Security And Governance For eCommerce

The cyber age has arrived, and netizens are spearheading ecommerce. Be it a business-to-business or a business-to-consumer transaction, technology has driven commerce towards lower prices, speedy delivery and quick payments.

A recent survey indicates that of all the people who access the internet, only 43% buy online; the rest are concerned about the security and privacy of their personal information, especially their credit card numbers. Does this mean that those who do transact on the internet are ignorant of the risk? Many banks offer internet banking and online bill payment. Are they secure? Banks offer electronic funds transfer. Do they offer an assurance that the customer's account will not be debited without his consent? How can one be assured that the cyber shopkeeper and its staff will not misuse a credit card number?

To answer such doubts, it is important first to understand ecommerce. Ecommerce occurs when buying and selling take place electronically and the transactions travel over a public network. It is deemed secure on the basis of the measures employed to guard the transaction details, both in transit and after they have been used and stored.

The measures employed for security are broadly legislative and technical in nature. Technical security measures are further categorized as preventive and detective. Cyber laws, the website security set-up and the use of cryptography are preventive measures. Intrusion detection tools, the competence of law enforcement agencies and the education of the judiciary are detective and corrective measures. Third-party assurance certification provides confidence and basic faith in the entire ecommerce process.

Sound security practice over the years has shown that preventive measures are more effective than the rest. Technological security encompasses the security of the website, of the database, of transaction and credit card information during transmission, of email and of payment systems.

Cyber laws
The countries that already have cyber laws in place are the USA, Australia, Canada, Germany, France, the UK, Ghana, Singapore, Malaysia and now India.

Formulation of cyber laws is an outcome of the ecommerce policy, which is framed by the respective national committees. In India, an IT task force has made a good beginning. The United Nations Commission on International Trade Law (UNCITRAL) has framed a model law to support the commercial use of international contracts in ecommerce. This law provides for the acceptability of digital signatures for legal and commercial purposes, and it supports computer evidence in a court of law.

In the US, apart from the federal statutes (chapter 41, sub-chapter 1, part B, under various titles), all the individual states have laws in place. The titles are: Computer Misuse Act, Computer Crime Act, Computer Related Crime, Crimes Against Property, Computer Related Offences, Specific Offences, Credit Card Offences, Substantive Offences, Fraudulent Access to Computers, Computer Systems and Networks, Crime Against Commerce, Unlawful Use of Computers, Fraud Computer Crime, Offences Involving Theft, Forgery and Related Offences, Offences Against the Right to Privacy, Criminal Mischief and Related Offences, Computer Crime and Abuse Act and so on. The list of titles indicates the areas covered by these acts.

In Australia, the Crimes Act of 1914 covers the necessary aspects of cyber law. The Dutch Computer Crime Act applies in the Netherlands; the Canadian Criminal Code in Canada, Law number 90-1170 in France, the Ghana Computer Crime law in Ghana and the Computer Misuse Act 1990 in the UK exist to combat cyber crime.

The Computer Misuse Act in Singapore provides greater protection to critical computer systems, copyright for multimedia works and a privacy code that safeguards consumer data through industry self-regulation. Singapore's Electronic Transactions Act has been in force since July 1998, and by 2001 all government tendering in Singapore is to go online. International cross-certification covers digital signatures and the public/private key pairs of public key cryptography used to protect information in transit.

Cyber laws in most countries are very similar and address similar issues; the only point of difference is the severity of the punishment meted out to cyber criminals.

A draft bill, to be called the Information Technology Act of 1999, will very likely constitute the cyber law for India, and one can expect it to be passed as an act by the government. This is seen as a very significant and essential step towards ecommerce in India.

The Information Technology Act of 1999 may consist of 15 parts across 79 sections, providing detailed guidelines for electronic records and signatures, liability of network service providers, electronic contracts, duties of certification authorities, computer crime, data protection and related amendments to existing acts.

The statutes likely to be amended are the Indian Evidence Act 1872, the Indian Penal Code 1860, the General Clauses Act 1897, the Reserve Bank of India Act 1934 and the Bankers' Books Evidence Act 1891. This may be followed by notifications regarding regulations for electronic funds transfer.

Some resolutions which are expected to get priority due to WTO are:

  • Internet service providers' capability to launch ecommerce.

  • Recognition of digital signatures as valid evidence in a court of law.

  • Protecting the privacy of information passed over the internet by using cryptography.

  • A security system for credit card numbers under an electronic payment system.

  • Legalizing the transfer and downloading of documents through computers.

The implications of these provisions are:

  • An electronic transaction comprises at least three parties: the originator, the addressee and the network service provider. The act clearly defines the responsibility of each party. The originator of the transaction must receive an acknowledgement from the addressee; this is mandatory, and it ensures that neither party can later deny the transaction.

  • The security of the transaction at each end is the responsibility of the respective party, since the access rights for the information are defined by them. Any attempt at unauthorized access is a crime and attracts punishment, which may be in proportion to the damage caused.

  • The security of a transaction on the net is not the responsibility of the network service provider. The onus is on the two parties to conduct their transaction securely, which is achieved by encrypting it. The law clearly provides for the secrecy of keys, and any attempt to intercept, trace or track the information is a punishable crime. Cryptography is currently holding up well: a 128-bit key is beyond exhaustive search by attackers, which ensures privacy and confidentiality. The transaction or message will bear an electronic signature, which accords authenticity to the electronic transaction.

  • Hacking, intrusion and all attempts to illegally access information are punishable crimes. In Singapore a person found guilty under the act is sentenced to six months in jail, a fine of $20,000, or both; some clauses provide for a fine of $50,000 and a one-year jail sentence. US law provides for up to 20 years in jail. In India the proposed fine ranges from Rs 10,000 to Rs 5 lakh.

  • Some doubts are expressed about the safety of firewalls as a security facility. The answer centres on how you set up your security and how you define your access rights: a high degree of database security is achievable if an IT security policy and procedures are in place.

Security of the website
Securing the website is an often-ignored aspect; serious attention is paid only after the site has been defaced or its contents changed by hackers. Here are the golden rules for securing your website.

  • Successful security practices are started early and refined continually during the life of a website. Security should never be viewed as something to be added on later; view it as a basic and integral part of your website design and application design.

  • When a website is being developed and you are changing it from an information-oriented site to a dynamic commerce-oriented site, use separate servers for production and staging. This lets you test the contents and the application before they are available to the general public.

  • Log everything that happens on your machine. All logins and all HTTP and FTP attempts, whether successful or not, should be meticulously logged. This gives you a trail to follow in the event of an attack.

This information can later be scanned for unusual activity, such as requests for files that should not be accessed. Automated Perl scripts are useful for this purpose.
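As an added example (not from the original article), here is the kind of automated log scan the author describes, written in Python rather than Perl and run over a handful of constructed combined-format access log lines. The list of "files that should not be accessed" and the error threshold are assumptions for the illustration and should be tuned to what a given site actually serves:

```python
import re
from collections import Counter

# Constructed sample of NCSA combined-format access log lines (not from a real server).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/1999:10:01:02 +0530] "GET /index.html HTTP/1.0" 200 2048
10.0.0.5 - - [12/Mar/1999:10:01:05 +0530] "GET /catalog.cgi?item=42 HTTP/1.0" 200 5120
192.0.2.77 - - [12/Mar/1999:10:02:11 +0530] "GET /cgi-bin/phf?Qalias=x HTTP/1.0" 404 210
192.0.2.77 - - [12/Mar/1999:10:02:12 +0530] "GET /orders/customers.db HTTP/1.0" 403 180
192.0.2.77 - - [12/Mar/1999:10:02:13 +0530] "GET /../../etc/passwd HTTP/1.0" 400 150
192.0.2.77 - - [12/Mar/1999:10:02:14 +0530] "GET /index.html.bak HTTP/1.0" 200 2100
192.0.2.77 - - [12/Mar/1999:10:02:15 +0530] "GET /admin/ HTTP/1.0" 401 120
10.0.0.9 - - [12/Mar/1999:10:03:30 +0530] "POST /checkout.cgi HTTP/1.0" 200 900
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Requests no shopper ever needs: directory traversal, a well-known CGI hole,
# backup and data files. Assumed list for this example.
SENSITIVE_PATH = re.compile(
    r'(\.\./|/etc/passwd|/cgi-bin/phf|\.(bak|old|orig|db|sql|csv)($|\?))',
    re.IGNORECASE,
)
ERROR_THRESHOLD = 3   # 4xx responses per client before it is flagged as probing


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["status"] = int(fields["status"])
    return fields


def scan(log_text):
    """Scan a whole log for sensitive-path requests and clients that generate many errors."""
    sensitive = []
    errors = Counter()
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue                      # never let a malformed line abort the scan
        if SENSITIVE_PATH.search(entry["path"]):
            sensitive.append((entry["ip"], entry["path"], entry["status"]))
        if entry["status"] >= 400:
            errors[entry["ip"]] += 1
    noisy = {ip: n for ip, n in errors.items() if n >= ERROR_THRESHOLD}
    return {"sensitive_requests": sensitive, "noisy_clients": noisy}


if __name__ == "__main__":
    report = scan(SAMPLE_LOG)
    for ip, path, status in report["sensitive_requests"]:
        print(f"sensitive request from {ip}: {path} -> {status}")
    for ip, n in report["noisy_clients"].items():
        print(f"{ip} produced {n} error responses")
```

The status code matters as much as the path: the request for `/index.html.bak` in the sample was answered with 200, which means a backup copy was actually served, whereas the 403 and 404 lines show probes that were turned away. A scan run from cron over the previous day's log is enough to catch both.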

  • Use separate machines for separate functions like web, FTP, news, email and others. This makes it easy to secure and maintain a single-purpose machine. Run nothing beyond what is required. Many operating systems, most notably UNIX, come with every feature enabled: finger, Network File System (NFS), ping, sendmail and others. If you run a website, you only need the HTTP daemon and the basic operating system daemons running. If you must do remote maintenance, use Secure Shell (SSH) instead of Telnet. If you leave daemons running for your convenience, you may also be leaving them for an intruder's convenience.

  • Use current versions of all the software you run, and subscribe to security mailing lists to keep abreast of the latest problems and fixes.

  • If you collect sensitive customer information such as credit card numbers via Secure Sockets Layer (SSL), do not turn around and forward that information using ordinary email or some other insecure transmission format. Use an encrypting email package. You must protect the entire data pipeline, from the user to your company and on to the bank.

  • Never store sensitive information beneath the document root of your web server. Using nothing more than an ordinary web browser, it is relatively easy to find online stores that have left customer names, addresses and credit card numbers in web-accessible files. Remove sensitive information as soon as possible: if it is sitting on your machine, it is accessible to the first intruder who breaks in.

  • Hide the contents of directories on your web server; otherwise an intruder can get a listing of all the files in a directory, which may expose files you do not want people to see, such as backup copies. There are two ways to do this: most web servers let you disable directory listings altogether, or you can ensure that every directory has an 'index.html' file in it. It can be blank or have some content; either way it denies potential intruders the listing. Note that this only hides the listing: a file whose name can be guessed is still served, so combine this rule with the previous one.

  • If you use CGI scripts to process form data, you need to be especially careful. A would-be hacker can set form values or HTTP headers to strings that the CGI script passes to a shell or interpreter, and thereby get them executed on your server.
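To make the CGI point concrete, here is an added example (not the article's code) of the vulnerable pattern beside its hardened form, in Python. The form values and the command line are constructed for the illustration, and `mail` is replaced by `echo` so that the injected command is visible but harmless; the handler names are assumptions:

```python
import re
import subprocess

# Constructed form submissions. The second one carries a shell command after a ';'.
GOOD_EMAIL = "shopper@example.com"
HOSTILE_EMAIL = "victim@example.com; echo INJECTED"


def unsafe_cgi_handler(email):
    """The vulnerable pattern: the form value is glued into a shell command line.

    'mail' is replaced by 'echo' so the demonstration is harmless, but the shell
    still treats ';' as a command separator and runs whatever follows it with the
    web server's privileges. Returns what the shell printed.
    """
    command = "echo mail -s 'Your order' " + email
    result = subprocess.run(["sh", "-c", command], capture_output=True, text=True, check=False)
    return result.stdout


# Allow-list for the one shape of value this field may take.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def safe_cgi_handler(email):
    """The hardened form: validate against an allow-list, then build an argv list.

    Because the program would be started directly from the list (no 'sh -c'),
    shell metacharacters in the value are just bytes in one argument, never a
    second command. The same treatment applies to anything taken from HTTP
    headers such as HTTP_USER_AGENT or HTTP_REFERER in the CGI environment.
    """
    if len(email) > 254 or not EMAIL_RE.fullmatch(email):
        raise ValueError("rejected form value")
    argv = ["mail", "-s", "Your order", email]
    # In a real handler: subprocess.run(argv, input=receipt_text, text=True, check=True)
    return argv


if __name__ == "__main__":
    print(unsafe_cgi_handler(HOSTILE_EMAIL))      # two lines: the command, then INJECTED
    print(safe_cgi_handler(GOOD_EMAIL))
    try:
        safe_cgi_handler(HOSTILE_EMAIL)
    except ValueError as exc:
        print("hardened handler:", exc)
```

The allow-list is the first line of defence and the argv list the second; keep both, because a validation regex that is later loosened should not silently reopen the shell.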

Security of database
One recent study concluded that databases were the weakest link in ecommerce set-ups. The database holding customer information can be secured using the encryption approaches stated below. Encrypting a database has a definite overhead on the processors; one has to trade off speed against security.

ACTIVE ENCRYPTION: In this case, the encryption process is tied to the process of appending records to the database. Depending on the strength of the encryption used, the entire process can slow down because of the increased load on the server processors.

DELAYED BATCH ENCRYPTION: Here the encryption does not happen with each record addition. It is executed at a predefined interval, when all the unencrypted records are encrypted at once and then added to the main database. Though this process does not place a continuous load on the server, it can place an extremely heavy load at batch time, and the records waiting for the next batch sit in plaintext until it runs.
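The two schemes side by side, as an added example in Python that is not part of the original article. It uses an in-memory SQLite database, a pair of constructed test card numbers, and a small stream cipher built from HMAC-SHA256 in counter mode with an encrypt-then-MAC tag so that the block runs on the standard library alone. That cipher, the key handling and the table names are assumptions for the illustration; a production system would use AES-GCM from a vetted library and a key held outside the database host:

```python
import hashlib
import hmac
import os
import sqlite3

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key, label):
    # Separate keys for the keystream and the tag so the two uses never collide.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    # PRF in counter mode: block i = HMAC(key, nonce || i).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    """Return nonce || ciphertext || tag, the tag covering nonce and ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):       # verify before touching the data
        raise ValueError("record tampered with or wrong key")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, card BLOB)")
    db.execute("CREATE TABLE staging (id INTEGER PRIMARY KEY, customer TEXT, card TEXT)")
    return db


def insert_active(db, key, customer, card_number):
    """ACTIVE ENCRYPTION: the card is encrypted in the same step that appends the record."""
    db.execute("INSERT INTO orders (customer, card) VALUES (?, ?)",
               (customer, encrypt(key, card_number.encode())))


def insert_staged(db, customer, card_number):
    """DELAYED BATCH ENCRYPTION, step 1: the record is queued in plaintext."""
    db.execute("INSERT INTO staging (customer, card) VALUES (?, ?)", (customer, card_number))


def run_batch(db, key):
    """DELAYED BATCH ENCRYPTION, step 2: encrypt everything queued and move it over."""
    rows = db.execute("SELECT id, customer, card FROM staging").fetchall()
    for row_id, customer, card in rows:
        db.execute("INSERT INTO orders (customer, card) VALUES (?, ?)",
                   (customer, encrypt(key, card.encode())))
        db.execute("DELETE FROM staging WHERE id = ?", (row_id,))
    db.commit()
    return len(rows)


def plaintext_cards_at_rest(db):
    """The batch scheme's exposure window: whatever is still in staging is readable as-is."""
    return db.execute("SELECT COUNT(*) FROM staging").fetchone()[0]


def read_card(db, key, order_id):
    blob = db.execute("SELECT card FROM orders WHERE id = ?", (order_id,)).fetchone()[0]
    return decrypt(key, blob).decode()


if __name__ == "__main__":
    key = os.urandom(32)     # constructed; a real key lives in a key store, not on this host
    db = open_db()
    insert_active(db, key, "A. Shopper", "4111111111111111")    # constructed test number
    insert_staged(db, "B. Shopper", "5500000000000004")         # constructed test number
    print("plaintext cards waiting for the batch:", plaintext_cards_at_rest(db))
    run_batch(db, key)
    print("after batch:", plaintext_cards_at_rest(db), read_card(db, key, 2))
```

The `plaintext_cards_at_rest` count is the figure to watch when choosing the batch scheme: it is exactly the number of card numbers an intruder reads for free between two batch runs, so the interval has to be chosen with that exposure in mind, not only with the processor load.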

Security of data in transit
SSL forms one of the best defenses against electronic intruders. The Secure Sockets Layer is used to encrypt the entire data flow between the client and the host. The strength of this encryption is measured by the key length in bits. Thus a 40-bit key means there are 2^40 (1,099,511,627,776) possible keys that an eavesdropper would have to try in order to read the traffic between the client and the host. Currently 128-bit keys are in use. Both the browser used by the client and the host transaction server have to be capable of using an SSL link; the key length applied over the link is negotiated, the host server choosing from the cipher suites the browser offers.

128-bit encryption is used and supported by most browsers and transaction servers today. This means there are 2^128 (roughly 3.4 x 10^38) possible keys. At that key length, even if the transmitted data is captured by an online eavesdropper, recovering the key by trying every possibility is out of reach of any amount of processing power; 40-bit keys, by contrast, have been recovered by brute force in a matter of days using a network of ordinary workstations.
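As an added check that is not part of the original article: with today's Python `ssl` module the minimum the article argues for (no 40-bit or otherwise weak suites, 128-bit keys at least) can be stated as a client policy and verified before any connection is made. The cipher string and the 128-bit floor are assumptions for this example:

```python
import ssl

KEY_BITS_FLOOR = 128   # the article's "128-bit" level; anything below counts as export-grade


def hardened_client_context():
    """A client context that will never negotiate a weak suite, whatever the server prefers.

    The server picks the suite, but only from the list the client offers, so the
    policy is enforced by offering nothing below the floor.
    """
    ctx = ssl.create_default_context()             # also verifies the server certificate
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(
        "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:"   # forward-secret AEAD suites only
        "!aNULL:!eNULL:!EXPORT:!RC4:!3DES:!MD5:!DES"
    )
    return ctx


def weakest_suite(ctx):
    """Return (name, strength_bits) of the weakest suite the context would offer."""
    return min(((c["name"], c["strength_bits"]) for c in ctx.get_ciphers()),
               key=lambda pair: pair[1])


def meets_policy(ctx, floor=KEY_BITS_FLOOR):
    """True if every suite the context offers uses at least `floor` key bits and is AEAD."""
    return all(c["strength_bits"] >= floor and c["aead"] for c in ctx.get_ciphers())


if __name__ == "__main__":
    ctx = hardened_client_context()
    print("weakest suite offered:", weakest_suite(ctx))
    print("meets policy:", meets_policy(ctx))
    # To use it: sock = socket.create_connection((host, 443));
    #            tls = ctx.wrap_socket(sock, server_hostname=host); tls.cipher() shows the result
```

Run `meets_policy` against the context at start-up and refuse to start if it fails; a cipher string that looks right in code review can still fall back to weak suites on an older library build, and this is the one place that fact is visible.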

Detective measures 
The detective means are intrusion detection tools and law enforcement agencies; the judiciary takes the corrective steps. Both the police and the judiciary need to be educated enough to understand the finer details of cyber crime, and under the circumstances they have no option other than gearing up for the job.

Intrusion detection tools can monitor a single host as well as the entire network. Host-based tools monitor a system's or application's log files and respond with an alarm or a counter-measure when a user attempts to gain access to unauthorized data, files or services.

Network-based intrusion detection tools monitor network traffic and raise an alarm on identifying a traffic pattern that may be a denial-of-service attack or a scanning attempt. On detecting an intrusion, these tools immediately flash an alert to the administrators. Several tools are available off the shelf.
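To show what "identifying a traffic pattern" amounts to, here is an added example (not from the article) of two such detectors in Python, run over a constructed set of connection records: one flags a port scan (many distinct ports from one source in a short window) and the other a SYN flood (many half-open connections to one service). The thresholds, the record format and the addresses are assumptions for the illustration:

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    ts: float        # seconds since capture start
    src: str
    dst: str
    dport: int
    syn_only: bool   # SYN seen with no completing ACK, i.e. a half-open attempt


# Constructed records: one real shopper, one sequential port scan, one SYN flood.
SAMPLE = [Conn(0.0, "10.0.0.5", "203.0.113.10", 80, False),
          Conn(1.0, "10.0.0.5", "203.0.113.10", 443, False)]
SAMPLE += [Conn(5.0 + i * 0.1, "198.51.100.7", "203.0.113.10", port, True)
           for i, port in enumerate(range(20, 32))]          # 12 ports in 1.2 s
SAMPLE += [Conn(30.0 + i * 0.01, "198.51.100.9", "203.0.113.10", 80, True)
           for i in range(150)]                              # 150 half-open SYNs in 1.5 s

SCAN_PORTS, SCAN_WINDOW = 10, 5.0      # distinct ports per source within the window
FLOOD_SYNS, FLOOD_WINDOW = 100, 2.0    # half-open attempts per service within the window


def _sliding_max(events, window, key_of, value_of, distinct):
    """For each key, the largest count (distinct values or raw events) seen in any window."""
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for ev in sorted(events, key=lambda e: e.ts):
        k = key_of(ev)
        q = recent[k]
        q.append((ev.ts, value_of(ev)))
        while q and ev.ts - q[0][0] > window:   # drop anything older than the window
            q.popleft()
        count = len({v for _, v in q}) if distinct else len(q)
        peak[k] = max(peak[k], count)
    return peak


def detect_scans(conns):
    """Sources that touched at least SCAN_PORTS distinct ports within SCAN_WINDOW seconds."""
    peak = _sliding_max(conns, SCAN_WINDOW, key_of=lambda c: c.src,
                        value_of=lambda c: (c.dst, c.dport), distinct=True)
    return {src: n for src, n in peak.items() if n >= SCAN_PORTS}


def detect_syn_floods(conns):
    """Services that received at least FLOOD_SYNS half-open attempts within FLOOD_WINDOW seconds."""
    half_open = [c for c in conns if c.syn_only]
    peak = _sliding_max(half_open, FLOOD_WINDOW, key_of=lambda c: (c.dst, c.dport),
                        value_of=lambda c: c.src, distinct=False)
    return {svc: n for svc, n in peak.items() if n >= FLOOD_SYNS}


if __name__ == "__main__":
    for src, n in detect_scans(SAMPLE).items():
        print(f"ALERT port scan from {src}: {n} ports in {SCAN_WINDOW}s")
    for (dst, port), n in detect_syn_floods(SAMPLE).items():
        print(f"ALERT SYN flood against {dst}:{port}: {n} half-open attempts in {FLOOD_WINDOW}s")
```

The two detectors deliberately key on different things: a scan is one source spread over many ports, a flood is many attempts concentrated on one service, and a source that does both will appear in both reports. Thresholds like these are the part an off-the-shelf tool lets you tune, and the sample shows why the shopper's two connections stay well below them.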

Other security measures
Active content monitoring tools continuously monitor the organization's systems that are connected to the internet. Firewalls enforce an access control policy between two networks. Security appliances, which may combine software and hardware or network load management, are also effective security tools. Social engineering attacks and penetration testing tools simulate real-world hacking and identify an enterprise's vulnerabilities.

Vulnerability scanners, virtual private networks (VPNs), secure web servers, managed security services, security policy development and security utilities are a few others worth mentioning.

Ecommerce intermediaries 
Financial and technical intermediaries offer reliable, tested and secure payment processes and techniques for financial transactions, and thereby build confidence in ecommerce. The list is long: Checkfree Corporation, Commercenet, Cybercash, Digicash, Financial Services Technology Consortium, First Virtual, IBM, Internet Shopping Network, Mastercard Corporation, Microsoft, Mondex International, Netcash or Netcheque, Open Market Inc, RSA Data Security, Secure Computing, Surety Technologies, Verifone, Verisign Inc, Visa and others.

CHECKFREE CORPORATION: Checkfree offers bill payment service and online disbursement of bank payments with online service providers like Compuserve, Delphi and others. 

COMMERCENET: Commercenet is a non-profit consortium of internet service providers, online sales organizations, information publishers and software companies, created to form an electronic marketplace on the internet.

CYBERCASH: Cybercash offers a secure internet payment service using a combination of RSA public key and DES secret key cryptography to protect its credit card, debit card and electronic cash services. It is one of the most widely used payment services.

The PayNow Secure Electronic Check Service allows consumer-to-business and business-to-business fund transfers via checking accounts. The CashRegister software enables highly secure, heavily encrypted internet transactions for merchants and the ‘wallet’ allows shoppers to keep all their personal transactions in one convenient, secure place.

CyberCash also has a worldwide export license for a 1024-bit RSA encryption algorithm and offers a real-time secure credit card authentication service over the internet based on digital signatures.

DIGICASH: Digicash primarily develops and licenses electronic payment mechanisms. The company pioneered smart card chip technology and electronic wallets, and its ecash can be used on any major operating system platform: Windows, Macintosh or UNIX. It is a coin-based system, which means that digital money is implemented by digital signatures, each representing a certain fixed amount of money; such a digital signature is called a coin. One withdraws 'digital money' from a bank on the internet and stores it on the computer. The ecash may then be spent over the internet at any shop that accepts it, without the need for an account and without transmitting any credit card details. For privacy, ecash has the same advantage as paper money: anonymity of the buyer. The receiver, however, has no anonymity and must send the digital coins straight to the digital bank, which checks the validity of the coins before the requisite accounts are credited, leaving no room for double spending.

FINANCIAL SERVICES TECHNOLOGY CONSORTIUM: The Financial Services Technology Consortium is a group of government agencies, banks, financial services providers, universities and national research laboratories who sponsor and participate in noncompetitive, collaborative research and development on inter-bank technical projects.

FIRST VIRTUAL: First Virtual Holdings Inc. developed and operates the First Virtual Internet Payment System (FVIPS), a secure and user-friendly payment system that facilitates commercial transactions over the internet between merchants and consumers. FVIPS facilitates internet commerce through existing email technologies and Personal Identification Numbers (PINs), integrating seamlessly with established financial networks by using well-accepted transaction processing practices.

First Virtual has devised a method to conduct secure online transactions in which, customers are never required to key in their credit card number information or any other sensitive financial information over the internet.

Customers are issued a VirtualPIN which can be used at any First Virtual seller's website. Credit card numbers are stored off-line on secure computers not connected to the internet. When a purchase is made on the internet with a VirtualPIN, the customer is emailed and asked to confirm that purchase; the credit card is not charged until the customer has replied 'yes' to the email.

IBM: CommercePOINT series of products and services of IBM are offered for business-to-business and business-to-consumer selling opportunities on the web. IBM’s private data network offers secure communications off the internet. 

INTERNET SHOPPING NETWORK: Internet shopping network is one of the largest retailing malls, offering more than 35,000 computer products from more than 1100 companies. ISN uses Netscape Secure Commerce Server.

MASTERCARD CORPORATION, VISA: Mastercard International, along with Visa and others, has developed the Secure Electronic Transaction (SET) specification. An advantage of the SET protocols is the integrated use of digital certificates issued by a trusted certification authority.

MICROSOFT: Microsoft Money, its internet browser and several commerce and information servers have made Microsoft a dominant player, and its tools make building electronic commerce applications easy.

MONDEX INTERNATIONAL: Mondex has implemented digitally signed electronic cash encoded on smart cards, which can be exchanged between consumers and merchants or between individuals who have Mondex devices. The cards can be protected by a personal password, can be used at ATMs and can hold different currencies.

NETCASH OR NETCHEQUE: This product is developed by the University of Southern California and is intended to be a basis for real time payment through the internet. NetCash offers security, anonymity, scalability, acceptability and interoperability.

NETSCAPE COMMUNICATIONS CORPORATION: Netscape was the first to offer a secure world wide web commerce server. Its greatest contribution, Secure Sockets Layer (SSL), has become the de facto standard secure internet protocol. This is distinct from its widely distributed world wide web browser.

RSA DATA SECURITY INC: Ron Rivest, Adi Shamir and Len Adleman are the inventors of the RSA public key encryption scheme, and RSADSI owns the significant patents. Most major standards, specifications and schemes supporting secured and encrypted online transactions use algorithms licensed from RSADSI.

VERIFONE: Verifone dominates the point-of-sale (POS) terminal business for credit card payment authorization, and has also expanded into the smart card business.

CYBER CERTIFICATION: The ecommerce security picture would be incomplete without the cyber certification process, third-party assurance and trust marks. Cyber certification is designed to meet the need to create trust and credibility with customers and business partners in ecommerce. Such a certificate is issued by a third party of repute and standing; the website acquires a seal from this trusted party and the seal appears on the page. The trust mark indicates that the organization has taken adequate care and considerable effort to properly manage and secure the ecommerce process.

Various types of cyber certification are being issued, each very specific to the process employed. A few of them are:

  • Advertising assurance

  • Privacy

  • Healthcare System

  • Certificate Authority Root Key

  • Certificate Practice Statement

  • Certificate for Java Development 

Conclusion
The availability of various security and legislative measures, coupled with cyber certification processes, makes ecommerce a viable proposition. Further, ecommerce intermediaries assure netizens of safe, secure and reliable transactions. It is only a matter of time before one witnesses the total implementation of ecommerce.

Haridas Raigaga is Managing Consultant with Ernst & Young, Mumbai
