007年 01期 【英文关键词】 electronic commerce; e-payment; Schnorr signature; partial blind signature; 【英文摘要】 This paper presents a simple partially blind signature scheme with low By converse using the partially blind signature scheme, we build a simple fair e-payment In the protocol, two participants achieve the goals of exchanging their digital signatures from each other in a simple An ad- vantage of this scheme is that this approach does not require the intervention of the third party in any The low-computation property makes our scheme very attractive for mobile client and
