SECURITY SCHEMES AGAINST INTERNET FRAUD - E-Commerce Concepts

Security Issues

The Internet is a huge place that hosts many millions of people. Since not all of these people are honest, illegal activity is inevitable. Statistics show that only 10% of computer crime is reported and only 2% of the reported crime results in convictions.

There are two basic types of criminal activities:

  • The person who tries to understand and learn the various systems and capabilities of a private network. In this case the person has no intention of doing any damage or stealing any resources, but tries to observe how the system functions. For example, teenagers who try to enter a network out of curiosity until they are caught or detected.
  • The person who uses the Internet and the Web for personal benefit through illegal activities such as stealing software or information and causing damage to resources. This type of criminal activity raises the concern for network security.

A large system like the Internet has many holes and crevices through which a determined person can find a way into a private network. Many terms are used to describe computer criminals.

Types of Computer Criminals

  • Hacker - A person who has good knowledge of computers and tries to open data packets and steal the information transmitted through the Internet.
  • Cracker - Someone who specifically breaks into computer systems by bypassing or guessing login passwords. These persons enter the network as authenticated users and can cause any harm to the system.
  • Phreak - A person who hacks phone systems. These people specifically try to scam long-distance phone time for themselves, to control phone switch capability, or to hack company automated PBX systems to get free voice-mail accounts or to raid companies' existing voice-mail messages.
  • Phracker - A combination of phreak and cracker. A phracker breaks into phone systems and computer systems and specializes in total network destruction.

Another major issue in Internet security is misrepresentation and fraud. One of the reasons for misrepresentation is that on the net it is easy to appear as anyone or anything without being physically present. For example, a shop's site may display goods that the dealer does not physically have. At the same time, creating a scam site is not as easy as it seems, because the pages must be hosted somewhere, which makes the provider responsible for the content. For this reason, most Web site providers examine sites and have access to the information that is being provided. With the rapid growth in use of the Internet, the number of fraud cases in which perpetrators create their own provider site will probably increase in future. This is especially possible with offshore servers, where laws are more favorable to the criminal and enforcement will be very difficult. For this reason, it is increasingly important for Web users to protect themselves.

Encryption is a technique for hiding data. The encrypted data can be read only by those users for whom it is intended. Nowadays various encryption techniques are available.

One of the techniques commonly used for encryption is Public Key. For Public Key encryption systems, RSA Data Security of Redwood City offers the most popular commercially available algorithm. In a Public Key encryption system each user has two keys: a public key and a private key. The encryption and decryption algorithms are designed so that only the private key can decrypt data that is encrypted by the public key, and the public key can decrypt data encrypted by the private key. Therefore, one can broadcast the public key to all users.

Computer encryption is based on the science of cryptography, which has been used throughout history. Before the digital age, the biggest users of cryptography were governments, particularly for military purposes.

Broadly speaking, most computer encryption systems belong to one of two categories:

  • Secret-key encryption
  • Public-key encryption

Secret-Key Encryption

Secret-key encryption, also known as symmetric encryption, involves the use of a shared key for both encryption by the transmitter and decryption by the receiver. Secret-key encryption works in the following way: Anne wishes to send a purchase order (PO) to Bob in such a way that only Bob can read it. Anne encrypts the PO (the plaintext) with an encryption key and sends the encrypted PO (the ciphertext) to Bob. Encryption scrambles the message, rendering it unreadable to anyone but the intended recipient. Bob decrypts the ciphertext with the decryption key and reads the PO. Note that in secret-key encryption, the encryption key and decryption key are the same (see Fig.).

The transmitter uses a cryptographic secret “key” to encrypt the message, and the recipient must use the same key to decipher or decrypt it. A widely adopted implementation of secret-key encryption is the Data Encryption Standard (DES). Although secret-key encryption is useful in many cases, it has significant limitations. All parties must know and trust each other completely, and have in their possession a protected copy of the key. If the transmitter and receiver are at separate sites, they must trust that they are not overheard during face-to-face meetings or over a public messaging system (a phone system, a postal service) when the secret key is being exchanged. Anyone who overhears or intercepts the key in transit can later use that key to read all encrypted messages.

Since shared keys must be securely distributed to each communicating party, secret-key encryption suffers from the problem of key distribution: the generation, transmission, and storage of keys. Secure key distribution is cumbersome in large networks and does not scale well to a business environment where a company deals with thousands of online customers. Further, secret-key encryption is impractical for exchanging messages with a large group of previously unknown parties over a public network.

For instance, in order for a merchant to conduct transactions securely with Internet subscribers, each consumer would need a distinct secret key assigned by the merchant and transmitted over a separate secure channel such as a telephone, adding to the overall cost. Hence, given the difficulty of providing secure key management, it is hard to see secret-key encryption becoming a dominant player in electronic commerce. If secret-key encryption cannot ensure safe electronic commerce, what can? The solution to widespread open network security is a newer, more sophisticated form of encryption, first developed in the 1970s, known as public-key encryption.

Public-Key Encryption

Public-key encryption, also known as asymmetric encryption, uses two keys: one key to encrypt the message and a different key to decrypt the message. The two keys are mathematically related so that data encrypted with one key can only be decrypted using the other.

Unlike secret-key encryption, which uses a single key shared by two (or more) parties, public-key encryption uses a pair of keys for each party. One of the two keys is “public” and the other is “private.” The public key can be made known to other parties; the private key must be kept confidential and must be known only to its owner. Both keys, however, need to be protected against modification.

The best known public-key encryption algorithm is RSA (named after its inventors Rivest, Shamir, and Adleman). In the RSA method, each participant creates two unique keys, a “public key,” which is published in a sort of public directory, and a “private key,” which is kept secret. The two keys work together; whatever data one of the keys “locks,” only the other can unlock.

For example, if an individual wants to send a snoop-proof e-mail message to a friend, she simply looks up his public key and uses that key to encrypt her text. When the friend receives the e-mail, he uses his private key to convert the encrypted message on his computer screen back to the sender’s original message in clear text. Since only the bona fide author of an encrypted message has knowledge of the private key, a successful decryption using the corresponding public key verifies the identity of the author and ensures message integrity. Even if a would-be criminal intercepts the message on its way to the intended recipient, that criminal has no way of deciphering the message without the private key.

The computer handles the hard work of manipulating the large numbers used in the math of encrypting and decrypting messages. The table compares secret-key and public-key systems. Both types of systems offer advantages and disadvantages. Often, the two are combined to form a hybrid system that exploits the strengths of each method. To determine which type of encryption best meets its needs, an organization first has to identify its security requirements and operating environment. Public-key encryption is particularly useful when the parties wishing to communicate cannot rely on each other or do not share a common key. This is often the case in online commerce. Another prominent public-key method used in online commerce today is the digital signature.

Table: Comparing secret-key and public-key encryption methods.

Digital Signature

Digital signatures are used for sender authentication. This also means that the originator cannot falsely deny having signed the data. In addition, a digital signature enables the computer to notarize the message, assuring the recipient that the message has not been forged in transit.

Let us consider the following scenario of a customer interacting with a merchant, Online Mart. When the customer orders something from Online Mart, she uses Online Mart’s public key to encrypt her confidential information. Online Mart then uses its private key to decrypt the message (only a private key can unlock a document enciphered with a public key); thus the customer knows that only Online Mart received that data. To ensure further security, the customer can enclose a digital signature, encrypted with her own private key, which Online Mart could decrypt with the customer’s public key and know that only that particular customer could have sent it. In the other direction, Online Mart would send confidential information to the customer using her public key, and only she can decrypt it using her private key. This shows how a digital signature works in combination with public-key encryption to ensure authentication and privacy.

Technically, How Do Digital Signatures Work?

Data is electronically signed by applying the originator’s private key to the data. To increase the speed of the process, the private key is applied to a shorter form of the data, called a “hash” or “message digest,” rather than to the entire set of data. The resulting digital signature can be stored or transmitted along with the data. The signature can be verified by any party using the public key of the signer. This feature is very useful, for example, when distributing signed copies of virus-free software. Any recipient can verify that the program remains virus-free. If the signature verifies properly, then the verifier has confidence that the data was not modified after being signed and that the owner of the public key was the signer.

Digital signatures ensure authentication in the following way. In order to digitally sign a document, a user combines her private key and the document and performs a computation on the composite (key + document) in order to generate a unique number called the digital signature. For example, when an electronic document, such as an order form with a credit card number, is run through the digital signature process, the output is a unique “fingerprint” of the document. This “fingerprint” is attached to the original message and further encrypted with the signer’s private key. If a user is communicating with her bank, she sends the result of the second encryption to her bank. The bank then decrypts the document using her public key, and checks to see if the enclosed message has been tampered with by a third party.

To verify the signature, the bank performs a computation involving the original document, the purported digital signature, and the customer’s public key. If the results of the computation generate a matching “fingerprint” of the document, the digital signature is verified as genuine; otherwise, the signature may be fraudulent or the message altered.

Digital signatures, variations of which are being explored by several companies, are the basis for secure commerce. A digital signature provides a way to associate the message with the sender, and is the cyberspace equivalent of “signing” for purchases. In this way, consumers can use credit card accounts over the Internet.

Digital Certificates

Authentication is further strengthened by the use of digital certificates. Before two parties, Bob and Alice, use public-key encryption to conduct business, each wants to be sure that the other party is authenticated. Before Bob accepts a message with Alice’s digital signature, he wants to be sure that the public key belongs to Alice and not to someone masquerading as Alice on an open network. One way to be sure that the public key belongs to Alice is to receive it over a secure channel directly from Alice. However, in most circumstances this solution is not practical.

An alternative to the use of a secure channel is to use a trusted third party to authenticate that the public key belongs to Alice. Such a party is known as a certificate authority (CA). Once Alice has provided proof of her identity, the certificate authority creates a message containing Alice’s name and her public key. This message, known as a certificate, is digitally signed by the certificate authority. It contains owner identification information, as well as a copy of one of the owner’s public keys. To get the most benefit, the public key of the certificate authority should be known to as many people as possible. Thus by using one public key (that of a CA) as a trusted third-party means of establishing authentication, disparate parties can engage in electronic commerce with a high degree of trust. In many ways, digital certificates are the heart of secure electronic transactions.

Through the use of a common third party, digital certificates provide an easy and convenient way to ensure that the participants in an electronic commerce transaction can trust each other. For example, in the credit card industry, Visa provides digital certificates to the card-issuing financial institution, and the institution then provides a digital certificate to the cardholder. A similar process takes place for the merchant. At the time of the transaction, each party’s software validates both merchant and cardholder before any information is exchanged. The validation takes place by checking the digital certificates that were both issued by an authorized and trusted third party. In short, digital certificates ensure that two computers talking to each other may successfully conduct electronic commerce.
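The signing and certificate checks described in the Digital Signature and Digital Certificates sections, as an added example that is not part of the original page: textbook RSA over a SHA-256 digest, using only Python's standard library. The key pairs are built from fixed, publicly known Mersenne primes so that the run is reproducible (an assumption for illustration; they are not usable keys), the function names are hypothetical, and real systems add a padding scheme such as RSASSA-PSS.

```python
import hashlib

E = 65537  # public exponent shared by all three toy key pairs


def make_key(a, b):
    """Toy RSA key pair from the Mersenne primes 2**a-1 and 2**b-1 (public, NOT secret)."""
    p, q = 2**a - 1, 2**b - 1
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent
    return {"pub": (n, E), "priv": (n, d)}


def digest(data: bytes) -> int:
    """The document 'fingerprint' (message digest) as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(priv, data: bytes) -> int:
    """Apply the private key to the digest, not to the whole document."""
    n, d = priv
    return pow(digest(data), d, n)


def verify(pub, data: bytes, sig: int) -> bool:
    """Recompute the digest and compare it with the signature opened by the public key."""
    n, e = pub
    return pow(sig, e, n) == digest(data)


def cert_body(name, pub):
    """The statement the CA signs: owner name bound to the owner's public key."""
    return f"{name}|{pub[0]:x}|{pub[1]:x}".encode()


def issue_cert(ca_priv, name, pub):
    return {"name": name, "pub": pub, "ca_sig": sign(ca_priv, cert_body(name, pub))}


def accept_order(ca_pub, cert, order: bytes, sig: int) -> str:
    """Bob's checks: first the CA's signature on the certificate, then the order signature."""
    if not verify(ca_pub, cert_body(cert["name"], cert["pub"]), cert["ca_sig"]):
        return "reject: certificate not signed by trusted CA"
    if not verify(cert["pub"], order, sig):
        return "reject: signature does not match order"
    return f"accept: order signed by {cert['name']}"


# Constructed sample parties and message.
CA = make_key(127, 521)
ALICE = make_key(607, 1279)
MALLORY = make_key(2203, 2281)  # someone masquerading as Alice
ORDER = b"PO-1001: 3 widgets, ship to Alice"

if __name__ == "__main__":
    cert = issue_cert(CA["priv"], "Alice", ALICE["pub"])
    sig = sign(ALICE["priv"], ORDER)
    print(accept_order(CA["pub"], cert, ORDER, sig))
    # Order altered in transit: the digest no longer matches the signature.
    print(accept_order(CA["pub"], cert, ORDER.replace(b"3", b"9"), sig))
    # Masquerader signs with her own key under a certificate the CA never issued.
    fake = issue_cert(MALLORY["priv"], "Alice", MALLORY["pub"])
    print(accept_order(CA["pub"], fake, ORDER, sign(MALLORY["priv"], ORDER)))
    # Genuine certificate with the public key swapped out: CA signature breaks.
    swapped = dict(cert, pub=MALLORY["pub"])
    print(accept_order(CA["pub"], swapped, ORDER, sign(MALLORY["priv"], ORDER)))
```

The last two cases show why the certificate matters: Mallory's signature on the order is mathematically valid under her own key, and only the CA's signature over the name and key together exposes the substitution.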

Firewall

A firewall is simply a program or hardware device that filters the information coming through the Internet connection into your private network or computer system. If an incoming packet of information is flagged by the filters, it is not allowed through. Let’s say that you work at a company with 500 employees. The company will therefore have hundreds of computers that all have network cards connecting them together. In addition, the company will have one or more connections to the Internet through something like T1 or T3 lines.

Without a firewall in place, all of those hundreds of computers are directly accessible to anyone on the Internet. A person who knows what he or she is doing can probe those computers, try to make FTP connections to them, try to make telnet connections to them and so on. If one employee makes a mistake and leaves a security hole, hackers can get to the machine and exploit the hole.

With a firewall in place, the landscape is much different. A company will place a firewall at every connection to the Internet (for example, at every T1 line coming into the company). The firewall can implement security rules. For example, one of the security rules inside the company might be: out of the 500 computers inside this company, only one of them is permitted to receive public FTP traffic. Allow FTP connections only to that one computer and prevent them on all others. A company can set up rules like this for FTP servers, Web servers, Telnet servers and so on. In addition, the company can control how employees connect to Web sites, whether files are allowed to leave the company over the network and so on. A firewall gives a company tremendous control over how people use the network. Firewalls use one or more of three methods to control traffic flowing in and out of the network:

  • Packet filtering - Packets (small chunks of data) are analyzed against a set of filters. Packets that make it through the filters are sent to the requesting system and all others are discarded.
  • Proxy service - Information from the Internet is retrieved by the firewall and then sent to the requesting system and vice versa.
  • Stateful inspection - A newer method that doesn’t examine the contents of each packet but instead compares certain key parts of the packet to a database of trusted information.

Information travelling from inside the firewall to the outside is monitored for specific defining characteristics, then incoming information is compared to these characteristics. If the comparison yields a reasonable match, the information is allowed through. Otherwise it is discarded.
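The FTP rule and the stateful comparison described above, as an added example that is not part of the original page: a minimal Python model of a firewall that applies first-match packet-filter rules with a default of deny, and tracks connections opened from inside so that their replies are let back in. The addresses come from documentation ranges and are constructed, the class and rule layout are hypothetical, and only the FTP control port (21) is modelled.

```python
import ipaddress

INSIDE = ipaddress.ip_network("192.0.2.0/24")        # constructed company range
FTP_SERVER = ipaddress.ip_network("192.0.2.10/32")   # the one public FTP host

# Packet-filter rules for inbound traffic: first match wins.
RULES = [
    ("allow", FTP_SERVER, 21),  # public FTP only to the designated server
    ("deny", INSIDE, 21),       # FTP to every other inside machine is blocked
]


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.state = set()  # connections opened from inside

    def outbound(self, src, sport, dst, dport):
        """Record the defining characteristics of an inside-initiated connection."""
        self.state.add((src, sport, dst, dport))
        return "allow"

    def inbound(self, src, sport, dst, dport):
        # Stateful inspection: a reply has the outbound addresses and ports mirrored.
        if (dst, dport, src, sport) in self.state:
            return "allow (reply to tracked connection)"
        # Packet filtering: compare the destination against each rule in order.
        for action, net, port in self.rules:
            if ipaddress.ip_address(dst) in net and dport == port:
                return f"{action} (rule: {net} port {port})"
        return "deny (default)"


def demo():
    """Run constructed packets through the firewall and return the decisions."""
    fw = Firewall(RULES)
    results = [
        fw.inbound("203.0.113.5", 40000, "192.0.2.10", 21),   # FTP to the server
        fw.inbound("203.0.113.5", 40001, "192.0.2.77", 21),   # FTP to a desktop
        fw.inbound("198.51.100.9", 443, "192.0.2.77", 51000), # unsolicited packet
    ]
    fw.outbound("192.0.2.77", 51000, "198.51.100.9", 443)      # desktop opens HTTPS
    results.append(fw.inbound("198.51.100.9", 443, "192.0.2.77", 51000))
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The third and fourth packets are identical; the only difference is that the inside machine opened the connection first, which is the comparison stateful inspection makes.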

Creating a Secure System

It is a well-known saying that prevention is the best medicine, and this applies equally well to computer security. The first step is to secure your data files so that only the right people can see them. This is especially crucial for any of the following types of data and files.

  • User passwords
  • Billing files
  • System and user logs
  • Credit card information
  • Trusted remote system information
  • Compilers
  • Administration tools

User passwords and usage logs should be kept secure to keep pirates from looking at those files to figure out how to gain further access to your system. Keeping your password files shadowed or hidden keeps pirates from remotely acquiring your file and then running password-cracking programs on the file in their own time.

Finally, be sure to protect administration tools as well as compilers. General users of your system should not have access to these tools because, if they fall into the wrong hands, the tools can be used to create programs that aid the pirate in breaching security.

Storing Secure Information

The most insecure part of the Internet is not the Net itself but the source and destination of users and computers on the net. As the user of the system, you should know where and how your data is stored. When you are connected to the network, your personal system is vulnerable. Because of the nature of SLIP-type connectivity and TCP/IP networks, someone else could be probing your system while you are working. Decrypted data residing on your hard disk may be available to outsiders for snooping. As server and browser security increases, most pirates will be driven to breaking into the system at the source or at the destination. This of course applies equally to both the user and the store owner. Store owners must ensure that the product information database is secure.

Again, store owners should ensure that they encrypt archived transactions, as well as transactions in the process of being fulfilled. If a business can afford only lesser security, then the best you can do is keep permissions of files hidden from pirates. One of the best security measures that you can take for physically stored data is to have hardware password protection. Many commercial products provide this facility and often work well to keep the data secure. Another security measure is to delete data or information that is no longer required. Simply deleting the information is not enough. Pirates can easily undelete previously deleted information. They can even unformat a formatted disk. After securely deleting files, defragment your drive using any popular disk utility. Such a program ensures that the original structure of the disk is reorganized, leaving no recoverable data. The best solution is to use programs like the Defense Department’s recommended secure delete program.

Such programs are available in software archives throughout the Internet. Before marking the file as deleted, such programs first write repeating sequences of bits to each bit within the file. This ensures that magnetic particles are mixed several times so that traces of data are not readable. Another type of pirating uses the electromagnetic emissions that come from monitors. In the early age of computing, programmers could debug programs by turning on a radio and placing it near the computer.

The internal clock speed of the computer would oscillate like the radio stations, so they could hear the programming sequence running on the computer. The programmers soon learned how to interpret the different sound frequencies to determine what was happening in their program. A type of technology and research called TEMPEST is available that can reverse this electromagnetic radiation into a reasonable reproduction of the original information. The degree of security for a computer connected to the Internet depends upon the requirements and cost. Everyone should take the basic measures of creating secure passwords, not leaving printouts lying around, and keeping hardware secure. One should encrypt sensitive data that is sent over the Internet. The basic measures should be enough to cover the average security standards for the company, but monitor the system at regular intervals. If security breaches are encountered, more sophisticated security measures should be implemented. Companies that are involved in national security, or that have such companies as clients, are particularly vulnerable.
