3.5 Online Services and Security and Privacy of Data
By: Momina
Back to Contents
Click for More >>>
Need to Protect Confidentiality of Data
Shop Security
Online Banking Online Shopping
Data Protection Legislation
Social and Ethical Implications of Access to Personal Information
Back to Contents
Need to protect confidentiality of data
• This means that data should only be seen by people who are authorised to see it.
What is the main technique used into ICT to ensure the confidentiality of
data in online systems?Encryption
What is encryption?
Back to Contents
Encryption
• This is a process by which ordinary data is converted into a secret code. This is done so that anyone unauthorised to see the data doesn’t.
• However, they do have the ability to delete the information that they intercept.
• On the receiving on of the encrypted data it is decrypted using a secret key.
Note:Unencrypted data is called plain textEncrypted data is referred to as cipher text
Back to Contents
Shop Security
There are two types of encryption keys:1. Public encryption key2. Private encryption keyPeople have a public encryption key they can tell
everyone about. And they have a private encryption key, which only they know about.
So what?
Back to Contents
So…• If you know a persons public encryption key; you can encrypt a message and send it
to them. But ONLY that individual can decrypt the message using their private
key. • For example: When John wants to send a secure
message to Jane, he uses Jane's public key to encrypt the message. Jane then uses her private key to decrypt it.
What is a public key system?
Back to Contents
Public Key System
Keep in mind that when we use the Internet to make a payment; all these tasks of encrypting and
decrypting happens in the background (so we don’t see it)
“This is used to encrypt data that is transmitted using the
Internet for payment purposes”
Back to Contents
Online Banking
• Encryption does not prevent hackers from accessing your PC. These hackers could use a key logging software. This allows them to detect the keys you are pressing on the keyboard. (this may also allow them to discover your password)
Additional Methods of Security
“Online banking uses secure sites and all the data
transferred using the Internet including your password, is
encrypted.”
Back to Contents
Additional Methods of Security
1- Use Transaction numbers (TANs): these are passwords that can only be used once. This could be sent to you via a text message
from the bank. They are only valid for a few minutes thus reducing the time for a hacker to intercept and use it.
2- Ask the user to type in only part of the password. Every time the user logs in they are asked for the part of the password in a different combination (i.e. 2nd character, 3rd character, and 6th
character)
3- Providing the customer with a handheld chip and PIN device. This device generates single-use passwords. Several things are
required by the user to access their account, it includes the following:
• debit card•PIN number•Online security number•Chip and PIN itself
A customer enters the card into the device and enters their PIN number. They are then issued with an 8-digit code. Using this they can then log in.
Back to Contents
Online Shopping
• It is the customers responsibility that they use a reputable, secure online store.How do you know if data is being transmitted in a secure way?
1. The ‘https’ prefix in the URL compared to the normal ‘http’
2. The secure socket layer (SSL)- the pad-lock sign at the bottomof the screen.
Protocols used in the encryption of messages between a client computer and server
Few Important Points
Back to Contents
Important Points × The customer MUST check the contact details of the
company to ensure reliability.× The store MUST have a privacy policy and the customer
MUST read this. If the store does not have one, or the customer is unsure about some parts of it, they shouldn’t trust the online store.
× The customer must know exactly what they are buying. “Both description and what to do in the event that they are not satisfied should be clear.”
× A customer must always print out the details from the transaction they make in case of future disputes.
Back to Contents
Data Protection Legislation
What does it do?It keeps data private as well as confidential.For example:The UK Data Protection Act states• Personal data shall be processed fairly and lawfully.• Personal data shall be obtained only for a lawful purpose.• Personal data shall be accurate and will be kept up-to-
date.• Appropriate measures will be taken against unauthorised
processing of personal data
Punishment for breaking ANY rules listed in the UK Protection Act is a very
large fine.
Back to Contents
Social and Ethical Implications of access to Personal Data
Duty of Confidence
Duty of Fidelity
Responsibility for passing on information
Anonymised Information
Aggregated Information
Breaches of Confidence
Need for Security
Identity Theft
Phishing
Spyware
Online Auction or Shopping Fraud
Back to Contents
Duty of Confidence
• They must not tell anyone or use the information for any reason except with the permission of the person who it told them.
• Confidential data includes business secrets or personal information.
• This could be between an employee and employer.
• The employee is asked to sign a confidentiality agreement.
Back to Social/ Ethical
Implications
Back to Contents
Duty of Fidelity
• This is when an employee must remain loyal to their employer.
• They must not tell any of the rival companies about their work.
• However, once an employee leaves a company they have the free liberty of using their skills and knowledge that they acquired from the company.
Back to Social/ Ethical
Implications
Back to Contents
Responsibility for passing on information
• When a company passes on information about any individual they must ensure that the least amount of information that could identify the individual is used.
• Things like online banking or online shopping require you to give them your personal information. It MUST be ensured that information is not passed from organisation to organisation without authorisation from the individual.
Back to Social/ Ethical
Implications
Back to Contents
Anonymised Information
• This is when information about an individual is passed on without the mention of their name.
• Companies should always omit any personal details wherever possible.
Back to Social/ Ethical
Implications
Back to Contents
Aggregated Information
• It is a summary of personal information without naming the person.
For example:All the people who are above the age of 60 and have
diabetes.This way no one can be identified.
However, there is a downside to this. There might be only one person in the whole hospital so
identification of the person will be easy and may be embarrassing for the individual.
Back to Social/ Ethical
Implications
Back to Contents
Breaches of Confidence
• This is basically a ‘non-disclosure agreement’.
• All employment contracts should have a duty of confidence clause.
Back to Social/ Ethical
Implications
Back to Contents
Need for Security
• All organisations need to protect they computerized information.
• Many people don’t use online banking because they are scared that people will defraud them.
Back to Social/ Ethical
Implications
Back to Contents
Identity Theft• It starts off by stolen credit card details.So when does it all go wrong?Scenario: Purchase is made at a restaurant;
the customer lets the waiter take their credit card out of their sight.
The card is then skimmed on a special reader and all the details from the card are
copied from the card.
A less obvious way would be…
Back to Social/ Ethical
Implications
Back to Contents
Identity Theft
• Sometimes the machine is below the cash till and the customer hardly notices that it has been skimmed as well as swiped for the transaction.
Another Method:Retail outlets’ databases are hacked into and all
the customer data is copied for illegal use.
When data is encrypted, it at some point does need to be decrypted and at that point the information becomes vulnerable to theft.
Back to Social/ Ethical
Implications
Back to Contents
Phishing
• This is when a fraudulent email is sent to a person. It will seem as if the email is sent by the bank however in reality it isn’t.
• The email will request the person to give their password, card or account number and other security details.
What is pharming?
What the phishers do is that they include the website address for the customer to go on to. And this website
looks legit. This fake website is set up PURELY to get customer
details.
Back to Social/ Ethical
Implications
Back to Contents
Pharming
• This is when a fraudster REDIRECTS a genuine websites traffic to their own website.
• The customer thinks that they are dealing with their bank site but they are actually sending details to the fraudsters website.
Back to Social/ Ethical
Implications
Back to Contents
Spyware
• This is a software that customers unknowingly download.
• It usually is attached to a software which the computer user downloads.
• The fraudster has attached spyware to gather personal details of the user.
• They do this by using a key logging software when the user logs on to their bank account of online shopping.
Back to Social/ Ethical
Implications
Back to Contents
Online Auction or Shopping Fraud
• This is when somebody sets up a genuine site and puts up expensive items for sale and then they don’t deliver it or they send a cheap imitation.
• They take the money but never deliver the goods.
Back to Social/ Ethical
Implications