Security and Encryption
Need for Security and Encryption in Ecommerce
Security is an essential part of any transaction that takes place over the internet. Customers will lose faith in an e-business if its security is compromised. The essential requirements for safe e-payments and transactions are the following −
Confidentiality − Information should not be accessible to an unauthorized person, and it should not be intercepted during transmission.
Integrity − Information should not be altered during its transmission over the network.
We all have one common question: did we receive the same data that the sender sent? Integrity is responsible for the correctness of the information that is transmitted, received, or displayed on a website over the internet.
Integrity ensures that information on the internet has not been altered in any way by an unauthorized party. It maintains the consistency, accuracy, and trustworthiness of the information over its entire life cycle.
Customer perspective on integrity: Has the information I transmitted or received been altered?
Merchant perspective on integrity: Has the information on my website been altered without authorization? Is the information received from the customer valid?
Example: Since ecommerce sites mostly prefer online transfers, the most common threat is that an unauthorized person intercepts a payment and redirects it into a different account.
Consider a subscription model, where you give your credit card details to the merchant for bill payment. If someone adds an extra charge to your credit card bill without your knowledge or the merchant's, you pay extra money for something you haven't purchased.

Availability − Information should be available wherever and whenever required, within a specified time limit.

Continuous availability of the data is the key to a better customer experience in ecommerce. The continuous availability of the ecommerce website increases online visibility, search engine rankings, and site traffic. Data present on the website must be secured and available 24x7x365 to the customer without downtime. If it is not, it will be difficult to gain a competitive edge and survive in the digital world.
Customer perspective: Can I access the site at any time, from anywhere?
Merchant perspective: Is my site operating without any downtime?
Example: An ecommerce website can be flooded with useless traffic that shuts the site down, making it impossible for users to access it.
Authenticity − There should be a mechanism to authenticate a user before giving him/her access to the required information.
In ecommerce, since the customer and the seller need to trust each other, each must be who they claim to be. Both the seller and the buyer must provide proof of their real identity so that the ecommerce transaction can happen securely between them.
Every ecommerce site uses authentication to ensure the identity of a person over the internet. Fraudulent identities and fraudulent authentication are also possible in ecommerce, which makes establishing identity difficult. A common way to verify a person's identity is customer login with a password.
Customer perspective: Who am I dealing with? How can I be sure that the person I am dealing with is who they claim to be?
Merchant perspective: Is the customer I am communicating with a real person? If not, what could their identity be?
Example: Some users can use a fake email address to access ecommerce services.
Non-Repudiability − It is protection against the denial of an order or the denial of a payment. Once a sender sends a message, the sender should not be able to deny having sent it. Similarly, the recipient of the message should not be able to deny having received it.
Good business depends on both buyers and sellers. Once they accept facts or rules, they must not deny them; there should be no repudiation.
Non-repudiation confirms whether the information sent between the two parties was received. It ensures that a purchase cannot be denied by the person who completed the transaction. In other words, it is an assurance that no one can deny the validity of a transaction.
Non-repudiation for online transactions mostly relies on digital signatures, because no one can deny the authenticity of their signature on a document.
Customer perspective: Can a party take action against me if I have denied the action?
Merchant perspective: It is possible for a customer to deny a product after ordering it.
Example: When a merchant does not have enough proof that a customer placed an order, a credit card payment transaction will not be processed further to the merchant.
Sometimes customers claim that they have not ordered a product from a particular merchant if they dislike the product later.

Encryption − Information should be encrypted and decrypted only by an authorized user.
Auditability − Data should be recorded in such a way that it can be audited for integrity requirements.
Confidentiality 
Confidentiality refers to protecting information from being accessed by an unauthorized person on the internet. In other words, only authorized people can view, modify, or use the sensitive data of any customer or merchant.
According to Juniper Research, nearly 146 billion records will be exposed by criminal data breaches between 2018 and 2023.
One confidentiality breach is sniffing: a program that steals the important files of a company, an individual's identity, email messages, or the personal reports of an internet user.
Customer perspective: Can someone other than the intended recipient read my message?
Merchant perspective: Can information on my site be accessed by an unauthorized person without my knowledge?
Example: Ecommerce sites use a user name and password for customers to log in to their account. Consider the case of resetting the password, where an ecommerce site sends a one-time password to the customer's email or phone number, and someone else reads it.
Privacy
Where confidentiality is concerned with the information present during communication, privacy is concerned with personal details. In general, privacy is the customer's control over the usage of the information they have given to the merchant.
According to Fortune, 1.16 billion email addresses and passwords were exposed in 2019 through security breaches.
Privacy is a major concern for any online transaction or internet user, since once personal information has been revealed there is no way to take it back.
Customer perspective: Can I control the usage of information about myself that I have transmitted to the ecommerce site?
Merchant perspective: What if someone else uses personal data collected as part of the ecommerce transaction? Can any unauthorized person access a customer's personal data?
Example: If a hacker breaks into the ecommerce site, they can gain access to customers' credit card details or any other customer information. This violates both information confidentiality and personal privacy.

Measures to ensure Security
The major security measures are the following −
Encryption − It is a very effective and practical way to safeguard data being transmitted over the network. The sender encrypts the data using a secret key, and only the specified receiver can decrypt it using the same or a different secret key.
Digital Signature − A digital signature ensures the authenticity of the information. It is an e-signature authenticated through encryption and a password.
Security Certificates − A security certificate is a unique digital ID used to verify the identity of an individual website or user.
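The Digital Signature measure above, together with the integrity and non-repudiation requirements discussed earlier, can be seen in a short added example that is not code from the original post. It uses Ed25519 from Go's standard library (a choice made here; the post names no algorithm), and the Order fields and values are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Order is a constructed sample of the data a customer authorises when paying.
type Order struct {
	OrderID string `json:"order_id"`
	Account string `json:"account"` // payee account the money goes to
	Amount  int64  `json:"amount_cents"`
}

// canonical serialises an order deterministically so that signer and verifier
// sign and check exactly the same bytes (encoding/json emits struct fields in declaration order).
func canonical(o Order) ([]byte, error) { return json.Marshal(o) }

// SignOrder produces the customer's signature over the order. Only the holder of
// the private key can create it, which is what gives the merchant non-repudiation.
func SignOrder(priv ed25519.PrivateKey, o Order) ([]byte, error) {
	msg, err := canonical(o)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, msg), nil
}

// VerifyOrder checks the signature with the customer's public key. Any change to
// the order after signing (a different amount or payee account) makes this return false.
func VerifyOrder(pub ed25519.PublicKey, o Order, sig []byte) bool {
	msg, err := canonical(o)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, msg, sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	order := Order{OrderID: "ORD-1001", Account: "MERCHANT-ACC", Amount: 4999}
	sig, _ := SignOrder(priv, order)
	fmt.Println("original verifies:", VerifyOrder(pub, order, sig))
	tampered := order
	tampered.Account = "OTHER-ACC" // payment redirected in transit, as in the integrity example
	fmt.Println("tampered verifies:", VerifyOrder(pub, tampered, sig))
}
```

The merchant keeps the signed order as proof that this customer authorised this exact amount to this exact account, and rejects any order whose signature no longer verifies.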
Security Protocols in Internet
Here we discuss some of the popular protocols used over the internet to ensure secure online transactions.
Secure Socket Layer (SSL)
It is the most commonly used protocol and is widely used across the industry. It meets the following security requirements −
Authentication
Encryption
Integrity
Non-repudiability
"https://" is used for HTTP URLs with SSL, whereas "http://" is used for HTTP URLs without SSL.
Secure Hypertext Transfer Protocol (SHTTP)
SHTTP extends the HTTP internet protocol with public key encryption, authentication, and digital signatures. Secure HTTP supports multiple security mechanisms, providing security to end users. SHTTP works by negotiating the encryption schemes used between the client and the server.
Secure Electronic Transaction
It is a secure protocol developed jointly by MasterCard and Visa. Theoretically, it is the best security protocol. It has the following components −
Card Holder's Digital Wallet Software − The digital wallet allows the card holder to make secure purchases online via a point-and-click interface.
Merchant Software − This software helps merchants communicate with potential customers and financial institutions in a secure manner.
Payment Gateway Server Software − The payment gateway provides an automatic and standard payment process. It supports the merchant's certificate request process.
Certificate Authority Software − This software is used by financial institutions to issue digital certificates to card holders and merchants, and to enable them to register their account agreements for secure electronic commerce.
