Conducting E-Commerce with Peter Paolucci, Ph.D.
TRANSCRIPT
CONDUCTING E-COMMERCE
with
Peter Paolucci, Ph.D.
10 LIES ABOUT E-COMMERCE
Instant and ubiquitous availability
Simplifies buyer-seller relationship
Reduced paperwork
Reduced errors, time & overhead costs
Reduced time to complete transactions
Easier entrance into new markets
Provides new business opportunities
Wider access to experts and peers
Improved product analysis
Streamlined purchasing process
TCP/IP
How info is transported: “Transmission Control Protocol”
How info is addressed: “Internet Protocol”
TCP/IP Key points
Routers handle packets
Packets follow corridors
Every new router is a “hop”
Packet acknowledgment when rec’d
Info moves in pieces: not in 1 chunk
TCP/IP Considerations
Check tracert and ping
Every hop = potential security weakness
Solutions:
VPN (virtual private network)
Encryption
FRAMES & PACKETS
“packet” vs “frame”
Packet = any piece of information transmitted across Internet
Frame = information passed between hosts on an Ethernet network
[Diagram: Header, Data, Trailer]
SERVER CHOICES
Proprietary vs open standard solutions
Scalability
Support levels (human resources)
Hardware & licensing costs
Access
Frequency of patches/updates needed
Hosted/owned by whom?
SERVER CHOICES I
Kind of server affects your security issues
Apache (Unix or Microsoft)
Linux
Netscape Suite Spot
Microsoft IIS
Lotus Notes
Novell
SECURITY METHODS
Authentication (personal/domain/machine)
Data confidentiality (encryption)
ABOUT SECURITY
What is security in non-Internet context?
What is security in the Internet context?
How secure can a system/transaction be?
How much money and resources should you spend?
SECURITY ISSUES
Confidentiality
Privacy
Data integrity
System integrity
AUTHENTICATION
Who are you?
Are you really you?
Is this action from your computer?
Is this action from your domain?
Is this action from your ISP?
Is the content of the transmission strictly confidential?
Has message integrity been retained? (no tampering)
E-AUTHENTICATION
Is this your credit card?
Is this your bank?
Do you have the funds?
SYMMETRIC ENCRYPTION
AKA “single key” encrypts and decrypts
1 password on both ends (shared secret)
Same key encrypts AND decrypts
Best to arrange shared password (“key”) in a secure manner
Original message is called “plain text”
Encrypted message is called “cipher text”
CRYPTOGRAPHY
What is encryption?
1. Hello = 8-5-12-12-15 (how hard is it to steal this key?)
2. Hello = I-F-M-M-P (how hard is it to steal this key?)
3. Hello = &%$iIwoie&4@!)(-09UtT (how hard is it to steal this key?)
CRYPTOGRAPHY
Factors
1. Secrecy of key (how hard is it to steal the key)
2. Difficulty of algorithm (complexity of formula)
3. Back doors
What method used to generate randomness (predictable patterns such as system time can be read and mimicked)
[see RSA as an example]
CRYPTOGRAPHY
Factors
4. Key length
20 bits = 2 to the 20th power, or 1,048,576 possible values exist
48 bit now crackable in a matter of minutes
128 bit is standard and would take years to crack
US govt allowed up to 40 bit max. for products exported from the USA
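The randomness and key-length factors interact: a 128-bit key drawn from a generator seeded with the system time is only as strong as the number of plausible seed values. The following is an added example, not part of the original slides; the function names and the timestamp are constructed for illustration.

```python
import math
import random
import secrets

KEY_BYTES = 16  # 128-bit key, the "standard" length named on the slide

def time_seeded_key(timestamp: int) -> bytes:
    """Weak: key bytes from a general-purpose PRNG seeded with the clock."""
    rng = random.Random(timestamp)
    return bytes(rng.getrandbits(8) for _ in range(KEY_BYTES))

def os_random_key() -> bytes:
    """Corrected: key bytes from the operating system's CSPRNG."""
    return secrets.token_bytes(KEY_BYTES)

def effective_bits(possible_values: int) -> float:
    """Key strength in bits for a given number of equally likely values."""
    return math.log2(possible_values)

def seeds_matching(key: bytes, start: int, end: int) -> list:
    """Audit check: timestamps in [start, end] that regenerate the same key."""
    return [t for t in range(start, end + 1) if time_seeded_key(t) == key]

if __name__ == "__main__":
    issued_at = 1_000_000_000  # constructed timestamp, not from the page
    key = time_seeded_key(issued_at)
    print("slide's 20-bit key space:", 2 ** 20, "values")
    print("nominal key length:", KEY_BYTES * 8, "bits")
    print("effective bits if the issue time is known to the day:",
          round(effective_bits(86_400), 1))
    print("seeds in a 2-hour window that rebuild the key:",
          seeds_matching(key, issued_at - 3600, issued_at + 3600))
    print("CSPRNG key:", os_random_key().hex())
```

A key that can be regenerated from its creation time has roughly 16 bits of strength per day of uncertainty, regardless of its nominal length.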
ONE-WAY ENCRYPTION
Aka “hash encryption”
Once password (key) has been encrypted it can never be decrypted
Typical use: ATM machine cards
Used in NT and Unix
For NT and Unix, the admin never knows what a pwd is: they must always create a new password
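The one-way property described above can be seen in a small password store: the system keeps only a salt and a digest, checks a login by re-hashing, and an administrator can only replace a password, never read it. This is an added example, not part of the original slides; the iteration count, record layout and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # assumed work factor for this example

def hash_password(password: str) -> dict:
    """Store a random salt and the derived digest, never the password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}

def verify_password(record: dict, candidate: str) -> bool:
    """Re-hash the candidate with the stored salt and compare digests."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["digest"])

def admin_reset(store: dict, user: str) -> str:
    """The admin cannot recover the old password, only issue a new one."""
    temporary = secrets.token_urlsafe(12)
    store[user] = hash_password(temporary)
    return temporary

if __name__ == "__main__":
    store = {"ted": hash_password("constructed-sample-password")}
    print("stored fields:", sorted(store["ted"]))
    print("correct login:", verify_password(store["ted"],
                                            "constructed-sample-password"))
    print("wrong login:", verify_password(store["ted"], "guess"))
    new_password = admin_reset(store, "ted")
    print("old password after reset:",
          verify_password(store["ted"], "constructed-sample-password"))
    print("new password after reset:",
          verify_password(store["ted"], new_password))
```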
SYMMETRIC ENCRYPTION: EXAMPLE
[Diagram: Ted uses Password on Plain Text to produce Cipher Text; Mary uses Password on Cipher Text to recover Plain Text]
ASYMMETRIC ENCRYPTION
Aka “public key cryptography” (MIT early 1970’s)
1 key for encrypt + 1 for decrypt
X sends to Y with Y’s public key: only Y’s private key can decrypt
Reversible: A encrypts, B can decrypt + vice versa
The pairs are matched set
1 key is public: another is private
Secure but slow
ASYMMETRIC ENCRYPTION EXAMPLE
Ted’s Private + Public (Random Symmetric) + Mary’s Public = (produces) Cipher Text
Mary’s Private, Random Public (automatic), Ted’s Public = (produces) Plain text
SECURITY STANDARDS
Set by NCSC (North Carolina Supercomputing Center)
So-called “orange book”
Level D: minimal or not secure at all (like MS-DOS); no user distinctions
Level C1: rudimentary access control (login authentication)
Level C2: unique users; system level protection (like Unix)
Level B1: mandatory access control; varied security level; user cannot change permissions on files/directories
SECURITY STANDARDS
Level B2: every file labeled according to its security level; labels change dynamically
Level B3: hardware protection (terminals only connect through trusted paths); data hiding
Level A1: requires rigorous mathematical proof that system cannot be compromised; also proof that hardware-software must have been protected during shipment to prevent tampering
SECURITY WEAKNESSES
Humans: passwords, procedures
File system permissions
System allows bad passwords
Poor firewalls
Bugs known and unknown
Poor auditing of events
Not changing system defaults
Restrict parameter/field access in databases (along with carefully built CGI)
HACKING METHODS
Password and packet sniffing (software & hardware)
Spoofing (brute force or dictionary or enlightened)
Account cracking via dictionary programs
Decryption & Brute-force decryption
Old-fashioned snooping
Capitalizing on system access when someone leaves their desk
CUSTOMER TRUST
Success and Horror Stories (http://www.zdnet.com/anchordesk/story/story_2759.html)
Customer Protection Tips You Should Address (http://www.paytips.org/contips.htm)
Other “trust” issues
STRATEGIES IN E-COMMERCE
Appropriate goods and services for the Net
Successful Marketing (spam, mailers, browser harvesting)
Designing a successful storefront
Models of Doing Business
Promotion (engines, engine ad banners, newsgroups, listservs)
Meta, Title and other HTML tags (what the engines want & some legalities)
Competing with the “bot” shoppers
Internet Demographics & Miscellaneous
MODELS OF DOING BUSINESS
Credit card: Manual (delayed) vs Automated (immediate)
Cyber Cash (http://www.cybercash.com/)
Traditional cheque
Cybercash bought by Verisign
The bad news about Verisign
THE PROCESS
If the client already has a merchant number
You may not use the same # for internet
Apply to each of the 3 (or 4) credit cards individually (Amex, Visa, MC, Discovery)
Problem: which visa? CIBC? TD-Canada Trust? BOM?
Which MC?
Amex not a problem
Learn Canada /Internet Secure
Internet Secure is a broker for all banks and credit cards
One time set up: $395
Send in voided cheque
Form to fill out includes
Company name, address, incorporation #, business type (proprietary, sole, corporation) website, description of service, minimum/maximum value of any given order, contact person, pick id and pwd
Learn Canada /Internet Secure
Bring ETF (Electronic Funds Transfer Form) to bank to verify account name and legality of account and its use
Determine funds: US or CDN or both
Signed by bank official
Establish price catalogue and codes
Go to Internet Secure and enter catalogue prices and code numbers
Fee Structure
CANADIAN DOLLARS
SETUP   MONTHLY   / TRANS   PLUS
$395    $45       $.45      3.75% Visa, 4% Amex
$395    $25       $1.50     4% Visa, 4.5% Amex
$0      $20       $0        9% all
Fee Structure
USA DOLLARS
SETUP   MONTHLY   / TRANS   PLUS
$395    $35       $1.00     3.75% Visa, 4% Amex
$395    $25       $1.50     4% Visa, 4.5% Amex
$0      $20       $0        9% all
FEE STRUCTURE
Additional fee is either:
a security deposit (ranging from $4000 up) such as cash or assets, or
RMRF (Rolling Merchant Reserve Fund), in which they withhold 8% of your sales for 6 months and pay it to you in the 7th month
Transactions are deposited automatically on the 15th and 30th of every month