CONDUCTING E-COMMERCE with Peter Paolucci, Ph.D.

Uploaded by lora-bennett, posted 26-Dec-2015

TRANSCRIPT

Page 1: CONDUCTING E-COMMERCE with Peter Paolucci, Ph.D

CONDUCTING E-COMMERCE

with

Peter Paolucci, Ph.D.

Page 2: CONDUCTING E-COMMERCE with Peter Paolucci, Ph.D

10 LIES ABOUT E-COMMERCE

Instant and ubiquitous availability

Simplifies buyer-seller relationship

Reduced paperwork

Reduced errors, time & overhead costs

Reduced time to complete transactions

Easier entrance into new markets

Provides new business opportunities

Wider access to experts and peers

Improved product analysis

Streamlined purchasing process

Page 3: CONDUCTING E-COMMERCE with Peter Paolucci, Ph.D

TCP/IP

How info is transported: “Transmission Control Protocol”

How info is addressed: “Internet Protocol”

Page 4: CONDUCTING E-COMMERCE with Peter Paolucci, Ph.D

TCP/IP Key points

Routers handle packets

Packets follow corridors

Every new router is a “hop”

Packet acknowledgment when rec’d

Info moves in pieces: not in 1 chunk

Page 5: CONDUCTING E-COMMERCE with Peter Paolucci, Ph.D

TCP/IP Considerations

Check tracert and ping

Every hop = potential security weakness

Solutions: VPN (virtual private network), Encryption

Page 6: CONDUCTING E-COMMERCE with Peter Paolucci, Ph.D

FRAMES & PACKETS

“packet” vs “frame”

Packet = any piece of information transmitted across the Internet

Frame = information passed between hosts on an Ethernet network

Frame layout: Header | Data | Trailer
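As an added example (not part of the deck), the Python below builds one Ethernet frame around a 20-byte IPv4 header and a short payload, then parses it back into header, data and trailer. The MAC and IP addresses are documentation addresses constructed for this example, and the CRC-32 at the end stands in for the Ethernet frame check sequence. The parsed TTL is the field each router decrements per hop (slide 4), and both integrity fields flag a frame that was corrupted in transit.

```python
"""Build and parse one Ethernet frame carrying an IPv4 packet, to make the
"header / data / trailer" layout and the per-hop TTL concrete. The frame is
constructed here; nothing is captured from a live network."""
import struct
import zlib

ETHERTYPE_IPV4 = 0x0800


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: ones' complement of the ones' complement sum
    of all 16-bit words. Over a valid header (checksum field included) it is 0."""
    total = sum((header[i] << 8) | header[i + 1] for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_header(src: str, dst: str, ttl: int, protocol: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header with a correct checksum."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    # version 4 / IHL 5, TOS 0, total length, ID 1, flags DF, TTL, protocol, checksum 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 1, 0x4000,
                      ttl, protocol, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def build_frame(dst_mac: bytes, src_mac: bytes, ip_header: bytes, payload: bytes) -> bytes:
    """Ethernet header (dst, src, ethertype) + IP packet + CRC-32 trailer in the FCS role."""
    body = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip_header + payload
    return body + struct.pack("!I", zlib.crc32(body))


def parse_frame(frame: bytes) -> dict:
    """Split the frame back into header fields, data and trailer, checking both
    integrity fields so corruption in transit becomes visible."""
    body, trailer = frame[:-4], frame[-4:]
    dst_mac, src_mac = body[:6], body[6:12]
    ethertype = struct.unpack("!H", body[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"not an IPv4 frame: ethertype 0x{ethertype:04x}")
    ip = body[14:]
    ihl = (ip[0] & 0x0F) * 4                    # header length in bytes
    ip_hdr = ip[:ihl]
    _, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip_hdr[:20])
    return {
        "dst_mac": dst_mac.hex(":"),
        "src_mac": src_mac.hex(":"),
        "src_ip": ".".join(str(b) for b in src),
        "dst_ip": ".".join(str(b) for b in dst),
        "ttl": ttl,                             # decremented by every router hop
        "protocol": proto,
        "payload": ip[ihl:total_len],
        "header_checksum_ok": ipv4_checksum(ip_hdr) == 0,
        "fcs_ok": zlib.crc32(body) == struct.unpack("!I", trailer)[0],
    }


# Constructed sample frame: documentation MACs (RFC 7042) and IPs (RFC 5737)
PAYLOAD = b"GET / HTTP/1.0\r\n\r\n"
SAMPLE_FRAME = build_frame(
    bytes.fromhex("00005e005301"), bytes.fromhex("00005e005302"),
    build_ipv4_header("192.0.2.1", "198.51.100.7", ttl=64, protocol=6, payload_len=len(PAYLOAD)),
    PAYLOAD,
)


def corrupt_ttl(frame: bytes) -> bytes:
    """Simulate a bit flip in transit: change TTL without fixing either checksum."""
    out = bytearray(frame)
    out[14 + 8] ^= 0x01                         # TTL is byte 8 of the IP header
    return bytes(out)


if __name__ == "__main__":
    for name, frame in (("clean", SAMPLE_FRAME), ("corrupted", corrupt_ttl(SAMPLE_FRAME))):
        print(name, parse_frame(frame))
```

The header checksum only covers the IP header, so a flipped bit in the data portion is caught by the trailer, not by it; that division of labour is why the frame carries both.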

Page 7: CONDUCTING E-COMMERCE with Peter Paolucci, Ph.D

SERVER CHOICES

Proprietary vs open standard solutions

Scalability

Support levels (human resources)

Hardware & licensing costs

Access

Frequency of patches/updates needed

Hosted/owned by whom?

Page 8: CONDUCTING E-COMMERCE with Peter Paolucci, Ph.D

SERVER CHOICES I

Kind of server affects your security issues

Apache (Unix or Microsoft)

Linux

Netscape Suite Spot

Microsoft IIS

Lotus Notes

Novell

Page 9: CONDUCTING E-COMMERCE with Peter Paolucci, Ph.D

SECURITY METHODS

Authentication (personal/domain/machine)

Data confidentiality (encryption)

Page 10: CONDUCTING E-COMMERCE with Peter Paolucci, Ph.D

ABOUT SECURITY

What is security in a non-Internet context?

What is security in the Internet context?

How secure can a system/transaction be?

How much money and resources should you spend?

Page 11: CONDUCTING E-COMMERCE with Peter Paolucci, Ph.D

SECURITY ISSUES

Confidentiality

Privacy

Data integrity

System integrity

Page 12: CONDUCTING E-COMMERCE with Peter Paolucci, Ph.D

AUTHENTICATION

Who are you?

Are you really you?

Is this action from your computer?

Is this action from your domain?

Is this action from your ISP?

Is the content of the transmission strictly confidential?

Has message integrity been retained? (no tampering)

Page 13: CONDUCTING E-COMMERCE with Peter Paolucci, Ph.D

E-AUTHENTICATION

Is this your credit card?

Is this your bank?

Do you have the funds?

Page 14: CONDUCTING E-COMMERCE with Peter Paolucci, Ph.D

SYMMETRIC ENCRYPTION

AKA “single key”: encrypts and decrypts

1 password on both ends (shared secret)

Same key encrypts AND decrypts

Best to arrange shared password (“key”) in a secure manner

Original message is called “plain text”

Encrypted message is called “cipher text”

Page 15: CONDUCTING E-COMMERCE with Peter Paolucci, Ph.D

CRYPTOGRAPHY

What is encryption?

1. Hello = 8-5-12-12-15 (how hard is it to steal this key?)

2. Hello = I-F-M-M-P (how hard is it to steal this key?)

3. Hello = &%$iIwoie&4@!)(-09UtT (how hard is it to steal this key?)

Page 16: CONDUCTING E-COMMERCE with Peter Paolucci, Ph.D

CRYPTOGRAPHY

Factors

1. Secrecy of key (how hard is it to steal the key)

2. Difficulty of algorithm (complexity of formula)

3. Back doors: what method was used to generate randomness (predictable patterns such as system time can be read and mimicked)

[see RSA as an example]

Page 17: CONDUCTING E-COMMERCE with Peter Paolucci, Ph.D

CRYPTOGRAPHY Factors

4. Key length: 20 bits = 2 to the 20th power, or 1,048,576 possible values

48 bit now crackable in a matter of minutes

128 bit is standard and would take years to crack

US govt allowed up to 40 bit max. for products exported from the USA
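An added teaching example, not the author's, that puts numbers on the question the three “Hello” encodings ask (how hard is it to steal this key?) and on the key-length arithmetic of factor 4. Encoding 1 is a fixed table with no key at all, encoding 2 has a key space of 26, and encoding 3 stands for a random key of n bits with 2^n values. The guess rate passed to the timing helper is a constructed figure, not a measurement.

```python
"""The 'Hello' encodings from the slide and what key space means in numbers.
Added teaching code; the guess rate below is an illustrative constant."""
import string

ALPHABET = string.ascii_uppercase


def letter_numbers(text: str) -> list:
    """Encoding 1: A=1 ... Z=26. There is no key to keep secret: the table is the scheme."""
    return [ALPHABET.index(c) + 1 for c in text.upper() if c in ALPHABET]


def shift_encrypt(text: str, key: int) -> str:
    """Encoding 2: shift every letter by the key; key 1 turns HELLO into IFMMP."""
    return "".join(ALPHABET[(ALPHABET.index(c) + key) % 26] if c in ALPHABET else c
                   for c in text.upper())


def shift_decrypt(cipher_text: str, key: int) -> str:
    """Shifting back by the same key recovers the plain text (symmetric)."""
    return shift_encrypt(cipher_text, -key)


def shift_keys_yielding(cipher_text: str, expected_plain: str) -> list:
    """Walk the entire 26-key space and report which keys turn the cipher text
    into the expected plain text. One hit in 26 tries is what 'easy to steal'
    means: the size of the key space, not the secrecy of one key, sets the bar."""
    return [k for k in range(26) if shift_decrypt(cipher_text, k) == expected_plain.upper()]


def key_space(bits: int) -> int:
    """Encoding 3's territory: a random key of n bits has 2**n possible values."""
    return 2 ** bits


def exhaustive_search_seconds(bits: int, guesses_per_second: float) -> float:
    """Worst-case time to try every key at a given (constructed) guess rate."""
    return key_space(bits) / guesses_per_second


def compare_key_lengths(guesses_per_second: float = 1e9) -> dict:
    """Worst-case search time for the bit lengths named on the slide."""
    return {bits: exhaustive_search_seconds(bits, guesses_per_second) for bits in (20, 40, 48, 128)}


if __name__ == "__main__":
    print("encoding 1:", letter_numbers("Hello"))
    print("encoding 2:", shift_encrypt("Hello", 1), "recovered with keys", shift_keys_yielding("IFMMP", "Hello"))
    for bits, seconds in compare_key_lengths().items():
        print(f"{bits:>3} bits: {key_space(bits):>40,} keys, {seconds:.3e} s at 1e9 guesses/s")
```

Run with the defaults, the table shows 20 bits falling in about a millisecond and 48 bits in a few days at a billion guesses per second, while 128 bits needs on the order of 10^22 years; the slide's "minutes" for 48 bits simply assumes more hardware, and the conclusion is the same.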

Page 18: CONDUCTING E-COMMERCE with Peter Paolucci, Ph.D

ONE-WAY ENCRYPTION

AKA “hash encryption”

Once password (key) has been encrypted it can never be decrypted

Typical use: ATM machine cards

Used in NT and Unix

For NT and Unix, the admin never knows what a pwd is: they must always create a new password
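The one-way property in code, as an added example that is not from the deck: the system stores a salted PBKDF2-HMAC-SHA256 hash (a modern stand-in for the NT and Unix password hashes the slide refers to), checks a login by recomputing it, and, since nothing can reverse the hash, an administrator reset issues a fresh password instead of recovering the old one. The user table and its stored format are constructed for this example.

```python
"""One-way (hash) password storage: keep a salted hash, verify by recomputing,
never decrypt. Added teaching code; the user table is constructed."""
import hashlib
import hmac
import secrets

ITERATIONS = 200_000   # PBKDF2 work factor; raise it as hardware gets faster


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return 'iterations$salt_hex$hash_hex'. A fresh random salt per user means
    two users with the same password do not share a stored value."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time. This is the
    only operation the format supports: there is no decrypt."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def admin_reset(users: dict, username: str) -> str:
    """The admin cannot read the old password, so a reset issues a new random one
    and stores only its hash, as the slide describes for NT and Unix."""
    new_password = secrets.token_urlsafe(12)
    users[username] = hash_password(new_password)
    return new_password   # handed to the user out of band, never stored


# Constructed user store: one account with a known password
USERS = {"mary": hash_password("correct horse battery staple")}


if __name__ == "__main__":
    print("login ok:", verify_password("correct horse battery staple", USERS["mary"]))
    print("wrong pwd:", verify_password("guess", USERS["mary"]))
    print("reset to:", admin_reset(USERS, "mary"))
```

The stored string reveals the work factor and salt openly; only the password is secret, and a stolen table still forces an attacker through the full PBKDF2 cost per guess.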

Page 19: CONDUCTING E-COMMERCE with Peter Paolucci, Ph.D

SYMMETRIC ENCRYPTION: EXAMPLE

Ted: Password + Plain Text → Cipher Text

Mary: Cipher Text + Password → Plain Text

Page 20: CONDUCTING E-COMMERCE with Peter Paolucci, Ph.D

PLAIN TEXT

Page 21: CONDUCTING E-COMMERCE with Peter Paolucci, Ph.D

CIPHER TEXT

Page 22: CONDUCTING E-COMMERCE with Peter Paolucci, Ph.D

ASYMMETRIC ENCRYPTION

AKA “public key cryptography” (MIT early 1970’s)

1 key for encrypt + 1 for decrypt

X sends to Y with Y’s public key: only Y’s private key can decrypt

Reversible: A encrypts, B can decrypt + vice versa

The pairs are a matched set: 1 key is public, the other is private

Secure but slow

Page 23: CONDUCTING E-COMMERCE with Peter Paolucci, Ph.D

ASYMMETRIC ENCRYPTION EXAMPLE

Ted: Ted’s Private + Public (Random Symmetric) + Mary’s Public = (produces) Cipher Text

Mary: Mary’s Private + Random Public (automatic) + Ted’s Public = (produces) Plain text
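Both example slides (Ted and Mary with a shared password, then with public/private pairs) as one runnable Python example, added here and not taken from the deck. It is teaching code only: the stream cipher is SHA-256 in counter mode and the two RSA pairs use tiny textbook primes so the arithmetic stays visible; production systems use AES-GCM or ChaCha20-Poly1305 with properly sized RSA or elliptic-curve keys. The flow follows the slide's diagram: a random symmetric key encrypts the message, Mary's public key wraps that key so only her private key can unwrap it, and Ted's private key signs so Mary can check the sender with Ted's public key.

```python
"""Ted -> Mary two ways: (1) symmetric, one shared password on both ends;
(2) asymmetric hybrid, random symmetric key + Mary's public key + Ted's signature.
Added teaching code: toy stream cipher and tiny textbook RSA, not for real traffic."""
import hashlib
import secrets

# ---- symmetric: the same key encrypts AND decrypts ----

def derive_key(password: str, salt: bytes) -> bytes:
    """Shared password -> 32-byte key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || block counter).
    XOR is its own inverse, so one function both encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], block))
    return bytes(out)


def symmetric_send(password: str, plain_text: bytes):
    """Ted: fresh salt, key from the shared password -> (salt, cipher_text)."""
    salt = secrets.token_bytes(16)
    return salt, stream_xor(derive_key(password, salt), plain_text)


def symmetric_receive(password: str, salt: bytes, cipher_text: bytes) -> bytes:
    """Mary: same password + salt -> same key -> plain text."""
    return stream_xor(derive_key(password, salt), cipher_text)


# ---- asymmetric: matched public/private pairs ----

def make_keypair(p: int, q: int, e: int = 17):
    """Textbook RSA from two primes: returns ((n, e) public, (n, d) private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))          # d = e^-1 mod phi (Python 3.8+)


MARY_PUBLIC, MARY_PRIVATE = make_keypair(61, 53)   # constructed demo keys: n = 3233
TED_PUBLIC, TED_PRIVATE = make_keypair(101, 113)    # constructed demo keys: n = 11413


def _digest_mod(data: bytes, n: int) -> int:
    """Hash the message and reduce it into the signer's modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def hybrid_send(plain_text: bytes, recipient_public, sender_private) -> dict:
    """Ted: a random symmetric key encrypts the message, Mary's public key
    wraps that key, Ted's private key signs the message hash."""
    n_m, e_m = recipient_public
    n_t, d_t = sender_private
    session_key_int = secrets.randbelow(n_m - 2) + 2     # the slide's "random symmetric" key
    session_key = session_key_int.to_bytes(2, "big")     # fits because the toy n < 65536
    return {
        "cipher_text": stream_xor(session_key, plain_text),
        "wrapped_key": pow(session_key_int, e_m, n_m),   # only Mary's private key undoes this
        "signature": pow(_digest_mod(plain_text, n_t), d_t, n_t),  # only Ted's private key makes this
    }


def hybrid_receive(msg: dict, recipient_private, sender_public):
    """Mary: unwrap the session key with her private key, decrypt, then check
    Ted's signature with his public key. Returns the plain text, or None when
    the signature does not match (tampering or a different sender)."""
    n_m, d_m = recipient_private
    n_t, e_t = sender_public
    session_key = pow(msg["wrapped_key"], d_m, n_m).to_bytes(2, "big")
    plain_text = stream_xor(session_key, msg["cipher_text"])
    if pow(msg["signature"], e_t, n_t) != _digest_mod(plain_text, n_t):
        return None
    return plain_text


if __name__ == "__main__":
    salt, ct = symmetric_send("shared secret", b"Hello Mary")
    print("symmetric round trip:", symmetric_receive("shared secret", salt, ct))
    msg = hybrid_send(b"Hello Mary", MARY_PUBLIC, TED_PRIVATE)
    print("hybrid message:", msg)
    print("hybrid round trip:", hybrid_receive(msg, MARY_PRIVATE, TED_PUBLIC))
```

The hybrid design is why the slide calls public-key cryptography "secure but slow" and still uses it: the slow public-key operations touch only a short random key and a hash, while the bulk of the message goes through the fast symmetric cipher.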

Page 24: CONDUCTING E-COMMERCE with Peter Paolucci, Ph.D

SECURITY STANDARDS

Set by NCSC (North Carolina Supercomputing Center)

So-called “orange book”

Level D: minimal or not secure at all -- (like MS Dos); no user distinctions

Level C1: rudimentary access control (login authentication)

Level C2: unique users; system level protection (like Unix)

Level B1: mandatory access control; varied security level; user cannot change permissions on files/directories

Page 25: CONDUCTING E-COMMERCE with Peter Paolucci, Ph.D

SECURITY STANDARDS

Level B2: every file labeled according to its security level; labels change dynamically

Level B3: hardware protection (terminals only connect through trusted paths); data hiding

Level A1: requires rigorous mathematical proof that system cannot be compromised; also proof that hardware-software must have been protected during shipment to prevent tampering

Page 26: CONDUCTING E-COMMERCE with Peter Paolucci, Ph.D

SECURITY WEAKNESSES

Humans: passwords, procedures

File system permissions

System allows bad passwords

Poor firewalls

Bugs known and unknown

Poor auditing of events

Not changing system defaults

Restrict parameter/field access in data bases (along with carefully built CGI)

Page 27: CONDUCTING E-COMMERCE with Peter Paolucci, Ph.D

HACKING METHODS

Password and packet sniffing (software & hardware)

Spoofing (brute force or dictionary or enlightened)

Account cracking via dictionary programs

Decryption & Brute-force decryption

Old-fashioned snooping

Capitalizing on system access when someone leaves their desk

Page 28: CONDUCTING E-COMMERCE with Peter Paolucci, Ph.D

CUSTOMER TRUST

Success and Horror Stories (http://www.zdnet.com/anchordesk/story/story_2759.html)

Customer Protection Tips You Should Address (http://www.paytips.org/contips.htm)

Other “trust” issues

Page 29: CONDUCTING E-COMMERCE with Peter Paolucci, Ph.D

STRATEGIES IN E-COMMERCE

Appropriate goods and services for the Net

Successful Marketing (spam, mailers, browser harvesting)

Designing a successful storefront

Models of Doing Business

Promotion (engines, engine ad banners, newsgroups, listservs)

Meta, Title and other HTML tags (what the engines want & some legalities)

Competing with the “bot” shoppers

Internet Demographics & Miscellaneous

Page 30: CONDUCTING E-COMMERCE with Peter Paolucci, Ph.D

MODELS OF DOING BUSINESS

Credit card: Manual (delayed) vs Automated (immediate)

Cyber Cash (http://www.cybercash.com/)

Traditional cheque

Cybercash bought by Verisign

The bad news about Verisign

Page 31: CONDUCTING E-COMMERCE with Peter Paolucci, Ph.D

THE PROCESS

If the client already has a merchant number, you may not use the same # for the internet

Apply to each of the 3 (or 4) credit cards individually (Amex, Visa, MC, Discovery)

Problem: which Visa? CIBC? TD-Canada Trust? BOM? Which MC? Amex not a problem

Page 32: CONDUCTING E-COMMERCE with Peter Paolucci, Ph.D

Learn Canada /Internet Secure

Internet Secure is a broker for all banks and credit cards

One time set up: $395

Send in voided cheque

Form to fill out includes: company name, address, incorporation #, business type (proprietary, sole, corporation), website, description of service, minimum/maximum value of any given order, contact person, pick id and pwd

Page 33: CONDUCTING E-COMMERCE with Peter Paolucci, Ph.D

Learn Canada /Internet Secure

Bring ETF (Electronic Funds Transfer Form) to bank to verify account name and legality of account and its use

Determine funds: US or CDN or both

Signed by bank official

Establish price catalogue and codes

Go to Internet Secure and enter catalogue prices and code numbers

Page 34: CONDUCTING E-COMMERCE with Peter Paolucci, Ph.D

Fee Structure

CANADIAN DOLLARS

SETUP    MONTHLY    / TRANS    PLUS
$395     $45        $.45       3.75% Visa, 4% Amex
$395     $25        $1.50      4% Visa, 4.5% Amex
$0       $20        $0         9% all

Page 35: CONDUCTING E-COMMERCE with Peter Paolucci, Ph.D

Fee Structure

USA DOLLARS

SETUP    MONTHLY    / TRANS    PLUS
$395     $35        $1.00      3.75% Visa, 4% Amex
$395     $25        $1.50      4% Visa, 4.5% Amex
$0       $20        $0         9% all

Page 36: CONDUCTING E-COMMERCE with Peter Paolucci, Ph.D

FEE STRUCTURE

Additional fee is either a security deposit (ranging from $4000 up) such as cash or assets, or an RMRF (Rolling Merchant Reserve Fund) in which they withhold 8% of your sales for 6 months and pay it to you in the 7th month

Transactions are deposited automatically on the 15th and 30th of every month
